CVE-2024-23222 Apple Safari Type Confusion Leading to Sandbox Escape
A type confusion vulnerability exists in Apple Safari, tracked as CVE-2024-23222. A public exploit demonstrates successful exploitation of the vulnerability on iOS 16.4.1, leading to a sandbox escape. The vulnerability has been patched in iOS 17.3 and macOS 14.3.
A public exploit was published demonstrating a type confusion vulnerability in Apple Safari, identified as CVE-2024-23222. This vulnerability affects Apple Safari on iOS 16.4.1. The exploit allows for a sandbox escape on iPhone X (A11 Bionic) devices. The exploit is delivered entirely as a single HTML page served over HTTP. The exploit code leverages a flaw in JavaScriptCore (JSC) related to the handling of Float64Array and WebAssembly.Instance objects during garbage collection (GC). This can lead to arbitrary native function calls and ultimately a sandbox escape, allowing the attacker to write files to the filesystem outside of the Safari sandbox. The vulnerability was patched in iOS 17.3 and macOS 14.3.
Attack Chain
- The user visits a malicious webpage containing the exploit code.
- The exploit triggers CVE-2024-23222, a type confusion vulnerability in the JavaScriptCore (JSC) JIT engine.
- The type confusion occurs between a Float64Array and a WebAssembly.Instance due to a race condition during garbage collection.
- Successful exploitation allows the attacker to gain arbitrary read and write capabilities in memory, specifically addrof(obj), read64(addr), and write64(addr).
- The exploit leverages a CALLER_WASM module with a call_indirect to gain arbitrary native function call capability. ASLR slide discovery is performed statically.
- The exploit calls _getpid() and _getuid() to confirm arbitrary C function invocation and to determine the user context (mobile).
- The exploit calls _open("/tmp/pwned_cve_2024_23222") to escape the sandbox and creates a file on the filesystem.
- The exploit calls _write(fd, “PWNED…”, 57) to write data to the file, confirming the sandbox escape.
Impact
Successful exploitation of CVE-2024-23222 leads to a sandbox escape in Apple Safari on iOS 16.4.1. This allows an attacker to perform actions outside the normal restrictions of the browser’s sandbox, such as writing arbitrary files to the filesystem. In the demonstrated exploit, a file named /tmp/pwned_cve_2024_23222 is created with the content “PWNED CVE-2024-23222 WebKit sandbox escape on iOS 16.4.1”. While the provided exploit targets iOS 16.4.1 on an iPhone X, other devices and versions may be vulnerable until patched. The vulnerability was patched in iOS 17.3 and macOS 14.3.
Recommendation
- Monitor web server logs for requests to exploit-related URLs, such as exploit_stage2.html, exploit_23222.html, and cve-2023-*.html, as mentioned in the file structure section of the report.
- Apply the latest security patches for iOS and macOS to mitigate CVE-2024-23222, as the vulnerability has been fixed in iOS 17.3 and macOS 14.3.
- Deploy the Sigma rule to detect potential exploitation attempts of CVE-2024-23222 by monitoring for unexpected file creations in /tmp/.
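The first recommendation above (watching web server logs for the exploit page names) can be turned into a small, repeatable check. The following Python script is an added example written for this page; it is not code from the advisory, the exploit, or the detection platform. It assumes Apache/nginx "combined" log format (adjust the regex for other formats), matches only the final path segment of each request case-insensitively so that query strings and directory prefixes do not hide a hit, expands the cve-2023-*.html glob exactly as written in the recommendation, and reports lines it cannot parse rather than dropping them. The log lines, client addresses and timestamps are constructed sample data.

```python
"""Scan web-server access logs for requests to the exploit page names named in the
CVE-2024-23222 advisory. Added illustration; not code from the advisory or its source."""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Page names from the advisory's recommendation section. Only the final path segment
# is compared, lower-cased, so "/a/b/Exploit_Stage2.html?x=1" still matches.
EXPLOIT_PAGE_PATTERNS = ("exploit_stage2.html", "exploit_23222.html", "cve-2023-*.html")

# Assumed log layout: Apache/nginx "combined" format.
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = _COMBINED.match(line.strip())
    return m.groupdict() if m else None


def requested_filename(target: str) -> str:
    """Last path segment of the request target, percent-decoded, query/fragment removed."""
    path = urlsplit(target).path
    return unquote(path.rsplit("/", 1)[-1]).lower()


def matches_exploit_page(target: str) -> Optional[str]:
    """Return the advisory pattern the request target matches, or None."""
    name = requested_filename(target)
    for pattern in EXPLOIT_PAGE_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None


def scan_access_log(lines: Iterable[str]) -> Tuple[List[Dict[str, object]], int]:
    """Return (hits, unparsed_count). A hit is recorded even for 4xx responses, since the
    request itself is the signal; unparseable lines are counted, never silently skipped."""
    hits: List[Dict[str, object]] = []
    unparsed = 0
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        fields = parse_combined(line)
        if fields is None:
            unparsed += 1
            continue
        pattern = matches_exploit_page(fields["target"])
        if pattern is not None:
            hits.append({
                "line": lineno,
                "client": fields["client"],
                "ts": fields["ts"],
                "target": fields["target"],
                "status": fields["status"],
                "pattern": pattern,
            })
    return hits, unparsed


# Constructed sample log (fictional addresses, times and user agents). Line 5 requests a
# file whose name resembles the CVE but is not one of the advisory's patterns, and is
# intentionally not flagged; line 6 is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2024:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2024:13:01:09 +0000] "GET /exploit_stage2.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X)"
198.51.100.7 - - [10/Feb/2024:13:02:41 +0000] "GET /pages/Exploit_23222.HTML?r=1 HTTP/1.1" 200 8844 "http://example.invalid/" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2024:13:02:43 +0000] "GET /pages/cve-2023-example.html HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2024:13:03:00 +0000] "GET /cve-2024-23222.html HTTP/1.1" 200 77 "-" "curl/8.0"
this line is not in combined format
"""

if __name__ == "__main__":
    found, bad = scan_access_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h['line']}: {h['client']} requested {h['target']} "
              f"(HTTP {h['status']}) matches {h['pattern']}")
    print(f"{len(found)} hit(s), {bad} unparsed line(s)")
```

Run against a real log with `scan_access_log(open(path))`. Matching on filename alone is deliberately loose: it catches the page wherever it is hosted, but a 404 hit only tells you someone asked for the page, so pair it with the /tmp/ file-creation rule on the endpoint side before treating it as confirmed exploitation.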
Detection coverage (2 rules)
- Detects CVE-2024-23222 Exploitation — File Creation in /tmp/ (severity: high): monitors for the creation of specific files in the /tmp/ directory, indicative of a sandbox escape attempt on iOS.
- Detects CVE-2024-23222 Exploitation — Safari Exploit HTML File Accessed (severity: medium): detects access to known exploit HTML files used in Safari exploit attempts.
Indicators of compromise
| Type | Value |
|---|---|
| url | https://sploitus.com/exploit?id=95858B59-5BDC-5979-AB5D-A6CA37D89350 |