Message-ID: <IQ4lrdfdNLF-o0Fn1e8NI7scU8HrVPeXITqGych_AqpeH81rE_ZkZFstLZYAiGVu9y-6xwBZCdbBlRB2yPkm8HvlC625dSjupRgmdVQW6cw=@proton.me>
Date: Mon, 09 Jun 2025 05:22:35 +0000
From: josephgoyd via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft
Hello Full Disclosure,
This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor. Apple issued a silent fix in iOS 18.4.1 (April 2025) without public acknowledgment or credit.
This post establishes authorship, ensures technical transparency, and invites peer review. It is published to resist institutional suppression and promote user awareness.
Summary:
- CVEs: CVE-2025-31200 & CVE-2025-31201
- Affected Devices: iPhones running iOS 18.2 through iOS 18.4
- Exploitable at Discovery: Yes (active zero-day on iOS 18.2 at time of report)
- Trigger: Zero-click MP4 with AAC audio sent via iMessage
- Exploit Chain: Blastdoor trust bypass → CoreAudio heap corruption → PAC bypass → Secure Enclave key theft → wormable peer injection
- Impact: Full device compromise, crypto key theft, identity hijacking, peer-to-peer propagation
- Patched: iOS 18.4.1 (quiet release)
Technical Overview:
Apple’s trust model allowed audio messages from known iMessage senders to bypass Blastdoor sandboxing. A crafted MP4 file with AAC encoding triggered heap corruption in CoreAudio (CVE-2025-31200), leading to RCE. This was chained with a malformed AMPDU metadata exploit (CVE-2025-31201) that bypassed Pointer Authentication (PAC), enabling kernel-level control.
The exploit chain facilitated:
- Extraction of Secure Enclave–protected keys via CryptoTokenKit
- Forgery of Apple identity sessions
- Silent crypto wallet draining
- Peer injection and lateral device propagation via MultipeerConnectivity
Context & Urgency:
This disclosure parallels recent real-world incidents such as the Oil Engineering crypto theft, where enclave misuse and identity spoofing led to material loss. With escalating social engineering threats and trust-channel abuse in mobile ecosystems, this case illustrates systemic risk.
Disclosure Timeline:
- Dec 20, 2024 — Live zero-day discovered on iOS 18.2 and reported to Apple (Report ID: OE19648805943313)
- Jan 21, 2025 — Escalated to US-CERT / CISA (Tracking ID: VRF#25-01-MPVDT)
- Apr 11, 2025 — Full exploit chain submitted to Google Project Zero
- Apr 16, 2025 — Quiet patch issued in iOS 18.4.1
- Jun 6, 2025 — Public full disclosure
CVEs Assigned:
- CVE-2025-31200 — Heap corruption in CoreAudio AAC decoder
- CVE-2025-31201 — Kernel escalation via malformed AMPDU metadata (PAC bypass)
Write-Up and Artifacts:
https://weareapartyof1.substack.com/p/the-crypto-heist-apple-kept-quiet
Validation:
- Reproducible on iOS 18.2 and iOS 18.4
- Exploit artifacts verified by independent researchers
- No active payloads or binaries distributed
- Logs, call traces, and affected APIs fully documented
Call for Collaboration:
Researchers are encouraged to reproduce the trust bypass conditions, verify CryptoTokenKit key exposure, and evaluate Secure Enclave leakage vectors. I welcome validation, feedback, and partnership on wider threat modeling.
Final Note:
This disclosure creates a permanent public record of suppressed vulnerability research. Apple quietly fixed the issue. But they never told you. This record stands for those who weren’t informed, warned, or credited.
Joseph Goydish II
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/