In July 2022, Apple fixed a serious vulnerability—now known as CVE-2022-32844—that impacted the security of iPhones, iPads, Apple Watch, and Apple TV. The bug allowed apps with kernel access to bypass Pointer Authentication, a powerful defense against attacks that try to take control over the device. In this write-up, I'll break down what this means, why it matters, how the flaw worked, and show you simplified code to help you understand the race condition involved.
What is Pointer Authentication?
Pointer Authentication (PAC) is a security feature on modern ARM-based Apple devices. PAC uses cryptographic signatures to make sure pointers (like addresses to code or data in memory) haven't been tampered with by attackers. If you can bypass PAC, you can potentially turn small bugs into full-blown device takeovers.
Patched in: iOS 15.6, iPadOS 15.6, watchOS 8.7, tvOS 15.6
- Impact: An app with arbitrary kernel read/write (often post-exploitation) could bypass Pointer Authentication.
Apple’s note: “A race condition was addressed with improved state handling.”
References:
- Apple Security Release Notes
- NIST CVE Details
How Did the Bug Work?
Race conditions happen when multiple tasks run at the same time, and the system doesn't handle their timing properly. In the context of CVE-2022-32844, a malicious app could abuse this timing flaw to make the kernel skip an important authentication step.
One sets up a pointer with a valid authentication signature.
2. The other swaps it out with an attacker-controlled pointer just in time for it to be used, but before authentication happens.
If the timing is just right, the pointer is accepted without proper validation. As a result, an attacker can trick the system into using a bad pointer, bypassing Pointer Authentication.
Simplified Exploit Concept and Code
Note: This code is for educational/demo purposes only, and will NOT work as a real exploit. Apple has patched this bug, so it's safe to discuss at a high level.
Let's imagine a simplified kernel function
// Pseudocode: Vulnerable kernel function
void use_pointer(void *ptr) {
if (authenticate(ptr)) { // Step 1: Authenticate pointer (PAC check)
do_something(*ptr); // Step 2: Use pointer if valid
}
}
In a race condition scenario, a malicious app can do something like
// Thread 1: Get pointer authenticated
void thread1() {
void *p = create_valid_pointer();
use_pointer(p);
}
// Thread 2: Swap pointer after check, before use
void thread2() {
while (true) {
swap_pointer_to_attacker_controlled();
}
}
// Main: Launch both threads to win the race
int main() {
start(thread1); // Auth check
start(thread2); // Swapper
}
If thread2 acts between the authentication and the actual use of the pointer, the kernel could be tricked into using an unauthenticated, attacker-controlled pointer.
Real-World Impact
- Privilege escalation: An attacker with read/write kernel memory (such as after a sandbox escape) could use this bug to fully compromise the system.
- Bypassing PAC: Since PAC is there to prevent code injection and exploitation, bypassing it gives attackers a big advantage.
- Tied to other exploits: Attackers could chain this vulnerability from another one that already gave partial kernel access.
Fixing the Bug
Apple's fix in iOS 15.6 and other releases added improved state handling. This means they made sure the authenticated pointer is never swapped out or tampered with before it's actually used—a classic fix for a race condition.
Conclusion
CVE-2022-32844 is a perfect example of how even advanced security features like Pointer Authentication can be made ineffective by subtle bugs like race conditions. By fixing state handling and avoiding improper pointer swaps, Apple closed the gap that let attackers trick the system. While you couldn't hit this bug accidentally, it was a valuable tool for attackers with kernel access—which is why timely updates are crucial.
If you want to learn more, check out the official Apple release notes:
Apple Security Updates for iOS 15.6 and More
Stay updated and always install security fixes—race conditions like this are subtle, but their effects can be severe!
Timeline
Published on: 02/27/2023 20:15:00 UTC
Last modified on: 03/07/2023 21:01:00 UTC