multi_path (CVE-2018-4241)
XNU kernel heap overflow in the MPTCP connectx handler (mptcp_usr_connectx) caused by missing bounds checking on a non-IP sockaddr, exploited by Ian Beer to obtain the kernel task port on iOS 11.0–11.3.1.
Mechanism
Note
multi_path is Ian Beer / Project Zero's public exploit for
CVE-2018-4241 in Apple's XNU kernel. Despite the "Multipath TCP UAF"
alias, the root cause is a heap buffer overflow, not a
use-after-free — the source repository and analyses describe it as
"XNU kernel heap overflow due to bad bounds checking in MPTCP." We
follow the primary source here.
The bug is in mptcp_usr_connectx(), the handler for the connectx
syscall on AF_MULTIPATH sockets. The handler copies the
user-supplied destination sockaddr into the per-session
mptcp_session_entry (the mpte) via roughly:
sa_len is an attacker-controlled 1-byte field (max 255). The
validation logic checks sa_len only for AF_INET and AF_INET6
families. Critically, the code does not bail out when sa_family
is neither AF_INET nor AF_INET6, so a sockaddr with an arbitrary
family and an oversized sa_len reaches the memcpy unchecked. The
mpte_dst field is small, so the copy overflows past it into
adjacent fields of the mpte and beyond — notably the
mpte_itfinfo_size field and the mpte_itfinfo pointer.
The invariant violated: "a sockaddr's declared length is validated against its address family before being used as a copy length." MPTCP enforced that invariant for the two IP families it understood and silently skipped it for everything else.
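A constructed model of the check described above, added here as an illustration and not XNU's code: the flawed validator accepts any non-IP family regardless of sa_len, while the hardened variant (the assumed shape of the fix, not Apple's patch verbatim) rejects unknown families and bounds the length before the copy. The 16- and 28-byte lengths, the 28-byte mpte_dst, the family values and all helper names are assumptions.

```c
/* Constructed model of the per-family sockaddr length check on the MPTCP
 * connectx path. Illustrative code, not XNU's; names mirror BSD sockaddr. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define FAM_INET   2   /* AF_INET */
#define FAM_INET6  30  /* AF_INET6 on XNU */
#define DST_V4_LEN 16  /* sizeof(struct sockaddr_in) */
#define DST_V6_LEN 28  /* sizeof(struct sockaddr_in6), assumed size of mpte_dst */

struct sockaddr_hdr { uint8_t sa_len; uint8_t sa_family; uint8_t sa_data[254]; };
/* Flawed check: sa_len is validated only for the two IP families; any other
 * family is accepted (returns 0) regardless of sa_len. */
int check_dst_flawed(const struct sockaddr_hdr *dst)
{
    if (dst->sa_family == FAM_INET && dst->sa_len != DST_V4_LEN) return EINVAL;
    if (dst->sa_family == FAM_INET6 && dst->sa_len != DST_V6_LEN) return EINVAL;
    return 0;
}

/* Hardened check (assumed shape of the fix, not Apple's patch verbatim):
 * unknown families are rejected and sa_len is bounded by the target field. */
int check_dst_fixed(const struct sockaddr_hdr *dst)
{
    switch (dst->sa_family) {
    case FAM_INET:  if (dst->sa_len != DST_V4_LEN) return EINVAL; break;
    case FAM_INET6: if (dst->sa_len != DST_V6_LEN) return EINVAL; break;
    default:        return EAFNOSUPPORT;
    }
    return dst->sa_len > DST_V6_LEN ? EINVAL : 0;
}

/* Models memcpy(&mpte->mpte_dst, dst, dst->sa_len) without performing it:
 * -1 if the check rejects dst, else how many bytes the copy would write
 * past the DST_V6_LEN-byte mpte_dst field (0 means it fits). */
int overflow_past_dst(uint8_t family, uint8_t len,
                      int (*check)(const struct sockaddr_hdr *))
{
    struct sockaddr_hdr sa = { .sa_len = len, .sa_family = family };
    if (check(&sa) != 0) return -1;
    return len > DST_V6_LEN ? (int)len - DST_V6_LEN : 0;
}

int main(void)
{
    printf("flawed: %d bytes past mpte_dst\n", overflow_past_dst(0x7f, 255, check_dst_flawed));
    printf("fixed:  %d (rejected)\n", overflow_past_dst(0x7f, 255, check_dst_fixed));
    return 0;
}
```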
Reaching the path requires the com.apple.developer.networking.multipath entitlement (an Apple developer cert), so it is a local kernel LPE / sandbox-escape primitive rather than remote.
Walkthrough
The exploit chains the linear overflow into a full kernel read/write port using a well-known iOS heap-grooming pattern:
- Trigger: create an AF_MULTIPATH socket and call connectx with a crafted sockaddr whose sa_family is neither AF_INET nor AF_INET6 and whose sa_len is large, overflowing mpte_dst.
- Pointer rounding: the controlled overflow performs a 3-byte NULL overwrite that rounds the mpte_itfinfo pointer down to the next 16 MB-aligned boundary, redirecting a later kernel access to a chosen address.
- Heap grooming: alternate kalloc.2048 allocations with MPTCP socket creation so that an ipc_kmsg lands exactly at the 16 MB-aligned target boundary. kalloc.2048 is the critical zone.
- Object overlap: trigger a controlled kfree on the 16 MB-aligned address, then reallocate both an ipc_kmsg and a pipe buffer from the same zone so two kernel objects overlap the same backing memory.
- Fake port: drive Mach message passing through the overlapped ipc_kmsg / pipe pair to construct a fake port (mirroring the async_wake technique), yielding an early limited kernel read.
- Kernel task port: use the read primitive to locate the kernel task and build a full kernel read/write port (tfp0-style). The PoC prioritizes cleanup to avoid panics and "should work most of the time."
Warning
The aliases multipath_kfree and "Multipath TCP UAF" are misleading.
The confirmed primary class is a heap overflow in
mptcp_usr_connectx. The kfree/overlap behaviour appears in the
exploitation stage (deliberate free + realloc to overlap objects),
not as the root cause. Do not catalog the root bug as a UAF.
Affected: iOS 11.0–11.3.1 (and the corresponding tvOS, per Apple's advisory). Fixed in iOS 11.4.
Detection
- This is a local privilege-escalation primitive gated behind the multipath entitlement; on production iOS the relevant signal is an unentitled or unexpected process reaching AF_MULTIPATH connectx.
- Kernel panics with corruption in kalloc.2048 near MPTCP session structures are consistent with a failed exploitation attempt.
Mitigation
- Update to iOS 11.4 or later (the authoritative fix adds the missing family/length validation before the copy).
- Entitlement gating limits reachability but is not a fix: any process that can legitimately use MPTCP could reach the vulnerable copy.