
multi_path (CVE-2018-4241)

XNU kernel heap overflow in the MPTCP connectx handler (mptcp_usr_connectx) caused by missing bounds checking on a non-IP sockaddr, exploited by Ian Beer to obtain the kernel task port on iOS 11.0–11.3.1.

Mechanism

Note

multi_path is Ian Beer / Project Zero's public exploit for CVE-2018-4241 in Apple's XNU kernel. Despite the "Multipath TCP UAF" alias, the root cause is a heap buffer overflow, not a use-after-free — the source repository and analyses describe it as "XNU kernel heap overflow due to bad bounds checking in MPTCP." We follow the primary source here.

The bug is in mptcp_usr_connectx(), the handler for the connectx syscall on AF_MULTIPATH sockets. The handler copies the user-supplied destination sockaddr into the per-session mptcp_session_entry (the mpte) via roughly:

memcpy(&mpte->mpte_dst, dst, dst->sa_len);

sa_len is an attacker-controlled 1-byte field (max 255). The validation logic checks sa_len only for AF_INET and AF_INET6 families. Critically, the code does not bail out when sa_family is neither AF_INET nor AF_INET6, so a sockaddr with an arbitrary family and an oversized sa_len reaches the memcpy unchecked. The mpte_dst field is small, so the copy overflows past it into adjacent fields of the mpte and beyond — notably the mpte_itfinfo_size field and the mpte_itfinfo pointer.

The invariant violated: "a sockaddr's declared length is validated against its address family before being used as a copy length." MPTCP enforced that invariant for the two IP families it understood and silently skipped it for everything else.
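To make the missing check concrete, the following is an added illustration (not XNU's code and not the exploit's) of the vulnerable validation shape the text describes beside a hardened version that refuses unknown families before any length is used. The struct layout, the Darwin family values and sizes, the assumed 28-byte mpte_dst field and the errno choices are all assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed BSD-style sockaddr with a leading sa_len byte, as in XNU. Family
 * values and sizes mirror Darwin (AF_INET = 2, AF_INET6 = 30, sizeof(sockaddr_in)
 * = 16, sizeof(sockaddr_in6) = 28) but are assumptions, not XNU's definitions. */
#define X_AF_INET     2
#define X_AF_INET6    30
#define X_SIN_LEN     16
#define X_SIN6_LEN    28
#define MPTE_DST_SIZE X_SIN6_LEN  /* assumed size of the mpte_dst field */
struct bsd_sockaddr {
    uint8_t sa_len;     /* caller-controlled, at most 255 */
    uint8_t sa_family;
    uint8_t sa_data[14];
};

/* Vulnerable shape, modelled on the page's description: sa_len is checked only
 * for AF_INET/AF_INET6; any other family falls through to the copy.
 * Returns the byte count that would reach memcpy(), or -errno on reject. */
static long check_dst_vulnerable(const struct bsd_sockaddr *dst)
{
    if (dst->sa_family == X_AF_INET && dst->sa_len != X_SIN_LEN)
        return -EINVAL;
    if (dst->sa_family == X_AF_INET6 && dst->sa_len != X_SIN6_LEN)
        return -EINVAL;
    return dst->sa_len;             /* unknown family: length never checked */
}

/* Hardened shape: unknown families are rejected up front, so the per-family
 * length check is the only route to the copy; sa_len is also cross-checked
 * against the caller-supplied buffer length and the destination field size.
 * The errno values are our choice. */
static long check_dst_hardened(const struct bsd_sockaddr *dst, size_t dstlen)
{
    size_t want;
    switch (dst->sa_family) {
    case X_AF_INET:  want = X_SIN_LEN;  break;
    case X_AF_INET6: want = X_SIN6_LEN; break;
    default:         return -EAFNOSUPPORT;
    }
    if ((size_t)dst->sa_len != want || dstlen < want || want > MPTE_DST_SIZE)
        return -EINVAL;
    return (long)want;
}

/* 1 if copying copy_len bytes would run past the mpte_dst field. */
static int would_overflow_dst(long copy_len) { return copy_len > (long)MPTE_DST_SIZE; }
```

The unknown-family case is the one that matters: the vulnerable check lets a 255-byte length through to a 28-byte field, the hardened one never reaches the length comparison.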

Reaching the path requires the com.apple.developer.networking.multipath entitlement (an Apple developer cert), so it is a local kernel LPE / sandbox-escape primitive rather than a remote one.

Walkthrough

The exploit chains the linear overflow into a full kernel read/write port using a well-known iOS heap-grooming pattern:

  1. Trigger: create an AF_MULTIPATH socket and call connectx with a crafted sockaddr whose sa_family is neither AF_INET nor AF_INET6 and whose sa_len is large, overflowing mpte_dst.

    // pseudo: oversize, non-IP sockaddr
    struct sockaddr sa = { .sa_len = 0xFF, .sa_family = 0 /* not IP */ };
    connectx(s, /* src */ NULL, 0, (struct sockaddr*)&sa, sa.sa_len, ...);
    
  2. Pointer rounding: the controlled overflow performs a 3-byte NULL overwrite that rounds the mpte_itfinfo pointer down to the nearest 16 MB-aligned boundary, redirecting a later kernel access to a chosen address.

  3. Heap grooming: alternate kalloc.2048 allocations with MPTCP socket creation so that an ipc_kmsg lands exactly at the 16 MB-aligned target boundary. kalloc.2048 is the critical zone.

  4. Object overlap: trigger a controlled kfree on the 16 MB-aligned address, then reallocate both an ipc_kmsg and a pipe buffer from the same zone so two kernel objects overlap the same backing memory.

  5. Fake port: drive Mach message passing through the overlapped ipc_kmsg / pipe pair to construct a fake port (mirroring the async_wake technique), yielding an early limited kernel read.

  6. Kernel task port: use the read primitive to locate the kernel task and build a full kernel read/write port (tfp0-style). The PoC prioritizes cleanup to avoid panics and "should work most of the time."

Warning

The aliases multipath_kfree and "Multipath TCP UAF" are misleading. The confirmed primary class is a heap overflow in mptcp_usr_connectx. The kfree/overlap behaviour appears in the exploitation stage (deliberate free + realloc to overlap objects), not as the root cause. Do not catalog the root bug as a UAF.

Affected: iOS 11.0–11.3.1 (and the corresponding tvOS, per Apple's advisory). Fixed in iOS 11.4.

Detection

  • This is a local privilege-escalation primitive gated behind the multipath entitlement; on production iOS the relevant signal is an unentitled or unexpected process reaching AF_MULTIPATH connectx.
  • Kernel panics with corruption in kalloc.2048 near MPTCP session structures are consistent with a failed exploitation attempt.

Mitigation

  • Update to iOS 11.4 or later (the authoritative fix adds the missing family/length validation before the copy).
  • Entitlement gating limits reachability but is not a fix: any process that can legitimately use MPTCP could reach the vulnerable copy.

References