AWDL is a wireless protocol that Apple used for things like AirDrop. The kernel's AWDL handling code contains a 60-byte buffer that can be overwritten by a copy of up to 1024 bytes of attacker-supplied data. Using other bugs and poor address randomization, Ian Beer of Google Project Zero discloses kernel memory and then constructs a kernel read and write primitive. He then demonstrates how this can be used to gain privileged code execution in userspace, by launching the calculator and by writing a program that extracts user photos.
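The missing check behind this class of bug, as an added example that is not Apple's code or code from the original write-up: a sender-controlled length is validated against both the bytes received and the fixed destination before the copy. Only the 60 and 1024 byte sizes come from the summary above; the record layout (2-byte big-endian length, then payload), `struct peer_state` and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_SIZE   60    /* fixed destination size, from the summary */
#define MAX_RECORD 1024  /* largest sender-supplied payload, from the summary */

/* Hypothetical receiver state holding the fixed-size field. */
struct peer_state {
    uint8_t field[DST_SIZE];
    size_t  field_len;
};

/* Returns 0 on success, -1 if the record is malformed or does not fit. */
int store_field_checked(struct peer_state *st, const uint8_t *pkt, size_t pkt_len)
{
    if (st == NULL || pkt == NULL || pkt_len < 2)
        return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > pkt_len - 2)       /* length must match bytes actually received */
        return -1;
    if (claimed > sizeof st->field)  /* and must fit the destination buffer */
        return -1;
    memcpy(st->field, pkt + 2, claimed);
    st->field_len = claimed;
    return 0;
}

/* Constructed sample: build a record with n payload bytes and try to store it.
 * Returns the stored length, or -1 if the record was rejected. */
int try_record(size_t n)
{
    uint8_t pkt[2 + MAX_RECORD];
    struct peer_state st = {0};
    if (n > MAX_RECORD)
        return -1;
    pkt[0] = (uint8_t)(n >> 8);
    pkt[1] = (uint8_t)(n & 0xff);
    memset(pkt + 2, 0x41, n);
    return store_field_checked(&st, pkt, 2 + n) == 0 ? (int)st.field_len : -1;
}

int main(void)
{
    printf("60 bytes -> %d, 61 bytes -> %d, 1024 bytes -> %d\n",
           try_record(60), try_record(61), try_record(MAX_RECORD));
    return 0;
}
```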