wInd3x, the iPod Bootrom exploit 10 years too late
Original Post:
We discussed this vulnerability during Episode 180 on 17 January 2023
A trivial out of bounds access in the iPod nano 3rd-5th generation’s USB stack in the bootROM. The USB::HandlePendingSetup()
handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the bmRequestType
. In the case of bmRequestType == 3
, it would take an attacker controlled wIndex
value to index into an array of handlers then execute it. This index was unchecked and could access out of bounds of the array. This gave an attacker code execution immediately, and these devices don’t have no-execute (NX). By utilizing a bx r0
ARM gadget (r0
was set to point to the attacker’s request buffer which they control the contents of), they could execute their own shellcode and get stable code exec.