A sophisticated kernel exploit leveraging CVE-2023-32434, an integer overflow vulnerability in Apple’s XNU virtual memory subsystem, has been unveiled by security researchers.
Dubbed Trigon, this exploit chain enables deterministic kernel read/write primitives on A10(X) devices, bypassing Apple’s KTRR and PPL protections through physical memory mapping techniques.
Initially exploited in the Operation Triangulation campaign against Kaspersky researchers, the vulnerability highlights critical weaknesses in iOS’s memory management architecture.
The root cause lies in mach_make_memory_entry_64, where an integer overflow in boundary checks allows attackers to create memory entries spanning 18,000 petabytes—far exceeding device capacities.
The flawed validation logic in mach_make_memory_entry_64:
    /* the three-term sum is evaluated in 64-bit arithmetic and can wrap */
    if ((offset + *size + parent_entry->data_offset) > parent_entry->size) {
        kr = KERN_INVALID_ARGUMENT;
        goto make_mem_done;
    }
This check fails to account for 64-bit integer overflow: when the user-controlled size and offset values wrap around, the sum compares as small and an invalid memory entry is permitted.
Attackers exploit this by crafting a parent memory entry in the privileged PurpleGfxMem region. Due to its non-internal flag configuration, this entry bypasses vm_page_insert_internal panic checks.
This grants unrestricted access to physical memory regions typically protected by kernel integrity mechanisms.
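The overflow in the quoted check, as an added example that is not XNU's or Trigon's code: it models the vulnerable comparison beside an overflow-safe variant (an assumed fix, not necessarily Apple's patch) and feeds both a constructed request whose 64-bit sum wraps to zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not XNU or Trigon source: models the boundary check
 * from mach_make_memory_entry_64 quoted above. parent_size stands in
 * for parent_entry->size; the other names are simplified. */

/* The check as the article shows it: the three-term sum is computed
 * in 64-bit arithmetic and can wrap, so a huge size passes. */
bool bounds_check_vulnerable(uint64_t offset, uint64_t size,
                             uint64_t data_offset, uint64_t parent_size)
{
    if ((offset + size + data_offset) > parent_size) {
        return false; /* KERN_INVALID_ARGUMENT */
    }
    return true;
}

/* Hardened variant (an assumed fix, not necessarily Apple's patch):
 * detect wrap-around in each addition before comparing. */
bool bounds_check_safe(uint64_t offset, uint64_t size,
                       uint64_t data_offset, uint64_t parent_size)
{
    uint64_t end;
    if (__builtin_add_overflow(offset, size, &end) ||
        __builtin_add_overflow(end, data_offset, &end)) {
        return false; /* sum does not fit in 64 bits: reject */
    }
    return end <= parent_size;
}

int main(void)
{
    /* Constructed values: a parent entry of 0x8000 bytes and a request
     * whose size matches the 0xFFFFFFFFFFFFC000-byte entry described
     * above, with an offset that makes the 64-bit sum wrap to zero. */
    uint64_t parent_size = 0x8000;
    uint64_t offset = 0x4000;
    uint64_t size = 0xFFFFFFFFFFFFC000ULL;

    printf("vulnerable check accepts: %d\n",
           bounds_check_vulnerable(offset, size, 0, parent_size));
    printf("hardened check accepts:   %d\n",
           bounds_check_safe(offset, size, 0, parent_size));
    return 0;
}
```

The vulnerable check accepts the wrapped request (sum 0 is not greater than 0x8000) while the hardened check rejects it; both accept an ordinary in-range request.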
Trigon’s attack chain follows four phases:
1. Malicious Memory Entry Creation
By abusing the PurpleGfxMem region via IOSurface APIs, the exploit constructs a rogue memory entry covering 0xFFFFFFFFFFFFC000 bytes.
This enables mapping arbitrary physical addresses into userspace via mach_vm_map, circumventing KTRR’s lockdown on kernel text.
2. Physical Memory Analysis
The exploit parses the iboot-handoff structure—a physical memory carveout containing DRAM layout details—to calculate the mapping base address.
This allows the translation of virtual kernel addresses to physical offsets using:
    /* offset of the AMCC MMIO block relative to the rogue memory entry */
    uint64_t amccOffset = calculate_phys_addr_offset(AMCC_BASE, NULL);
    mach_vm_map(..., largeMemoryEntry, amccOffset, ...);
MMIO reads then retrieve KTRR limit registers, revealing the protected kernel text region (RoRgn).
3. Kernel Base Discovery
Scanning RoRgn for Mach-O headers identifies the kernel’s physical base. Virtual slide is derived from the __TEXT segment’s vmaddr, enabling virtual-to-physical translation for kernel structures.
4. Kernel Read/Write Primitive
To bypass page table panics (e.g., “unexpected PV head”), Trigon sprays ~20,000 IOSurface objects and scans physical memory for their signatures.
By leveraging the pv_head_table—a per-page metadata array—the exploit identifies non-PTEP pages hosting IOSurface data, enabling safe object hijacking. This provides stable read/write via IOSurface property manipulation.
Older ARMv8-A SoCs (A7–A9) lack reliable MMIO-based KTRR register access, forcing probabilistic kernel base guessing.
On ARMv8.3-A (A12+), CTRR protections block RoRgn mapping attempts, while PPL sanitizes page table entries.
The exploit currently avoids arm64e due to PAC-enforced pv_head_table isolation and PMAP lockdowns on kernel pages.
Kaspersky’s Operation Triangulation chain reportedly combined this vulnerability with a WebKit renderer exploit, userspace PAC bypass, and PPL escape—components Trigon omits for simplicity.
Future work may integrate these stages for arm64e compatibility, pending Apple’s mitigation analysis.
Trigon demonstrates that hardware-backed kernel protections (KTRR, PPL) can still be bypassed when a memory subsystem flaw gives an attacker a physical mapping primitive.
The GitHub release includes A10(X) support for iOS 13+, though A11 and newer SoCs require architectural adjustments.
This exploit underscores the need for robust integer overflow checks in XNU’s memory APIs and hardware-assisted bounds enforcement.
As Apple hardens against lateral privilege escalation, researchers urge enterprises to prioritize zero-day detection for Mach-level anomalies.