
Commit b96b1cb

Update README.
1 parent 20174b2 commit b96b1cb

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

  • apple/darwin-xnu/icmp_error_CVE-2018-4407

apple/darwin-xnu/icmp_error_CVE-2018-4407/README.md

@@ -1,6 +1,6 @@
11
## Heap buffer overflow in icmp_error (CVE-2018-4407)
22

3-
Proof-of-concept exploit for a remotely triggerable heap buffer overflow vulnerability in iOS 11.4.1 and macOS 10.13.6. This exploit can be used to crash any vulnerable iOS or macOS device that is connected to the same network as the attacker's computer. The exploit involves sending a TCP packet with non-default options in the IP and TCP headers. Some routers refuse to deliver such packets, so the exploit might not work on some networks. In particular, most internet routers seem to drop such packets. However, it worked on every home and office network that I have tested it on.
3+
Proof-of-concept exploit for a remotely triggerable heap buffer overflow vulnerability in iOS 11.4.1 and macOS 10.13.6. This exploit can be used to crash any vulnerable iOS or macOS device that is connected to the same network as the attacker's computer. The vulnerability can be triggered without any user interaction on the victim's device. The exploit involves sending a TCP packet with non-zero options in the IP and TCP headers. It is possible that some routers or switches will refuse to deliver such packets, but it has worked for me on all the home and office networks that I have tried it on. However, I have found that it is not usually possible to send the malicious packet across the internet.
44

55
For more information about the vulnerability, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407).
66

@@ -14,7 +14,9 @@ The exploit sets `icmplen == 120`, which is far too big for the destination buff
1414
1515
## Usage
1616
17-
The exploit code is designed to be built and run on Linux. To build:
17+
The exploit code is designed to be built and run on Linux. The code uses a raw socket to send the malicious packet, because we need to have complete control over the contents of the IP and TCP headers. On Linux, root privileges are required to open a raw socket. Therefore, `sudo` is required to run the PoC. But this is on the attacker's computer, not the victim's, so it does not mitigate the severity of the vulnerability. The code does not do anything malicious to the Linux machine: the root privileges are only used to open a raw socket.
18+
19+
To build the PoC:
1820
1921
```bash
2022
make
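Review bot: the added paragraph at line 17 states that `sudo` is required to run the PoC, but the usage context that follows shows only `make`; make sure the run command later in this section is shown with `sudo` as well, otherwise the new explanation points at a step the reader cannot see. On the privilege point, the text correctly says root is needed only to open the raw socket; it could add that granting the binary `CAP_NET_RAW` (for example with `setcap cap_net_raw+ep`) is enough on Linux, which states the minimum privilege more precisely than "`sudo` is required" and avoids running the whole program as root. Minor wording: "does not mitigate the severity of the vulnerability" reads better as "does not reduce the severity of the vulnerability".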
