Submit Search
Upload
CanSecWest 2017 - Port(al) to the iOS Core
•
5 likes
•
8,116 views
Stefan Esser
Follow
Introduction to a previously private iOS Kernel Exploitation Technique
Read less
Read more
Technology
Report
Share
Report
Share
1 of 51
Download now
Download to read offline
Recommended
Find your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
Stefan Esser
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
OS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
WSL Reloaded
WSL Reloaded
Anthony LAOU-HINE TSUEI
Recommended
Find your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
Stefan Esser
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
OS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
WSL Reloaded
WSL Reloaded
Anthony LAOU-HINE TSUEI
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
Practical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
QEMU Sandboxing for dummies
QEMU Sandboxing for dummies
Eduardo Otubo
Android Task Hijacking
Android Task Hijacking
Positive Hack Days
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
Sniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
Joe Desimone
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
Advanced heap exploitaion
Advanced heap exploitaion
Angel Boy
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
OWASP Delhi
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
Java Shellcode Execution
Java Shellcode Execution
Ryan Wincey
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Priyanka Aash
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger
리눅스 드라이버 #2
리눅스 드라이버 #2
Sangho Park
More Related Content
What's hot
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
Practical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
QEMU Sandboxing for dummies
QEMU Sandboxing for dummies
Eduardo Otubo
Android Task Hijacking
Android Task Hijacking
Positive Hack Days
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
Sniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
Joe Desimone
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
Advanced heap exploitaion
Advanced heap exploitaion
Angel Boy
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
OWASP Delhi
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
Java Shellcode Execution
Java Shellcode Execution
Ryan Wincey
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Priyanka Aash
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
What's hot
(20)
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
Practical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Pwning in c++ (basic)
Pwning in c++ (basic)
QEMU Sandboxing for dummies
QEMU Sandboxing for dummies
Android Task Hijacking
Android Task Hijacking
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Sniffing Mach Messages
Sniffing Mach Messages
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
Advanced heap exploitaion
Advanced heap exploitaion
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Java Shellcode Execution
Java Shellcode Execution
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Similar to CanSecWest 2017 - Port(al) to the iOS Core
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger
리눅스 드라이버 #2
리눅스 드라이버 #2
Sangho Park
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
Akihiro Suda
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Synack
Attack your Trusted Core
Attack your Trusted Core
Di Shen
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Codemotion
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
Stefan Schimanski
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Codemotion
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Luciano Resende
An Introduction to the Kubernetes API
An Introduction to the Kubernetes API
Stefan Schimanski
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
PROIDEA
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Liang Chen
Auditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
Operating Flink on Mesos at Scale
Operating Flink on Mesos at Scale
Biswajit Das
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP Workshop
Linaro
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
armmbed
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
Chris Simmonds
Similar to CanSecWest 2017 - Port(al) to the iOS Core
(20)
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
리눅스 드라이버 #2
리눅스 드라이버 #2
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Attack your Trusted Core
Attack your Trusted Core
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
An Introduction to the Kubernetes API
An Introduction to the Kubernetes API
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Auditing the Opensource Kernels
Auditing the Opensource Kernels
Operating Flink on Mesos at Scale
Operating Flink on Mesos at Scale
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP Workshop
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
More from Stefan Esser
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Stefan Esser
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
Stefan Esser
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Stefan Esser
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
Stefan Esser
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
Stefan Esser
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
Stefan Esser
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Stefan Esser
More from Stefan Esser
(8)
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Recently uploaded
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Antenna Manufacturer Coco
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
The Digital Insurer
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Maria Levchenko
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
Recently uploaded
(20)
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
CanSecWest 2017 - Port(al) to the iOS Core
1.
Port(al) to the
iOS Core Introduction to a previously private iOS Kernel Exploitation Technique March, 2017
2.
| © 2017
by ANTID0TE All rights reserved Who am I? • Stefan Esser • from Germany • in Information Security since 1998 • SektionEins GmbH from (2007 - 2016) • Antid0te UG (2013 - now) 2
3.
| © 2017
by ANTID0TE All rights reserved What is this talk about? • a “new” (set of) iOS kernel exploitation technique(s) • previously only discussed in my iOS Kernel Exploitation trainings • part of teaching material since around 2015 • trainee from Dec 2016 leaked it within one month to developers of Yalu • who then distributed an iOS 10.2 jailbreak using this technique in Jan 2017 3
4.
| © 2017
by ANTID0TE All rights reserved Previous iOS Kernel Heap Feng Shui / Exploitation Techniques • BlackHat 2012 - iOS Kernel Heap Armageddon Revisited – Author: Stefan Esser – Idea: Fill kernel heap with C++ objects via OSUnserializeXML() and overwrite them – Status: Apple mitigated but a slightly modified technique still usable in iOS 10 • Hack In The Box 2012 - iOS 6 Security – Author(s): Mark Dowd / Tarjei Mandt – Idea: Fill heap with vm_copy_t structures and get information leaks and extended buffer overflows from overwriting them – Status: Apple added mitigations so that technique got less and less valuable 4
5.
| © 2017
by ANTID0TE All rights reserved Status of public iOS Kernel Exploitation • everybody is using the public heap feng shui techniques • bugs are often overflows or UAF • exploitation often targets vm_map_copy_t or kernel C++ objects • Apple keeps adding mitigations against the publicly seen techniques • public techniques become less and less usable ➡ we need a different / new technique 5
6.
| © 2017
by ANTID0TE All rights reserved Ingredients of our Kernel Exploitation Technique(s) 1. idea for a different / new kernel data structure to attack 2. way to fill the kernel heap with this structure or pointers to it 3. strategy how to continue once overwritten 6
7.
| © 2017
by ANTID0TE All rights reserved What Kernel Data Structure should we attack? • there are for sure many data structures in the kernel • but when you look at the Mach part of the kernel • one data structure jumps into your face immediately ➡ mach ports! 7
8.
What are Mach
Ports?
9.
| © 2017
by ANTID0TE All rights reserved What are Mach Ports? • likely the most important data structure in Mach part of kernel • have multiple purposes – act like handles to kernel objects / subsystems – allow sending / receiving messages for IPC • stored internally in ipc_port_t structure 9
10.
| © 2017
by ANTID0TE All rights reserved ipc_port_t (I) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 10 struct ipc_port { /* * Initial sub-structure in common with ipc_pset * First element is an ipc_object second is a * message queue */ struct ipc_object ip_object; struct ipc_mqueue ip_messages; union { struct ipc_space *receiver; struct ipc_port *destination; ipc_port_timestamp_t timestamp; } data; union { ipc_kobject_t kobject; ipc_importance_task_t imp_task; uintptr_t alias; } kdata; struct ipc_port *ip_nsrequest; struct ipc_port *ip_pdrequest; struct ipc_port_request *ip_requests; struct ipc_kmsg *ip_premsg; mach_port_mscount_t ip_mscount; mach_port_rights_t ip_srights; mach_port_rights_t ip_sorights;
11.
| © 2017
by ANTID0TE All rights reserved ipc_port_t (II) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 11 natural_t ip_sprequests:1, /* send-possible requests outstanding */ ip_spimportant:1, /* ... at least one is importance donating */ ip_impdonation:1, /* port supports importance donation */ ip_tempowner:1, /* dont give donations to current receiver */ ip_guarded:1, /* port guarded (use context value as guard) */ ip_strict_guard:1, /* Strict guarding; Prevents user manipulation of context values directly */ ip_reserved:2, ip_impcount:24; /* number of importance donations in nested queue */ mach_vm_address_t ip_context; #if MACH_ASSERT #define IP_NSPARES 4 #define IP_CALLSTACK_MAX 16 queue_chain_t ip_port_links; /* all allocated ports */ thread_t ip_thread; /* who made me? thread context */ unsigned long ip_timetrack; /* give an idea of "when" created */ uintptr_t ip_callstack[IP_CALLSTACK_MAX]; /* stack trace */ unsigned long ip_spares[IP_NSPARES]; /* for debugging */ #endif /* MACH_ASSERT */ };
12.
| © 2017
by ANTID0TE All rights reserved ipc_object_t (I) common data structure for IPC objects like ports defined in /osfmk/ipc/ipc_object.h 12 /* * The ipc_object is used to both tag and reference count these two data * structures, and (Noto Bene!) pointers to either of these or the * ipc_object at the head of these are freely cast back and forth; hence * the ipc_object MUST BE FIRST in the ipc_common_data. * * If the RPC implementation enabled user-mode code to use kernel-level * data structures (as ours used to), this peculiar structuring would * avoid having anything in user code depend on the kernel configuration * (with which lock size varies). */ struct ipc_object { ipc_object_bits_t io_bits; ipc_object_refs_t io_references; lck_spin_t io_lock_data; };
13.
| © 2017
by ANTID0TE All rights reserved Ports as Handles to Kernel Objects / Data Structures • io_bits field filled with kobject type • receiver field points to ipc_space_kernel • kobject field points to kernel data structure 13
14.
| © 2017
by ANTID0TE All rights reserved Possible Kobject Types IPC Kobject types are defined in /osfmk/ipc/ipc_kobject.h 14 #define IKOT_NONE 0 #define IKOT_THREAD 1 #define IKOT_TASK 2 #define IKOT_HOST 3 #define IKOT_HOST_PRIV 4 #define IKOT_PROCESSOR 5 #define IKOT_PSET 6 #define IKOT_PSET_NAME 7 #define IKOT_TIMER 8 #define IKOT_PAGING_REQUEST 9 #define IKOT_MIG 10 #define IKOT_MEMORY_OBJECT 11 #define IKOT_XMM_PAGER 12 #define IKOT_XMM_KERNEL 13 #define IKOT_XMM_REPLY 14 #define IKOT_UND_REPLY 15 #define IKOT_HOST_NOTIFY 16 #define IKOT_HOST_SECURITY 17 #define IKOT_LEDGER 18 #define IKOT_MASTER_DEVICE 19 #define IKOT_TASK_NAME 20 #define IKOT_SUBSYSTEM 21 #define IKOT_IO_DONE_QUEUE 22 #define IKOT_SEMAPHORE 23 #define IKOT_LOCK_SET 24 #define IKOT_CLOCK 25 #define IKOT_CLOCK_CTRL 26 #define IKOT_IOKIT_SPARE 27 #define IKOT_NAMED_ENTRY 28 #define IKOT_IOKIT_CONNECT 29 #define IKOT_IOKIT_OBJECT 30 #define IKOT_UPL 31 #define IKOT_MEM_OBJ_CONTROL 32 #define IKOT_AU_SESSIONPORT 33 #define IKOT_FILEPORT 34 #define IKOT_LABELH 35 #define IKOT_TASK_RESUME 36 #define IKOT_VOUCHER 37 #define IKOT_VOUCHER_ATTR_CONTROL 38
15.
| © 2017
by ANTID0TE All rights reserved Examples • kobject always points to an IKOT specified data structure 15
16.
What are Mach
Messages?
17.
| © 2017
by ANTID0TE All rights reserved What are Mach Messages? • data structures sent to or received from Mach Ports – header with routing information for kernel – optionally descriptors for COMPLEX messages – data that is only between sender and receiver • used for IPC and the Mach API • sent to kernel via mach traps 17
18.
| © 2017
by ANTID0TE All rights reserved Simple vs. Complex Messages • simple messages are just data blobs • complex messages contain descriptors with special meaning for kernel – MACH_MSG_PORT_DESCRIPTOR - embedding a port in a message – MACH_MSG_OOL_DESCRIPTOR - attaching OOL data to message – MACH_MSG_OOL_PORTS_DESCRIPTOR - attaching OOL ports array to message 18 typedef struct { mach_msg_header_t header; char body[]; } mach_msg_simple_t; typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_descriptor_t desc[x]; char data[]; } mach_msg_complex_t;
19.
| © 2017
by ANTID0TE All rights reserved Mach Message Header 19 typedef struct { mach_msg_bits_t msgh_bits; mach_msg_size_t msgh_size; mach_port_t msgh_remote_port; mach_port_t msgh_local_port; mach_port_name_t msgh_voucher_port; mach_msg_id_t msgh_id; } mach_msg_header_t; where to send to where to get reply from id between sender and receiver
20.
| © 2017
by ANTID0TE All rights reserved Sending and Receiving Messages • Mach messages are sent via mach traps 20 mach_msg_return_t mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_size; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_return_t mach_msg_overwrite(msg, option, send_size, rcv_limit, rcv_name, timeout, notify, rcv_msg, rcv_scatter_size) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_limit; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_header_t *rcv_msg; mach_msg_size_t rcv_scatter_size;
21.
| © 2017
by ANTID0TE All rights reserved Sending Mach Messages (Function Overview) 21
22.
| © 2017
by ANTID0TE All rights reserved What is the Mach API? • programming interface offering huge number of functions • internally converts C style function calls into messages • first parameter is always the kernel object port to send message to • usually they manipulate the objects behind the kernel object ports • special code path detects if receiver=ipc_space_kernel • header’s id field selects what API is called 22
23.
| © 2017
by ANTID0TE All rights reserved Mach API Example: vm_write() • C level call to vm_write() automatically converted into Mach message – target_task set as remote port – id set to 3807 23 typedef struct { mach_msg_header_t Head; /* start of the kernel processed data */ mach_msg_body_t msgh_body; mach_msg_ool_descriptor_t data; /* end of the kernel processed data */ NDR_record_t NDR; vm_address_t address; mach_msg_type_number_t dataCnt; } __Request__vm_write_t; kern_return_t vm_write (vm_task_t target_task, vm_address_t address, pointer_t data, mach_msg_type_number_t data_count);
24.
Heap-Feng-Shui for Ports?
25.
| © 2017
by ANTID0TE All rights reserved Ports as Target • kernel object ports point to kernel data structures • overwriting/replacing them would allow calling APIs on fake data structures • wide variety of IKOT types means many types to choose from – IKOT_FILEPORT - fileglob structure has function pointer list – IKOT_IOKIT_CONNECT - C++ object with vtable pointer – … 25
26.
| © 2017
by ANTID0TE All rights reserved Filling the Heap with Ports? • so should we create a lot of ports to fill the heap? • would be possible but ports are stored in their own memory zone • memory corruptions usually involve other memory zones • cross zone attacks are possible but not KISS ➡ let’s add a level of indirection 26
27.
| © 2017
by ANTID0TE All rights reserved Filling the Heap with Pointers to Ports? • instead of filling the heap with ipc_port_t structures fill it with pointers • overwriting a pointer to an ipc_port_t still allows to create a fake port • idea is that pointers are likely allocated in same memory zones as buffers • when in same memory zone exploitation gets a lot easier 27
28.
| © 2017
by ANTID0TE All rights reserved How to fill the memory with Port pointers? • we can fill the memory with pointers to ports by Mach messages • we use MACH_MSG_OOL_PORTS_DESCRIPTOR for this • kernel will allocate memory via kalloc() to store pointers in memory • arbitrary sized allocations by sending right amount of ports 28 /* calculate length of data in bytes, rounding up */ ports_length = count * sizeof(mach_port_t); names_length = count * sizeof(mach_port_name_t); if (ports_length == 0) { return user_dsc; } data = kalloc(ports_length);
29.
| © 2017
by ANTID0TE All rights reserved How to fill the memory with Port pointers? (II) • sending enough messages will fill up the heap pretty quickly • we can send MACH_PORT_NULL or MACH_PORT_DEAD 29
30.
| © 2017
by ANTID0TE All rights reserved Poking holes… • poking holes in the allocation is done by receiving selected messages • kernel code will free the previously allocated memory • deallocation is fine grained because we select what messages to receive • keep in mind the heap randomization since iOS 9.2 30 /* copyout to memory allocated above */ void *data = dsc->address; if (copyoutmap(map, data, rcv_addr, names_length) != KERN_SUCCESS) *mr |= MACH_MSG_VM_SPACE; kfree(data, ports_length);
31.
| © 2017
by ANTID0TE All rights reserved Corrupting Port Pointers • when messages are received all ports within are registered in IPC space • corrupting any of the allocated pointer lists allows injecting a fake port • user space can access the fake port 31 /* copyout port rights carried in the message */ for ( i = 0; i < count ; i++) { ipc_object_t object = (ipc_object_t)objects[i]; *mr |= ipc_kmsg_copyout_object(space, object, disp, &names[i]); }
32.
Faking Ports
33.
| © 2017
by ANTID0TE All rights reserved How to fake a port? (I) • fake pointer must point to something that looks like a port • we need to setup a number of fields for our port to work – io_bits - select one of the possible types and make it active – io_references - better give it some references – io_lock_data - must be valid lock data – kobject - pointer to a fake data structure – receiver - we cannot fill out because we don’t know ipc_space_kernel 33
34.
| © 2017
by ANTID0TE All rights reserved How to fake a port? (II) • fake port and fake data must be in attacker controlled memory • it is required to know address of that memory • easy to do for 64 bit devices (except iPhone 7) because of user land dereferences • requires additional information leaks for iPhone 7 and 32 bit devices (unless already privileged outside the sandbox) 34
35.
| © 2017
by ANTID0TE All rights reserved What can we do with such a faked port? • because we cannot fill in receiver not a fully usable port • it works fine when used as argument to – syscalls – mach traps – as additional parameter Mach API (not 1st argument) • but it will NOT work as first argument to a MachAPI (for this we need the receiver to be ipc_space_kernel) 35
36.
| © 2017
by ANTID0TE All rights reserved Some Examples • some examples of ports we can fake – IKOT_IOKIT_CONNECT - driver connection to a IOUserClient derived object – IKOT_CLOCK - clock object – IKOT_TASK - task object 36
37.
| © 2017
by ANTID0TE All rights reserved Faking IOKit Driver Connection Ports • ports of type IKOT_IOKIT_CONNECT can be used via iokit_user_client_trap() • kobject pointer points to a C++ object • good target because it allows control of the method table • see “HITB2013 - Tales from iOS 6 Exploitation” for example 37
38.
| © 2017
by ANTID0TE All rights reserved Faking Clock Ports (I) • ports of type IKOT_CLOCK can be used via clock_sleep_trap() • kobject pointer points to a struct clock • looks like a good target because there is a function pointer list 38 /* * Actual clock object data structure. Contains the machine * dependent operations list and clock operation ports. */ struct clock { clock_ops_t cl_ops; /* operations list */ struct ipc_port *cl_service; /* service port */ struct ipc_port *cl_control; /* control port */ }; pointer to list of function pointers
39.
| © 2017
by ANTID0TE All rights reserved Faking Clock Ports (II) • code of clock_sleep_internal() will not allow a fake clock struct • only the valid SYSTEM_CLOCK pointer is accepted • otherwise function errors out - triggering code execution not possible 39 validation against our fake clock struct pointer if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE);
40.
| © 2017
by ANTID0TE All rights reserved if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE); Faking Clock Ports (III) • wait a second! • a wrong clock pointer will lead to KERN_FAILURE • a good pointer with bad other arguments leads to KERN_INVALID_VALUE 40 error if our pointer is not pointing to the SYSTEM_CLOCK error if our pointer was okay but other arguments bad
41.
| © 2017
by ANTID0TE All rights reserved Faking Clock Ports (IV) • if we can change kobject we can bruteforce the SYSTEM_CLOCK address • userland dereference makes this easy on 64 bit pre iPhone 7 • this reveals pointer inside kernel image and therefore breaks KASLR 41 our_fake_port->io_bits = IKOT_CLOCK | IO_BITS_ACTIVE; our_fake_port->kobject = low_kernel_address; while (1) { our_fake_port->kobject+= 8; kret = clock_sleep_trap(magicport, 0x12345, 0, 0, NULL); if (kret != KERN_FAILURE) { break; } }
42.
| © 2017
by ANTID0TE All rights reserved Faking Task Ports (I) • ports of type IKOT_TASK have kobject pointer pointing to a task struct • unfortunately cannot be used directly in task Mach API functions • but there are other usages like pid_for_task() - return the pid for a given task 42 t1 = port_name_to_task(t); if (t1 == TASK_NULL) { err = KERN_FAILURE; goto pftout; } else { p = get_bsdtask_info(t1); if (p) { pid = proc_pid(p); reads pointer to struct proc from our fake struct task returns pid from without struct proc
43.
| © 2017
by ANTID0TE All rights reserved Faking Task Ports (II) • our fake IKOT_TASK port points to a fake task struct • the bsd_info fields points anywhere in memory • pid_for_task() will read back at offset 0x10 • allows to read from anywhere in kernel memory 43
44.
| © 2017
by ANTID0TE All rights reserved Faking Task Ports (III) • if we can change kobject we can read everything • userland dereference makes this easy on 64 bit pre iPhone 7 • this allows to read important variables like ipc_space_kernel • this means afterwards we can use Mach API with our fake port 44
45.
Our Port(al) to
the Core Kernel Task Port
46.
| © 2017
by ANTID0TE All rights reserved Kernel Task Port • among all the ports in an iOS system the kernel task port is the holy grail • with access to the kernel task port we can manipulate the kernel memory – vm_read - allows reading kernel memory – vm_write - allows writing kernel memory – vm_allocate - allows allocating memory inside the kernel address space – … • whoever has access to the kernel task port more or less controls the system • to turn out fake task port into a kernel task port we need to know kernel_task and ipc_space kernel 46
47.
| © 2017
by ANTID0TE All rights reserved Attack Plan for 64 bit devices (except iPhone 7) • Corruption Phase - perform heap feng shui with OOL_PORTS_DESCRIPTORS - corrupt any of the “sprayed” port pointers - receive all messages to get access to port • Post Corruption Phase - fake a CLOCK port to break KASLR - via bruteforce of clock address - fake a TASK port and TASK struct to have arbitrary kernel read - read ipc_space_kernel and kernel_task - fake a kernel TASK port 47
48.
| © 2017
by ANTID0TE All rights reserved Faking the KERNEL TASK Port (I) • with ipc_space_kernel our fake ports can be used in Mach API • with kernel_task we can fake a kernel task port • mach API gives us read/write access to kernel memory • Game Over! 48
49.
Conclusion
50.
| © 2017
by ANTID0TE All rights reserved Conclusion • overwriting port pointers – allows to gain code execution – or full read write access to kernel memory • heap feng shui with mach messages and OOL_PORTS_DESCRIPTOR – gives fine grained control over heap – fills heap with port pointers that when corrupted • post corruption code is fully reusable for different corruptions (64bit before i7) 50
51.
Questions ? www.antid0te.com stefan@antid0te.com © 2017
by ANTID0TE. All rights reserved
Download now