文档章节

Summary of Critical and Exploitable iOS Vulnerabilities in 2016

阿里聚安全
 阿里聚安全
发布于 2016/12/29 15:46
字数 1319
阅读 12
收藏 0

#Summary of Critical and Exploitable iOS Vulnerabilities in 2016

Author:Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky

##0x00 Introduction

iOS security is far more fragile than you believe. And there are lots of critical and exploitable iOS vulnerabilities in the wild. We summarized these critical iOS vulnerabilities which can be used for remote code execution or jailbreaking in this report. Hopefully, it can bring some help for your mobile security research.

##0x01 iOS 10.1.1 Critical and Exploitable Vulnerabilities

  1. Mach_portal exploit chain: The exploit chain was published by Ian Beer of Google Project Zero. The whole exploit chain consists of three vulnerabilities:

CVE-2016-7637: Broken kernel Mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes. **CVE-2016-7661: **MacOS/iOS arbitrary port replacement in powerd. CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port.

The attacker first uses CVE-2016-7637 to replace launchd's send right to “com.apple.iohideventsystem” with a send right to a port which belongs to the attacker. The attacker also holds the receive right of that port. Then the attacker uses CVE-2016-7661 to crash the “powerd” daemon which runs as root. Because of the daemon mechanism, the “powerd” will automatically restart but its startup process will look up the “com.apple.iohideventsystem” Mach service and send its own task port to that service. Because the attacker holds the receive right of that port which means the “powerd” actually sends its task port to the attacker. After that, the attacker uses “powerd”'s task port to get the host_priv port which is used to trigger the XNU kernel UaF bug (CVE-2016-7644). Because the kernel forgets to lock the set_dp_control_port when releasing a reference on a port, the attacker can get a send right to the kernel task port. After getting the kernel task port, the attacker can use mach_vm_read() and mach_vm_write() which provided by the XNU system to modify kernel memory.

In 2016.12.22, based on the Beer’s Mach_portal exploit chain, qwertyoruiop added KPP bypass, kernel patch, and Cydia installation on this project. Then he released iOS 10.0./10.1. jailbreak for arm64 devices on yalu.qwertyoruiop.com.

##0x02 iOS 9.3.4 Critical and Exploitable Vulnerabilities

  1. PEGASUS/Trident exploit chain: The exploit chain was found from an apt issue for a human rights activist. There are three vulnerabilities in the Trident exploit:

CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution. CVE-2016-4655: An application may be able to disclose kernel memory. CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.

For Safari browser, the vulnerability exists within the slowAppend() method of MarkedArgumentBuffer in JavaScriptCore library and can be exploited via the usage of a MarkedArgumentBuffer in the static defineProperties() method. The Pegasus exploit chain triggers this vulnerability by passing a specially crafted sequence of properties to the defineProperties() method and then gets read/write and code execution ability.

For the XNU kernel, the vulnerability exists in the OSUnserializeBinary() method which is used to unserialize the data from the user land input. Because OSUnserializeBinary() doesn’t check the length of serialized OSNumber, the attacker can get leaked kernel stack information using io_registry_entry_get_property_bytes(). On the other hand, by using a crafted serialized OSString Object, the attacker can trigger UaF vulnerability in the kernel and then get the read and write ability of the kernel memory.

In addition, by using JavaScriptCore vulnerability, PEGASUS exploit chain can persist after rebooting which means untethered jailbreak. Last but not least, more details about this exploit chain can be referred to our previous article: https://jaq.alibaba.com/community/art/show?articleid=532 and DEMOs:

Youtube: https://www.youtube.com/watch?v=EwRVvUKBSKQ **Youku: **http://v.youku.com/v_show/id_XMTg4NzA5OTEwOA==.html

##0x03 iOS 9.3.3 Critical and Exploitable Vulnerabilities

  1. IOMobileFramebuffer Kernel Heap Overflow: This vulnerability exists in the IOMobileFramebuffer IOKit kernel service. Because IOMobileFramebuffer::swap_submit(IOMFBSwap *) doesn’t check the IOMFBSwap data from the user land, the attacker can use a crafted IOMFBSwap data to achieve a heap overflow in the kernel and then translate it into kernel read/write ability. This vulnerability can be triggered in the sandbox (do not need sandbox escapes) and it was used in the Pangu’s iOS 9.3.3 jailbreak.

##0x04 iOS 9.3.2 Critical and Exploitable Vulnerabilities

  1. **WebKit heapPopMin Remote Code Execution: **This vulnerability exists in the WebCore ::TimerBase::heapPopMin() and the attacker can use this vulnerability to achieve arability code execution in Safari through a crafted html webpage. Note that the Safari process is sandboxed. So, the attacker needs to do a sandbox escape if he wants to get more user data or attack the kernel.

  2. GasGauge Race Condition: This vulnerability was disclosed by qwertyoruiop. Because GasGauge kernel service doesn’t lock the process when it frees the memory, the attacker can use multi-thread to do the race. If the race wins, the vulnerability will cause double free. In addition, the attack can translate it into UaF in any zone and achieve kernel read/write ability. Note that this kernel service cannot be reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

##0x05 iOS 9.3.1 Critical and Exploitable Vulnerabilities

  1. InpuTbag Heap Overflow: This vulnerability was disclosed by Team OverSky of Alibaba mobile security. The vulnerability exists in the postElementValues() method of IOHIDDevice kernel service. Because the postElementValues() method doesn’t check the size of input report, the attacker can use a crafted input report to overflow the kernel heap and then achieve kernel read/write ability. Note that this kernel service cannot be reached in the sandbox and it needs “com.apple.hid.manager.user-access-device” entitlement. So the attack needs a sandbox escape and an entitlement bypass before using this vulnerability.

##0x06 iOS 9.1 Critical and Exploitable Vulnerabilities

  1. CVE-2015-7037 Photos Sandbox Escape: The vulnerability exists in the com.apple.PersistentURLTranslator.Gatekeeper XPC service. By using a crafted XPC message, the attacker can achieve arbitrary file read/write ability of “mobile” user outside the sandbox. Combining with the vulnerability of dyld, the attacker can achieve arbitrary code execution outside the sandbox.

  2. CVE-2015-7084 IORegistryIterator Race Condition: The vulnerability exists in the IOKit kernel service. Because the kernel does not lock the process when it frees the IORegistryIterator object, the attacker can use multi-thread to do the race. If the race wins, the vulnerability will cause a double free. Then the attacker can use the vulnerability to achieve kernel read/write ability and jailbreak the iOS devices.

##0x07 iOS 9.0 Critical and Exploitable Vulnerabilities

  1. CVE-2015-6974 IOHIDFamily UaF: The vulnerability exists in the IOHIDResource kernel service. The kernel service does not set the “device” pointer to NULL after releasing the device in the terminateDevice() method. The attacker can use this vulnerability to trigger UaF in the kernel and then translate into kernel read/write ability. This vulnerability was used in the Pangu’s iOS 9.0 jailbreak. Note that this kernel service cannot be reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

##0x08 Summary

We can clearly observe that the number of critical and exploitable vulnerabilities in 2016 is very large. However, lots of iOS devices cannot upgrade to the latest iOS version. In addition, there are minor changes in recent iOS systems. So, more and more people lack interest in upgrading their devices.

According to one professional mobile statistics platform, only 3.28% devices are using the latest iOS 10.2 in December of 2016. It means 96.72% devices can be exploited by Mach_portal exploit chain at that time. Therefore, we kindly remind customers to upgrade their devices and be careful with the potential threats in the future.

Last but not least,you can find iOS jailbreak vulnerabilities and materials related to this article in our Github:https://github.com/zhengmin1989/GreatiOSJailbreakMaterial

© 著作权归作者所有

阿里聚安全
粉丝 29
博文 89
码字总数 191047
作品 0
杭州
私信 提问
iOS代码技巧之判断设备及状态

一、判断设备 //设备名称return [UIDevice currentDevice].name; //设备型号,只可得到是何设备,无法得到是第几代设备return [UIDevice currentDevice].model; //系统版本型号,如iPhone OS...

谁家的阿毛
2014/04/17
217
0
Opera 已确认解散 iOS 开发团队

挪威浏览器开发商 Opera 在苹果 iOS 平台上的产品 Opera Mini 和 Opera Coast 自 2017 年以来就没有更新过,用户联络了该公司询问发生了什么事情,结果被告知 Opera 已经没有了 iOS 开发团队...

局长
2017/05/27
4K
20
Genesis-3D新手入门——14.发布到iOS平台

发布到iOS平台 在游戏制作完毕后,需要进行平台打包才能最终发布。Genesis-3D是一个可以支持很多平台的编辑器,这一篇我们就来学习如何让你把制作出的游戏在iOS平台上运行。 准备步骤 1.注册...

lengche
2014/02/20
38
0
泄露 iOS 9 关键源码 iBoot 的人,居然是苹果的实习生

之前苹果公司确认自家的 iOS 9 部分源代码被泄露到 GitHub 上,大家惊呼怎么可能发生这种可怕的事情,外媒 Motherboard 再次深入调查了解背后的故事,最终他们找到了上传源代码的匿名人士,并...

局长
2018/02/11
7.8K
27
iOS冰与火之歌(番外篇) - 基于PEGASUS(Trident三叉戟)的OS X 10.11.6本地提权

0x00 序 这段时间最火的漏洞当属阿联酋的人权活动人士被apt攻击所使用的iOS PEGASUS(又称Trident三叉戟)0day漏洞了。为了修复该漏洞,苹果专门发布了一个iOS 9.3.5版本。这个漏洞的厉害之处...

阿里聚安全
2016/09/29
89
0

没有更多内容

加载失败,请刷新页面

加载更多

3_数组

3_数组

行者终成事
55分钟前
7
0
经典系统设计面试题解析:如何设计TinyURL(二)

原文链接:https://www.educative.io/courses/grokking-the-system-design-interview/m2ygV4E81AR 编者注:本文以一道经典的系统设计面试题:《如何设计TinyURL》的参考答案和解析为例,帮助...

APEMESH
今天
7
0
使用logstash同步MySQL数据到ES

概述   在生成业务常有将MySQL数据同步到ES的需求,如果需要很高的定制化,往往需要开发同步程序用于处理数据。但没有特殊业务需求,官方提供的logstash就很有优势了。   在使用logstas...

zxiaofan666
今天
10
0
X-MSG-IM-分布式信令跟踪能力

经过一周多的鏖战, X-MSG-IM的分布式信令跟踪能力已基本具备, 特点是: 实时. 只有要RX/TX就会实时产生信令跟踪事件, 先入kafka, 再入influxdb待查. 同时提供实时sub/pub接口. 完备. 可以完整...

dev5
今天
7
0
OpenJDK之CyclicBarrier

OpenJDK8,本人看的是openJDK。以前就看过,只是经常忘记,所以记录下 图1 CyclicBarrier是Doug Lea在JDK1.5中引入的,作用就不详细描述了,主要有如下俩个方法使用: await()方法,如果当前线...

克虏伯
今天
8
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部