
Summary of Critical and Exploitable iOS Vulnerabilities in 2016

Author: Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky

0x00 Introduction

iOS security is far more fragile than you might believe, and there are many critical and exploitable iOS vulnerabilities in the wild. In this report we summarize the critical iOS vulnerabilities that can be used for remote code execution or jailbreaking. We hope it helps your mobile security research.

0x01 iOS 10.1.1 Critical and Exploitable Vulnerabilities

  1. Mach_portal exploit chain: The exploit chain was published by Ian Beer of Google Project Zero. The whole exploit chain consists of three vulnerabilities:

CVE-2016-7637: Broken kernel Mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes.
CVE-2016-7661: MacOS/iOS arbitrary port replacement in powerd.
CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port.

The attacker first uses CVE-2016-7637 to replace launchd's send right to “com.apple.iohideventsystem” with a send right to a port that the attacker owns; the attacker also holds the receive right for that port. The attacker then uses CVE-2016-7661 to crash the “powerd” daemon, which runs as root. Because of the daemon mechanism, “powerd” restarts automatically, and during startup it looks up the “com.apple.iohideventsystem” Mach service and sends its own task port to that service. Since the attacker holds the receive right for that port, “powerd” actually sends its task port to the attacker. The attacker then uses “powerd”'s task port to obtain the host_priv port, which is used to trigger the XNU kernel UaF bug (CVE-2016-7644). Because the kernel fails to take the lock in set_dp_control_port when releasing a reference on a port, the attacker can obtain a send right to the kernel task port. With the kernel task port, the attacker can use mach_vm_read() and mach_vm_write(), which are provided by XNU, to modify kernel memory.

On 2016-12-22, building on Beer’s Mach_portal exploit chain, qwertyoruiop added a KPP bypass, kernel patches, and Cydia installation to the project. He then released the iOS 10.0.x/10.1.x jailbreak for arm64 devices at yalu.qwertyoruiop.com.

0x02 iOS 9.3.4 Critical and Exploitable Vulnerabilities

  1. PEGASUS/Trident exploit chain: The exploit chain was discovered in an APT attack against a human rights activist. There are three vulnerabilities in the Trident exploit:

CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution.
CVE-2016-4655: An application may be able to disclose kernel memory.
CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.

In the Safari browser, the vulnerability lies in the slowAppend() method of MarkedArgumentBuffer in the JavaScriptCore library and can be reached through the use of a MarkedArgumentBuffer in the static defineProperties() method. The Pegasus exploit chain triggers this vulnerability by passing a specially crafted sequence of properties to defineProperties(), and from there obtains memory read/write and code execution.

In the XNU kernel, the vulnerability lies in the OSUnserializeBinary() method, which deserializes data supplied from user land. Because OSUnserializeBinary() does not check the length of a serialized OSNumber, the attacker can obtain leaked kernel stack contents via io_registry_entry_get_property_bytes(). Separately, a crafted serialized OSString object triggers a UaF in the kernel, which the attacker turns into kernel memory read/write.
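As an added illustration of the bug class described above (not XNU code, and not the real OSUnserializeBinary() format), the toy deserializer below uses a constructed record layout of one tag byte, one bit-length byte and eight value bytes: the vulnerable parser trusts the declared bit length, so the property reader hands back bytes from beyond the 8-byte number, while the hardened parser rejects any width the 64-bit storage cannot hold.

```c
#include <stdint.h>
#include <string.h>

#define TAG_NUMBER      0x04   /* constructed tag value, not the real OSUnserializeBinary encoding */
#define MAX_NUMBER_BITS 64     /* an OSNumber-style value is at most 64 bits wide */
#define RECORD_LEN      10     /* 1 tag byte + 1 bit-length byte + 8 value bytes */

typedef struct {
    uint8_t  bits;             /* declared width of the number, taken from the input */
    uint64_t value;
} toy_number_t;

/* Vulnerable parser: accepts whatever bit length the input declares. */
int parse_number_vuln(const uint8_t *in, size_t in_len, toy_number_t *out)
{
    if (in_len < RECORD_LEN || in[0] != TAG_NUMBER)
        return -1;
    out->bits = in[1];                       /* no range check */
    memcpy(&out->value, in + 2, sizeof out->value);
    return 0;
}

/* Hardened parser: a declared width the 64-bit storage cannot hold is rejected. */
int parse_number_safe(const uint8_t *in, size_t in_len, toy_number_t *out)
{
    if (in_len < RECORD_LEN || in[0] != TAG_NUMBER)
        return -1;
    if (in[1] == 0 || in[1] > MAX_NUMBER_BITS)
        return -1;                           /* the check the vulnerable path lacks */
    out->bits = in[1];
    memcpy(&out->value, in + 2, sizeof out->value);
    return 0;
}

/* Property reader modelled on the leak: it copies bits/8 bytes of "the number" out of a
 * stack buffer that holds only 8 meaningful bytes. stale[] is filled with 0xAA as a
 * constructed stand-in for whatever stale kernel stack data would really sit there. */
size_t get_property_bytes(const toy_number_t *n, uint8_t *dst, size_t dst_len)
{
    uint8_t stale[64];
    memset(stale, 0xAA, sizeof stale);       /* constructed stand-in for stale stack data */
    memcpy(stale, &n->value, sizeof n->value);
    size_t want = (size_t)n->bits / 8;       /* exceeds 8 whenever bits > 64 */
    if (want > dst_len) want = dst_len;
    if (want > sizeof stale) want = sizeof stale;
    memcpy(dst, stale, want);                /* bytes 8.. are not part of the number */
    return want;
}
```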

In addition, by reusing the JavaScriptCore vulnerability, the PEGASUS exploit chain can persist across reboots, which makes it an untethered jailbreak. Last but not least, more details on this exploit chain can be found in our previous article: https://jaq.alibaba.com/commu... and in the demos:

Youtube: https://www.youtube.com/watch...
Youku: http://v.youku.com/v_show/id_...

0x03 iOS 9.3.3 Critical and Exploitable Vulnerabilities

  1. IOMobileFramebuffer Kernel Heap Overflow: This vulnerability exists in the IOMobileFramebuffer IOKit kernel service. Because IOMobileFramebuffer::swap_submit(IOMFBSwap *) does not validate the IOMFBSwap data received from user land, the attacker can use crafted IOMFBSwap data to cause a heap overflow in the kernel and then turn it into kernel read/write. This vulnerability can be triggered from inside the sandbox (no sandbox escape is needed), and it was used in Pangu’s iOS 9.3.3 jailbreak.

0x04 iOS 9.3.2 Critical and Exploitable Vulnerabilities

  1. WebKit heapPopMin Remote Code Execution: This vulnerability exists in WebCore::TimerBase::heapPopMin(), and the attacker can use it to achieve arbitrary code execution in Safari through a crafted HTML web page. Note that the Safari process is sandboxed, so the attacker needs a sandbox escape to obtain more user data or attack the kernel.

  2. GasGauge Race Condition: This vulnerability was disclosed by qwertyoruiop. Because the GasGauge kernel service does not hold a lock while freeing memory, the attacker can race it from multiple threads. If the race is won, the result is a double free, which the attacker can turn into a UaF in any zone and then into kernel read/write. Note that this kernel service cannot be reached from inside the sandbox, so the attacker needs a sandbox escape before using this vulnerability.

0x05 iOS 9.3.1 Critical and Exploitable Vulnerabilities

  1. InpuTbag Heap Overflow: This vulnerability was disclosed by Team OverSky of Alibaba mobile security. It exists in the postElementValues() method of the IOHIDDevice kernel service. Because postElementValues() does not check the size of the input report, the attacker can use a crafted input report to overflow the kernel heap and then achieve kernel read/write. Note that this kernel service cannot be reached from inside the sandbox and requires the “com.apple.hid.manager.user-access-device” entitlement, so the attacker needs both a sandbox escape and an entitlement bypass before using this vulnerability.

0x06 iOS 9.1 Critical and Exploitable Vulnerabilities

  1. CVE-2015-7037 Photos Sandbox Escape: The vulnerability exists in the com.apple.PersistentURLTranslator.Gatekeeper XPC service. With a crafted XPC message, the attacker gains arbitrary file read/write as the “mobile” user outside the sandbox. Combined with a dyld vulnerability, this gives the attacker arbitrary code execution outside the sandbox.

  2. CVE-2015-7084 IORegistryIterator Race Condition: The vulnerability exists in the IOKit kernel service. Because the kernel does not hold a lock while freeing the IORegistryIterator object, the attacker can race it from multiple threads. If the race is won, the result is a double free, which the attacker can then use to achieve kernel read/write and jailbreak the device.

0x07 iOS 9.0 Critical and Exploitable Vulnerabilities

  1. CVE-2015-6974 IOHIDFamily UaF: The vulnerability exists in the IOHIDResource kernel service, which does not set the “device” pointer to NULL after releasing the device in the terminateDevice() method. The attacker can use this to trigger a UaF in the kernel and turn it into kernel read/write. This vulnerability was used in Pangu’s iOS 9.0 jailbreak. Note that this kernel service cannot be reached from inside the sandbox, so the attacker needs a sandbox escape before using this vulnerability.

0x08 Summary

We can clearly see that the number of critical and exploitable vulnerabilities in 2016 is very large. However, many iOS devices cannot upgrade to the latest iOS version. In addition, recent iOS releases contain only minor changes, so more and more users have little interest in upgrading their devices.

According to one professional mobile statistics platform, only 3.28% of devices were running the latest iOS 10.2 in December 2016. That means 96.72% of devices could be exploited by the Mach_portal exploit chain at that time. We therefore kindly remind users to upgrade their devices and stay alert to potential threats in the future.

Last but not least, you can find the iOS jailbreak vulnerabilities and materials related to this article in our GitHub repository: https://github.com/zhengmin19...

Article link: https://blog.csdn.net/weixin_34261415/article/details/89155711
