myhack58 | author: Anonymous (佚名) | MYHACK58:62201565010
Jul 24, 2015 - 12:00 a.m.

Analysis of an iPhone blue-screen 0day: playing a video triggers a kernel denial of service (vulnerability warning, myhack58.com)


Recently someone shared a video link in a WeChat group; when users of Apple devices clicked the link and the video started playing, the device restarted. After the problem was reported, @Proteas, a core member of the 360 Nirvan Team, obtained samples and analysed them immediately. Tested on non-jailbroken iPhones running iOS 8.0.2, iOS 8.4, iOS 8.4.1 Beta 1 and iOS 9 Beta 3, every system blue-screened and restarted, so this was judged to be a 0day. The detailed analysis of why the iPhone blue-screens follows.
By dumping the arm64 kernel and analysing the panic log in detail, we determined that the crash happens in the kernel extension AppleVXD393.kext, which is mainly used to decode video frames. The cause of the vulnerability is that a pointer is used without checking its validity, leading to a null pointer dereference. During the analysis we also found another exploitable 0day in the same extension; it has been submitted to Apple and is awaiting confirmation.
To make testing easier we first wrote a simple app whose only purpose is to trigger the system crash; the blue screen and restart that follow are shown in this video demo: http://v.youku.com/v_show/id_XMTI5MTgzNjc2NA. The detailed analysis below then locates the module and the specific code where the kernel crashes.
![Screenshot: the device blue-screens and restarts after the video is played](/Article/UploadPic/2015-7/201572418257340.png)
Vulnerability impact
1. The DoS affects non-jailbroken devices. Combining the devices we tested by hand with the reverse analysis, it may affect all 64-bit devices on iOS 8 and above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini, etc.
2. If the link is spread through a website or a platform, it can cause a large-scale denial of service.
Writing a helper program to trigger the crash
Because the analysis may require causing the kernel crash many times, triggering it from WeChat every time would be tedious and unreliable, so we first extract the video and then play it from our own app.
The app is very simple; when running, its interface looks like this:
![Screenshot: the test app, a single "Play Video" button](/Article/UploadPic/2015-7/201572418258949.png)
Clicking "Play Video" starts the player on the problematic video, which then crashes the system. We hit a small problem here: we first used MPMoviePlayerController, but with the problematic video it stayed in the loading state forever, so we switched to AVPlayer. To make it easy for everyone to build a demo for testing, the code behind "Play Video" is given below:

```objc
#import <UIKit/UIKit.h>
#import <AVFoundation/AVFoundation.h>
#import "ViewController.h"

// The player must be retained, otherwise it is released before playback starts
@interface ViewController ()
@property (nonatomic, strong) AVPlayer *avPlayer;
@end

@implementation ViewController
// Configure the interface
- (void)viewDidLoad {
    [super viewDidLoad];

    self.view.backgroundColor = [UIColor lightGrayColor];

    UIButton *playBtn = [UIButton buttonWithType:UIButtonTypeRoundedRect];
    playBtn.frame = CGRectMake(40.0f, 40.0f, 200.0f, 48.0f);
    playBtn.center = self.view.center;
    playBtn.backgroundColor = [UIColor darkGrayColor];
    [playBtn setTitle:@"Play Video" forState:UIControlStateNormal];
    [playBtn setTitle:@"Play Video" forState:UIControlStateHighlighted];
    playBtn.titleLabel.font = [UIFont systemFontOfSize:32.0f];

    [playBtn addTarget:self action:@selector(onPlayButtonClicked:) forControlEvents:UIControlEventTouchUpInside];

    [self.view addSubview:playBtn];
}
// Lock the interface to portrait so rotation does not mess up the layout
- (NSUInteger)supportedInterfaceOrientations
{
    return UIInterfaceOrientationMaskPortrait;
}
// Respond to the button click by bringing up the player
- (void)onPlayButtonClicked:(UIButton *)aSender
{
    // crash.mp4 is the problematic video, bundled with the app
    NSString *videoPath = [[NSBundle mainBundle] pathForResource:@"crash" ofType:@"mp4"];

    self.avPlayer = [AVPlayer playerWithURL:[NSURL fileURLWithPath:videoPath]];

    AVPlayerLayer *playerLayer = [AVPlayerLayer playerLayerWithPlayer:self.avPlayer];
    self.avPlayer.actionAtItemEnd = AVPlayerActionAtItemEndNone;
    playerLayer.frame = self.view.bounds;
    [self.view.layer addSublayer:playerLayer];

    [self.avPlayer play];
}
@end
```
Locating the crash point and the relevant module
First play the video; the system crashes. After the device reboots, read the crash log from the device. Its main content is as follows:
![Screenshot: the kernel panic log, with pc, lr and the kernel slide circled](/Article/UploadPic/2015-7/201572418258807.png)
In the figure the important values are circled; pc and lr are what we use to locate the crash point. The kernel slide is also very important, because the register values in the figure are the values after the slide has been applied, and because of KASLR this slide changes on every boot. We first need to convert them back to the real (unslid) addresses:

```
pc = 0xffffff80020c92e0 = 0xffffff800e2c92e0 - 0x000000000c200000
lr = 0xffffff8003043a58 = 0xffffff800f243a58 - 0x000000000c200000
```
Once we have the real crash addresses, we dump the kernel ourselves, because no decrypted arm64 kernel is available. The dump tool reports:

```
[+] kernel slide: 0x2000000
[+] kernel start: 0xffffff8004002000
[+] vm perm value: 0x9d46a8bdc73a4755
```
You can see that the slide at dump time differs from the slide at crash time, so we convert the crash addresses into the address space of the kernel we dumped:

```
pc = 0xffffff80040c92e0 = 0xffffff80020c92e0 + 0x2000000
lr = 0xffffff8005043a58 = 0xffffff8003043a58 + 0x2000000
```
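The two conversions above (strip the crash-time slide, then add the dump-time slide) are the routine step in any iOS panic triage, so here is an added Python helper that does them for every register in a panic log rather than just pc and lr by hand. It is not part of the original article or the 360 Nirvan Team's tooling. The panic-log excerpt and the dump-tool listing inside it are constructed from the values quoted on this page; the exact line layout of a real panic log ("pc: ...", "Kernel slide: ...") is an assumption.

```python
import re

# Constructed panic-log excerpt using the register values and crash-time slide
# quoted in the article. The line format approximates an iOS arm64 panic log
# and is an assumption, not a quote from the real log (which the page shows only
# as a screenshot).
PANIC_LOG = """\
x0: 0x0000000000000000  x1: 0x0000000000000000
pc: 0xffffff800e2c92e0  lr: 0xffffff800f243a58
Kernel slide:     0x000000000c200000
"""

# Constructed output of the kernel-dump tool, matching the lines quoted above.
DUMP_INFO = """\
[+] kernel slide: 0x2000000
[+] kernel start: 0xffffff8004002000
"""

REG_RE = re.compile(r"\b(pc|lr|x\d+):\s*(0x[0-9a-fA-F]+)")
SLIDE_RE = re.compile(r"kernel slide:\s*(0x[0-9a-fA-F]+)", re.IGNORECASE)


def parse_slide(text):
    """Return the KASLR slide reported in a panic log or a dump listing."""
    m = SLIDE_RE.search(text)
    if m is None:
        raise ValueError("no kernel slide line found")
    return int(m.group(1), 16)


def parse_registers(text):
    """Return {name: value} for every pc/lr/xN register line in a panic log."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def unslide(addr, slide):
    """Convert a slid (runtime) address back to the static address in the kernel image."""
    return addr - slide


def rebase(addr, src_slide, dst_slide):
    """Translate an address slid by src_slide into the address space slid by dst_slide."""
    return unslide(addr, src_slide) + dst_slide


def crash_addresses_in_dump(panic_log, dump_info, names=("pc", "lr")):
    """Map registers from the panic log into the address space of a dumped kernel.

    Returns {name: (as_logged, static, in_dump)} for each requested register.
    The slides come from the two inputs, so the same code works for any boot.
    """
    crash_slide = parse_slide(panic_log)
    dump_slide = parse_slide(dump_info)
    regs = parse_registers(panic_log)
    out = {}
    for name in names:
        as_logged = regs[name]
        static = unslide(as_logged, crash_slide)
        out[name] = (as_logged, static, rebase(as_logged, crash_slide, dump_slide))
    return out


if __name__ == "__main__":
    for name, (as_logged, static, in_dump) in crash_addresses_in_dump(PANIC_LOG, DUMP_INFO).items():
        print(f"{name}: log {as_logged:#018x} -> static {static:#018x} -> dump {in_dump:#018x}")
```

Running it reproduces the article's figures: pc maps from 0xffffff800e2c92e0 to the static 0xffffff80020c92e0 and then to 0xffffff80040c92e0 in the dumped kernel, and lr likewise ends at 0xffffff8005043a58. Since the slide is read from each input rather than hard-coded, the same script works across reboots, which matters because every panic you collect will carry a different slide.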
