More on CVE-2017-7047 Triple_Fetch and the iOS 10.3.2 sandbox escape - vulnerability alert - myhack58 (黑吧安全网)

ID MYHACK58:62201788562
Type myhack58
Reporter Anonymous
Modified 2017-08-14T00:00:00


Ian Beer of Google has released an exploit for CVE-2017-7047 (Triple_Fetch) [1], and chenliang of KeenLab has published an analysis of Triple_Fetch [2]. Both the vulnerability and the exploit nevertheless contain many points of interest, and plenty of detail remains worth digging into. This article therefore gives a brief analysis of how the vulnerability arises, then describes the exploit in detail, and finally shows how the vulnerability can be used for a sandbox escape on iOS 10.3.2.

0x01 How the CVE-2017-7047 Triple_Fetch vulnerability arises

[figure]

chenliang's root-cause analysis is already very detailed, so only a short description is given here. Transferring large blocks of memory through an XPC service is inefficient, so to reduce transmission time Apple maps any OS_xpc_data larger than 0x4000 bytes with mach_vm_map and then sends the other side a send right to the port backing that memory. This sharing is based on shared physical pages: sender and receiver see the same memory, so if the sender modifies the data after sending it, the receiver's view of the data changes as well. Through a race condition the receiver can thus be made to read different data where it assumes it is reading the same data twice; if the receiver does not account for this, a vulnerability can result. For example, suppose the receiver first reads the string @"ABCD", including the @ and the quotes, and allocates 7 bytes for it. If the string is then changed to @"ABCDOVERFLOW_OVERFLOW_OVERFLOW" before the copy is performed, the receiver keeps copying until it reaches the closing " and overflows the 7-byte buffer.
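As an added illustration of the shared-page double fetch described above (constructed for this article, not code from the original post or from Beer's exploit), the following C model shows a receiver that measures a quoted string on the shared page and then reads the page again while copying, beside a receiver that snapshots the page once and parses only its private copy. All names here (measure_quoted, copy_double_fetch, copy_snapshot, racing_sender, bytes_copied, PAGE) are hypothetical, and the racing sender is simulated by a callback invoked between the two reads.

```c
#include <stddef.h>
#include <string.h>
#define PAGE 64                        /* size of the constructed shared page */
typedef void (*race_hook_t)(char *page);
/* Fetch 1: bytes needed for @"...", counting '@' and both quotes; 0 if malformed. */
static size_t measure_quoted(const char *p) {
    if (p[0] != '@' || p[1] != '"') return 0;
    for (size_t i = 2; i < PAGE; i++)
        if (p[i] == '"') return i + 1;
    return 0;
}

/* Vulnerable pattern: measure on the shared page, then re-read the page while copying
 * to the closing quote. Returns bytes the loop wanted to write (clamped to dst_cap here). */
static size_t copy_double_fetch(char *page, race_hook_t racer, char *dst, size_t dst_cap) {
    size_t alloc = measure_quoted(page), n = 0;
    if (!alloc) return 0;
    if (racer) racer(page);            /* sender rewrites the page between the two fetches */
    for (size_t i = 0; i < PAGE; i++) {
        if (n < dst_cap) dst[n] = page[i];
        n++;
        if (i >= 2 && page[i] == '"') break;
    }
    return n;                          /* n > alloc: the unclamped original would overflow */
}

/* Hardened pattern: fetch the page once into private memory, parse only that copy,
 * and bound the final copy by the length measured on the same copy. */
static size_t copy_snapshot(char *page, race_hook_t racer, char *dst, size_t dst_cap) {
    char local[PAGE];
    memcpy(local, page, PAGE);         /* the single fetch */
    size_t alloc = measure_quoted(local);
    if (!alloc || alloc > dst_cap) return 0;
    if (racer) racer(page);            /* too late: the receiver no longer reads the page */
    memcpy(dst, local, alloc);
    return alloc;
}

/* Constructed racing sender: swaps the 7-byte string for the long one in the text. */
static void racing_sender(char *page) {
    memset(page, 0, PAGE);
    memcpy(page, "@\"ABCDOVERFLOW_OVERFLOW_OVERFLOW\"", 33);
}

/* Runs one receiver against the racing sender on a page holding @"ABCD" and returns
 * how many bytes it copied: 7 for the snapshot receiver, 33 for the double fetch. */
size_t bytes_copied(int hardened) {
    char page[PAGE] = "@\"ABCD\"", dst[7];
    return hardened ? copy_snapshot(page, racing_sender, dst, sizeof dst)
                    : copy_double_fetch(page, racing_sender, dst, sizeof dst);
}
```

The 33 returned by the double-fetch receiver is the number of bytes the unclamped original would have written into its 7-byte allocation.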
The function Triple_Fetch attacks is CoreFoundation.___NSMS1(). This function reads the malicious string we construct several times; if the string is modified three times in the gaps between those reads, each read sees a different string, the function's checks are misled, an overflow results, and the pc can be controlled. This is where the name Triple_Fetch comes from. The following figure shows the three different string contents used in the attack:

[figure]

The NSXPC service chosen for the attack is "com.apple.CoreAuthentication.daemon", whose binary is /System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd. It was chosen because this process runs as root and can call the processor_set_tasks() API to obtain send rights for the task ports of other processes on the system [3]. The crash report after gaining control of the pc is shown below:

[figure]

0x02 Triple_Fetch JOP, ROP and arbitrary code execution

Although Triple_Fetch gives control of the pc, it does not give control of the stack, so a stack pivot is needed. Fortunately, the x0 register points to an xpc_uuid object whose contents we control:

[figure]

Therefore we use JOP to jump to the _longjmp function and let it perform the stack pivot, which gives us control of the stack:

[figure]

[figure]

The forged xpc_uuid object that is finally sent to perform the JOP has the following layout:

[figure]

With the stack under control it is easy to write the ROP chain. Beer's goal, however, is not only to run ROP but also to obtain the target process's task port and execute arbitrary binaries, so in addition to the exploit message the attacking side also sends 0x1000 ports with send rights to the target process via mach msg:

[figure]

The location and contents of these ports within the mach msg in memory are as follows; their msgh_id is 0x12344321:

[figure]

The exploit then uses ROP to walk through these ports and send them back to the sender:

[figure]

The attacking side then receives the mach msg; if a message with msgh_id 0x12344321 arrives, it means the target process's task port has been obtained:

[figure]

Once the task port has been obtained, the sploit() function is finished and do_post_exploit() begins. do_post_exploit() also does a lot of work. The first step is to use coreauthd's task port together with processor_set_tasks() to obtain the task ports of all processes. How is this done? With coreauthd's task port, the mach_vm_* APIs can be used to modify coreauthd's memory and registers arbitrarily, so we allocate a region of memory to serve as a stack, point sp at it, and point pc at the address of the function we want to execute, which lets the target process execute any function. The concrete implementation is in call_remote():
