myhack58 · 佚名 (Anonymous) · MYHACK58:62201995900
History: Sep 09, 2019 - 12:00 a.m.

In-depth exploration of an in-the-wild iOS exploit chain - Vulnerability Alert - Black Bar Security Net (myhack58)

2019-09-09 00:00:00 · 佚名 (Anonymous) · www.myhack58.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Series Foreword
Part of Project Zero's mission is the analysis of 0-day vulnerabilities. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of driving structural security improvements in popular systems to help protect end users everywhere.
Earlier this year, Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The attackers were using these compromised sites to launch indiscriminate watering-hole attacks against their visitors, using iPhone 0-day vulnerabilities.
These attacks had no specific target: simply visiting a compromised site was enough for the device to be attacked, and if the attack succeeded, a malicious monitoring implant was installed. We estimate that each of these sites receives thousands of visitors per week.
TAG collected five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicates that a malicious group has made a sustained effort to attack the iPhone users of certain communities over a period of at least two years.
We will investigate the root causes of the vulnerabilities and draw some conclusions about Apple's software development lifecycle. We want to stress that the root causes highlighted here are not novel and are often overlooked: in the code we found cases that appear never to have worked, that seem to have had no proper quality control, and that likely received little testing or review before release.
![](/Article/UploadPic/2019-9/201999171013320.png)
Working with TAG, we identified a total of 14 vulnerabilities across the five exploit chains: 7 in the iPhone's web browser, 5 in the kernel, and 2 separate sandbox escapes. Our analysis found that at least one of the privilege escalation chains was still a 0-day, with no patch available when it was discovered (CVE-2019-7287 and CVE-2019-7286). We reported these issues to Apple on February 1, 2019 with a 7-day deadline, and on February 7 Apple released the iOS 12.1.4 update. We also shared further details with Apple, which were disclosed publicly on February 7, 2019.
Now, after several months of careful, almost byte-by-byte analysis of each exploit chain, we can share a real-world case study of iPhone exploit chains in use.
This series of articles will include:
(1) a detailed analysis of the five privilege escalation exploit chains;
(2) a detailed analysis of the implant used by the attackers, including a demonstration of the implant running on our own test device, reverse engineering of its command-and-control (C2) communication, and a look at its capabilities, such as stealing iMessages, photos, GPS location and other personal data;
(3) an analysis, with our colleague Samuel Groß, of the browser vulnerabilities used as the initial entry point. Our analysis is undoubtedly a blow to the attackers. However, it covers only the malicious activity we were able to observe; almost certainly there are other malicious activities yet to be discovered.
We recommend that end users make risk decisions based on the actual security situation of these devices. The reality is that if you become the target of an attack, security protections will never completely eliminate the risk. An attacker may launch attacks against a geographic region or against an ethnic group, and anyone may become a target. Users should be aware that mass exploitation still exists; although mobile devices have become an integral part of modern life, everyone should also be aware that these devices can be attacked, and that every action on them may be uploaded to a database and abused by an attacker.
I hope to encourage broad discussion of exploitation, rather than a focus on the so-called "million dollar bugs" and on how to find the next potential "million dollar vulnerability". I will not discuss whether these vulnerabilities are worth one million or many millions; the analysis below does not reflect their economic value. Instead, I suggest setting that point aside and focusing on discovering and closely monitoring an attacker's complete exploitation activity as quickly as possible.
This series consists of 7 articles: the first 5 analyze the 5 iOS exploit chains in detail, the 6th analyzes the JSC exploits, and the 7th is a detailed analysis of the malicious implant. Stay tuned.

Overview of this article
During the analysis of the exploits, we found evidence that these exploit chains were probably written at the same time as the iOS versions they support. That is, the exploitation techniques used by the attacker indicate that this exploit was written in the iOS 10 era, which shows that the malicious group has had the capability to fully compromise iPhones for at least the past two years.
This is the third article of the series. Of the five exploit chains we found in total, this chain uses just a single kernel vulnerability that is reachable directly from the Safari sandbox.

iOS exploit chain #1: AGXAllocationList2::initWithSharedResourceList heap overflow
We begin with the earliest exploit chain we discovered. It targets iOS 10.0.1 through 10.1.1 and appears to have been in use since September 2016.
Attack target: iPhone 5s to iPhone 7, running iOS 10.0.1 – 10.1.1
Supported devices:
iPhone6,1 (5s, N51AP)
iPhone6,2 (5s, N53AP)
iPhone7,1 (6 Plus, N56AP)
iPhone7,2 (6, N61AP)
iPhone8,1 (6s, N71AP)
iPhone8,2 (6s Plus, N66AP)
iPhone8,4 (SE, N69AP)
iPhone9,1 (7, D10AP)
iPhone9,2 (7 Plus, D11AP)
iPhone9,3 (7, D101AP)
iPhone9,4 (7 Plus, D111AP)
The supported builds differ slightly per platform:
iPhone6,x / iPhone7,x / iPhone8,x:
14A403 (10.0.1 – September 13, 2016), the first public release of iOS 10
14A456 (10.0.2 – September 23, 2016)
14B72 (10.1 – October 24, 2016)
14B100 (10.1.1 – October 31, 2016)
14B150 (10.1.1 – November 9, 2016)
iPhone9,x:
14A403 (10.0.1 – September 13, 2016)
14A456 (10.0.2 – September 23, 2016)
14A551 (10.0.3 – October 17, 2016), an iPhone 7-only release that fixed cellular connectivity problems
14B72c (10.1 – October 24, 2016)
14B100 (10.1.1 – October 31, 2016)
14B150 (10.1.1 – November 9, 2016)
The first unsupported version: 10.2 – December 12, 2016

The first kernel vulnerability
The first kernel vulnerability is a heap overflow in the function AGXAllocationList2::initWithSharedResourceList, which is part of the com.apple.AGX kext, the iPhone's embedded GPU driver. The vulnerability can be triggered from inside the WebContent sandbox, so no separate sandbox escape is needed.
AGXAllocationList2::initWithSharedResourceList is a C++ virtual member function that takes two arguments: a pointer to an IOAccelShared2 object and a pointer to an IOAccelSegmentResourceListHeader object. The resource list header points into memory shared with userspace, so its contents are entirely under the attacker's control. The problem lies in the code that parses the resource list structure. The structure is as follows:
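The rest of this section is not reproduced on this page, so the following is an added illustration, not the AGX driver's code and not the write-up's own: it shows the defensive pattern that a parser of a client-writable resource list needs, namely fetching the count from shared memory exactly once, bounding it before it is used as a size or a loop limit, and checking that the declared entries actually fit inside the mapping the driver created. The toy header layout, the TOY_* names, toy_parse_list, toy_write_sample and the sample ids are all constructed for this example and do not reproduce the real IOAccelSegmentResourceListHeader layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy layout constructed for this example (NOT IOAccelSegmentResourceListHeader):
 * a 32-bit count word followed by that many 32-bit resource ids, all of it
 * living in memory that the untrusted client can rewrite at any moment. */
#define TOY_MAX_ENTRIES 16u

typedef struct {
    uint32_t ids[TOY_MAX_ENTRIES];  /* fixed-size kernel-side destination */
    uint32_t count;
} toy_allocation_list;

enum {
    TOY_OK            =  0,
    TOY_ERR_TOO_SHORT = -1,  /* mapping cannot even hold the count word */
    TOY_ERR_TOO_MANY  = -2,  /* declared count exceeds the destination */
    TOY_ERR_TRUNCATED = -3   /* declared count exceeds the mapping */
};

/* Parse a client-written list into a kernel-owned buffer.
 * shared_bytes must be the size of the mapping the driver established itself,
 * never a length read back out of the shared region. */
int toy_parse_list(const uint8_t *shared, size_t shared_bytes,
                   toy_allocation_list *out)
{
    uint32_t count;

    if (shared_bytes < sizeof count)
        return TOY_ERR_TOO_SHORT;

    /* Fetch the count exactly once into a local the client cannot touch.
     * Re-reading the header word later (once to size an allocation, again as
     * the copy-loop bound) would let a racing client change it in between:
     * the classic double fetch on shared memory. */
    memcpy(&count, shared, sizeof count);

    /* Bound the count before using it as a size or loop limit. With
     * count <= 16 the multiplication below cannot overflow. */
    if (count > TOY_MAX_ENTRIES)
        return TOY_ERR_TOO_MANY;
    if ((size_t)count * sizeof(uint32_t) > shared_bytes - sizeof count)
        return TOY_ERR_TRUNCATED;

    memcpy(out->ids, shared + sizeof count, (size_t)count * sizeof(uint32_t));
    out->count = count;
    return TOY_OK;
}

/* Build a constructed sample region: writes `declared` as the count word and
 * then n_ids ids. `declared` need not match n_ids, which is exactly how an
 * untrusted client would lie. Returns bytes written, or 0 if cap is too small. */
size_t toy_write_sample(uint8_t *buf, size_t cap, uint32_t declared,
                        const uint32_t *ids, size_t n_ids)
{
    size_t need = sizeof declared + n_ids * sizeof(uint32_t);
    if (cap < need)
        return 0;
    memcpy(buf, &declared, sizeof declared);
    for (size_t i = 0; i < n_ids; i++)
        memcpy(buf + sizeof declared + i * sizeof(uint32_t), &ids[i], sizeof(uint32_t));
    return need;
}

int main(void)
{
    const uint32_t ids[4] = {10, 20, 30, 40};  /* constructed sample ids */
    uint8_t region[64];
    toy_allocation_list list;
    size_t len;
    int rc;

    /* Honest client: the count matches the data behind it. */
    len = toy_write_sample(region, sizeof region, 4, ids, 4);
    rc = toy_parse_list(region, len, &list);
    printf("honest: rc=%d count=%u\n", rc, list.count);

    /* Lying client: a count of 1000 with only 4 ids mapped. */
    len = toy_write_sample(region, sizeof region, 1000, ids, 4);
    printf("oversized: rc=%d\n", toy_parse_list(region, len, &list));

    /* Count of 8 fits the destination but exceeds the 4 ids actually mapped. */
    len = toy_write_sample(region, sizeof region, 8, ids, 4);
    printf("truncated: rc=%d\n", toy_parse_list(region, len, &list));
    return 0;
}
```

The two checks are deliberately separate: the first protects the kernel-side destination from a count larger than it can hold, the second protects the read from running off the end of the mapping, and both operate on the single local copy of the count rather than on the shared word the client still controls.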
