In-depth exploration of an in-the-wild iOS exploit chain III - vulnerability warning - the black bar safety net

ID MYHACK58:62201995969
Type myhack58
Reporter 佚名
Modified 2019-09-12T00:00:00


Overview

This exploit chain targets iOS 11 through 11.4.1, spanning nearly 10 months. It is the first time we have observed a separate sandbox escape exploit chain. The sandbox escape vulnerability is a more serious security problem in libxpc, introduced by a refactor. We find it difficult to understand how such a vulnerability could make it into a core IPC library shipped to end users. Although this kind of vulnerability is very common in software development, unit testing, code auditing or fuzzing would easily have found such a serious problem. Unfortunately, in this case the attacker was the first to discover it, as I describe in detail below.

In-the-wild iOS exploit chain 3: XPC + VXD393/D5500 repeated IOFree

Attack target: iPhone 5s – iPhone X, versions from 11.0 to 11.4

Devices:
iPhone6,1 (5s, N51AP)
iPhone6,2 (5s, N53AP)
iPhone7,1 (6 plus, N56AP)
iPhone7,2 (6, N61AP)
iPhone8,1 (6s, N71AP)
iPhone8,2 (6s plus, N66AP)
iPhone8,4 (SE, N69AP)
iPhone9,1 (7, D10AP)
iPhone9,2 (7 plus, D11AP)
iPhone9,3 (7, D101AP)
iPhone9,4 (7 plus, D111AP)
iPhone10,1 (8, D20AP)
iPhone10,2 (8 plus, D21AP)
iPhone10,3 (X, D22AP)
iPhone10,4 (8, D201AP)
iPhone10,5 (8 plus, D211AP)
iPhone10,6 (X, D221AP)

Versions:
15A372 (11.0 – 2017-09-19)
15A402 (11.0.1 – 2017-09-26)
15A403 (11.0.2 – 2017-09-26 – appears to be only for the 8/8 plus, which did not get 15A402)
15A421 (11.0.2 – 2017-10-03)
15A432 (11.0.3 – 2017-10-11)
15B93 (11.1 – 2017-10-31)
15B150 (11.1.1 – 2017-11-09)
15B202 (11.1.2 – 2017-11-16)
15C114 (11.2 – 2017-12-02)
15C153 (11.2.1 – 2017-12-13)
15C202 (11.2.2 – 2018-01-08)
15D60 (11.2.5 – 2018-01-23)
15D100 (11.2.6 – 2018-02-19)
15E216 (11.3 – 2018-03-29)
15E302 (11.3.1 – 2018-04-24)
15F79 (11.4 – 2018-05-29)

First unsupported version: 11.4.1 – 2018-07-09

Binary structure

Starting with the third exploit chain, the privesc binary has a different structure. Instead of letting the system loader link the required symbols, it resolves every required symbol itself with dlsym; the address of dlsym is passed in by the JSC exploit. The following is a fragment from the start of the symbol-resolution function:

syscall = dlsym(RTLD_DEFAULT, "syscall");
memcpy = dlsym(RTLD_DEFAULT, "memcpy");
memset = dlsym(RTLD_DEFAULT, "memset");
mach_msg = dlsym(RTLD_DEFAULT, "mach_msg");
stat = dlsym(RTLD_DEFAULT, "stat");
open = dlsym(RTLD_DEFAULT, "open");
read = dlsym(RTLD_DEFAULT, "read");
close = dlsym(RTLD_DEFAULT, "close");
...

Interestingly, this appears to be an over-inclusive list: many of the symbols are never used. I list them in Appendix A and guess that the attacker may have used this framework for earlier versions of the exploit.

Checking whether the device has already been attacked

Once PE2, the kernel exploit, has run successfully, the system is modified in a way that can be observed from inside the sandbox. Here the attacker adds the string "iop114" to the device's bootargs, which are read from inside the WebContent sandbox via the kern.bootargs sysctl:

sysctlbyname("kern.bootargs", bootargs, &v7, 0LL, 0LL);
if (strcmp(bootargs, "iop114")) {
  syslog(0, "to sleep ...");
  while (1)
    sleep(1000);
}

XPC unchecked array indexing

XPC (which may stand for Cross Process Communication) is an IPC mechanism that uses mach messages as its transport layer. It was introduced in 2011 with iOS 5. An XPC message is a serialized object tree, usually with a dictionary at the root. XPC also provides functionality for publishing and managing named services, and newer IPC services are often built on XPC rather than on the traditional MIG system. XPC is used as a security boundary: at Apple's 2011 Worldwide Developers Conference (WWDC) Apple specifically presented the isolation advantage of XPC, "if the service is exploited there is almost no impact", and its ability to "minimize the attack impact". Unfortunately, XPC has a history of vulnerabilities, both in the core library and in the processes that use the API. For details see the following P0 issues: 80, 92, 121, 130, 1247, 1713. Core XPC vulnerabilities are very powerful, because they allow an attacker to target any process that uses XPC. This particular vulnerability appears to have been introduced by some refactoring in iOS 11, in what looks like a "fast path" in the XPC code for parsing a serialized xpc dictionary object. The old version of the code is as follows:

struct _context {
  xpc_dictionary* dict;
  char* target_key;
  xpc_serializer* result;
  int* found;
};

int64 _xpc_dictionary_look_up_wire_apply(char* current_key,
                                         xpc_serializer* serializer,
                                         struct _context* context) {
  if (!current_key)
    return 0;
  if (strcmp(context->target_key, current_key))
    return _skip_value(serializer);
  // key matches; the result is the current state of the serializer
  memcpy(context->result, serializer, 0xB0);
  *(context->found) = 1;
  return 0;
}

An xpc_serializer object wraps the raw, not yet parsed XPC message; the xpc_serializer type is responsible for serialization and deserialization. The following is an example of a serialized XPC message:
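As an added example (not the page's code and not Apple's libxpc), the lookup pattern above modelled on a constructed toy wire format: each declared length is checked against the remaining buffer before the bytes are indexed, so a truncated message is rejected instead of read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy wire format, NOT real XPC: a sequence of entries, each
 * encoded as u8 key_len, key bytes, u8 val_len, val bytes. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} serializer_t;

/* Read one length-prefixed blob. Returns 0, or -1 if the declared length
 * would run past the end of the buffer (checked before any indexing). */
static int read_blob(serializer_t *s, const uint8_t **out, size_t *out_len) {
    if (s->pos >= s->len) return -1;
    size_t n = s->buf[s->pos++];
    if (n > s->len - s->pos) return -1;
    *out = s->buf + s->pos;
    *out_len = n;
    s->pos += n;
    return 0;
}

/* Walk the dictionary looking for target_key, skipping the value of every
 * non-matching key as _skip_value does above. Returns the offset of the
 * matching entry's value (the serializer state at the match), -1 if the key
 * is absent, -2 if the message is malformed. */
long dict_look_up_wire(const uint8_t *buf, size_t len, const char *target_key) {
    serializer_t s = { buf, len, 0 };
    size_t klen = strlen(target_key);
    while (s.pos < s.len) {
        const uint8_t *key, *val;
        size_t key_len, val_len;
        if (read_blob(&s, &key, &key_len) != 0) return -2;  /* truncated key */
        if (key_len == klen && memcmp(key, target_key, klen) == 0)
            return (long)s.pos;                             /* found */
        if (read_blob(&s, &val, &val_len) != 0) return -2;  /* truncated value */
    }
    return -1;
}

/* Constructed sample messages: {"a":"x","key":"hi"}, and a truncated one
 * whose first key claims 5 bytes when only 2 follow. */
const uint8_t sample_msg[] = { 1,'a', 1,'x', 3,'k','e','y', 2,'h','i' };
const size_t sample_msg_len = sizeof sample_msg;
const uint8_t sample_truncated[] = { 5,'a','b' };
const size_t sample_truncated_len = sizeof sample_truncated;
```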
