MYHACK58:62201996007
Published: Sep 16, 2019 - 12:00 a.m.

In-depth exploration of in-the-wild iOS exploit chain #5 – vulnerability warning – Black Bar Safety Net (myhack58)

2019-09-16 00:00:00
佚名 (anonymous)
www.myhack58.com

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

The vulnerability behind this exploit chain was found independently by three different teams: the attackers' own organization, Brandon Azad of Project Zero, and @S0rryMybad of 360 Security.
On November 17, 2018, @S0rryMybad exploited this vulnerability in the Tianfu Cup PWN contest and won the 20 million dollar prize. Brandon Azad independently discovered the same vulnerability on December 6, 2018 and reported it to Apple. Apple fixed the problem on January 22, 2019, and the iOS 12.1.4 release notes credit @S0rryMybad and Brandon for the fix of CVE-2019-6225. The vulnerability was even named the best elevation-of-privilege vulnerability at Black Hat 2019.
But why, when the attackers already had a working iOS exploit chain (#4) containing a 0-day that was only reported to Apple in February 2019, would they temporarily abandon that chain in favour of a new one? We speculate that it may be because this chain is more reliable: it uses a single vulnerability rather than a combination of vulnerabilities, and it also avoids the inherent flaws of the thread-reallocation technique that exploit chain #4 relies on for its sandbox escape.
More important, however, is the nature of the vulnerability itself. In 2014, Apple added an unfinished implementation of a new feature called "vouchers". This new code concerned a new system call, technically a MIG method on the task port, and as far as I know this code path had never been exercised before. To be clear: if there had been a single test that invoked this system call with the expected parameters, it would have thrown a kernel error, a kernel panic. If any Apple developer had tried to use this feature during those four years, their phone would have crashed immediately and they would have found the problem.
In this detailed article we describe how an attacker could use this vulnerability to install a malicious implant and monitor the user's activity on the device. My next article will analyze the implant itself, including its command and control and a demonstration of its monitoring capabilities.

In-the-wild iOS exploit chain #5 – task_swap_mach_voucher
Targets: iPhone 5s through iPhone X, iOS 11.4.1 through 12.1.2.
First unsupported version: 12.1.3 – January 22, 2019

Supported devices:
    iPhone6,1 (5s, N51AP)
    iPhone6,2 (5s, N53AP)
    iPhone7,1 (6 plus, N56AP)
    iPhone7,2 (6, N61AP)
    iPhone8,1 (6s, N71AP)
    iPhone8,2 (6s plus, N66AP)
    iPhone8,4 (SE, N69AP)
    iPhone9,1 (7, D10AP)
    iPhone9,2 (7 plus, D11AP)
    iPhone9,3 (7, D101AP)
    iPhone9,4 (7 plus, D111AP)
    iPhone10,1 (8, D20AP)
    iPhone10,2 (8 plus, D21AP)
    iPhone10,3 (X, D22AP)
    iPhone10,4 (8, D201AP)
    iPhone10,5 (8 plus, D211AP)
    iPhone10,6 (X, D221AP)

Supported builds:
    15G77 (11.4.1 – July 9, 2018)
    16A366 (12.0 – September 17, 2018)
    16A404 (12.0.1 – October 8, 2018)
    16B92 (12.1 – October 30, 2018)
    16C50 (12.1.1 – December 5, 2018)
    16C10 (12.1.2 – December 17, 2018)

The vouchers feature
Vouchers were introduced in 2014 with iOS 8. The voucher code appears to have been written into the operating system but never fully implemented; the vulnerability is in the following code:
    /* Placeholders for the task set/get voucher interfaces */
    kern_return_t
    task_get_mach_voucher(
        task_t                  task,
        mach_voucher_selector_t __unused which,
        ipc_voucher_t           *voucher)
    {
        if (TASK_NULL == task)
            return KERN_INVALID_TASK;

        *voucher = NULL;
        return KERN_SUCCESS;
    }

    kern_return_t
    task_set_mach_voucher(
        task_t                  task,
        ipc_voucher_t           __unused voucher)
    {
        if (TASK_NULL == task)
            return KERN_INVALID_TASK;

        return KERN_SUCCESS;
    }

    kern_return_t
    task_swap_mach_voucher(
        task_t                  task,
        ipc_voucher_t           new_voucher,
        ipc_voucher_t           *in_out_old_voucher)
    {
        if (TASK_NULL == task)
            return KERN_INVALID_TASK;

        /* new_voucher is handed back through the inout parameter without
         * taking a reference on it, and the incoming old voucher is never
         * released; the MIG stub that calls this routine assumes neither. */
        *in_out_old_voucher = new_voucher;
        return KERN_SUCCESS;
    }
Some readers may not immediately spot the vulnerability in this snippet, and that is entirely normal. The vulnerability had sat in the code base since 2014, reachable from inside any sandbox on every iPhone. Anyone who tried to use this code by calling task_swap_mach_voucher with a valid voucher would have triggered it. It is almost certain that in those four years, although the vulnerability was reachable from any sandbox, no real code ever called task_swap_mach_voucher.
This feature was most likely never called at all, whether in development, testing, QA or production, because the moment anyone tested it the kernel would panic and the device would be forced to reboot. We can only assume that this code passed code review, testing and QA. task_swap_mach_voucher is a MIG method on the kernel task port, and the iOS sandbox cannot disable it, which further raises the threat level of the vulnerability.
To understand why there is an actual vulnerability here, we need an in-depth look at the MIG auto-generated code that calls task_swap_mach_voucher. The MIG definition of task_swap_mach_voucher is as follows:
    routine task_swap_mach_voucher(
                task        : task_t;
                new_voucher : ipc_voucher_t;
        inout   old_voucher : ipc_voucher_t);
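The following C program is an added, constructed model, not code from this article and not XNU source. It replays the reference-count conventions that the MIG-generated stub follows around this routine, as Project Zero's analysis of the bug lays them out (assumed here rather than copied from the kernel): the stub takes one reference when it converts each incoming port to a voucher, releases its reference on new_voucher after the call, and converting the returned old voucher back into a port consumes one reference (when a port already names that voucher, the consumed reference is simply dropped). Run against the placeholder as shipped, the model shows new_voucher's count driven to zero while the caller's port still names it, and the old voucher's reference leaked; a reference-correct variant (an assumption for contrast, not Apple's actual patch) leaves both counts balanced. The names model_*, simulate_swap and swap_result_t are the example's own.

```c
#include <stdio.h>

/* Constructed model (added example, not XNU code) of a reference-counted
 * voucher object. A real ipc_voucher has far more state; only the reference
 * count matters for this bug. */
typedef struct voucher {
    int refs;     /* live reference count */
    int freed;    /* set once refs reaches zero: any later use is a use-after-free */
    int has_port; /* a user-held send right already names this voucher */
} voucher_t;

typedef int (*swap_impl_t)(voucher_t *new_v, voucher_t **in_out_old);

/* Stand-in for convert_port_to_voucher(): the stub takes its own reference. */
static voucher_t *model_port_to_voucher(voucher_t *v)
{
    if (v != NULL && !v->freed)
        v->refs++;
    return v;
}

/* Stand-in for ipc_voucher_release(): drop one reference, free at zero. */
static void model_voucher_release(voucher_t *v)
{
    if (v == NULL || v->freed)
        return;
    if (--v->refs == 0)
        v->freed = 1;
}

/* Stand-in for convert_voucher_to_port(): consumes one reference. When a port
 * already names the voucher, that port keeps its own reference, so the
 * consumed one is simply dropped. */
static void model_voucher_to_port(voucher_t *v)
{
    if (v == NULL)
        return;
    if (v->has_port)
        model_voucher_release(v);
    else
        v->has_port = 1; /* a fresh port takes ownership of the reference */
}

/* The placeholder as shipped: returns new_v through the inout parameter
 * without retaining it and without releasing the incoming old voucher. */
static int swap_as_shipped(voucher_t *new_v, voucher_t **in_out_old)
{
    *in_out_old = new_v;
    return 0;
}

/* A reference-correct variant, assumed here for contrast (not Apple's patch):
 * retain what is handed back, release what was handed in. */
static int swap_ref_correct(voucher_t *new_v, voucher_t **in_out_old)
{
    if (new_v != NULL)
        new_v->refs++;                  /* the out parameter now owns a reference */
    model_voucher_release(*in_out_old); /* the stub's reference on the old voucher */
    *in_out_old = new_v;
    return 0;
}

/* Reference counts left behind after one swap, as seen by the user who still
 * holds a port to each voucher. */
typedef struct {
    int new_refs;  /* references on the voucher passed as new_voucher */
    int new_freed; /* 1 if that voucher was freed while the user's port still names it */
    int old_refs;  /* references on the voucher passed as old_voucher */
} swap_result_t;

/* Replays the MIG stub around one call: convert both ports to vouchers, call
 * the implementation, release new_voucher, convert the returned old voucher
 * back into a port. Each voucher starts with exactly one reference, held by
 * the user's port. */
static swap_result_t simulate_swap(swap_impl_t impl)
{
    voucher_t user_new = { 1, 0, 1 };
    voucher_t user_old = { 1, 0, 1 };
    voucher_t *new_v = model_port_to_voucher(&user_new);
    voucher_t *old_v = model_port_to_voucher(&user_old);
    impl(new_v, &old_v);
    model_voucher_release(new_v);
    model_voucher_to_port(old_v);
    swap_result_t r = { user_new.refs, user_new.freed, user_old.refs };
    return r;
}

int main(void)
{
    swap_result_t shipped = simulate_swap(swap_as_shipped);
    swap_result_t fixed = simulate_swap(swap_ref_correct);
    printf("as shipped : new_voucher refs=%d freed=%d, old_voucher refs=%d (leaked)\n",
           shipped.new_refs, shipped.new_freed, shipped.old_refs);
    printf("ref-correct: new_voucher refs=%d freed=%d, old_voucher refs=%d\n",
           fixed.new_refs, fixed.new_freed, fixed.old_refs);
    return 0;
}
```

The point of the model is the ownership contract at the MIG boundary: for an inout parameter the stub both releases what it passed in and consumes what it gets back, so an implementation that returns its input without retaining it is one reference short, and an implementation that overwrites the inout slot without releasing the old object leaks one. Reviewing every kernel routine that MIG wraps against that contract is the check that would have caught this placeholder.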
