o Security researcher at Lookout
o iOS/tvOS/WatchOS jailbreak author
o Lead researcher on Pegasus exploit chain
o Focused on software and hardware exploitation
code execution
o Leak kernel base
o Dump whole kernel (for encrypted kernels)
o Find gadgets and set up primitives
o Disable security restrictions
o Run ssh client on a watch
CVE-2016-4680
o Object constructor missing bounds checking
o OSNumber object with a high number of bits
o Object length used to copy value from stack
o Kernel stack memory leaked
o Can be triggered from an app's sandbox
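The bug class on this slide, as an added example that is not from the talk or from XNU: a simplified model in which a number object stores a caller-supplied bit count and the serializer copies bits/8 bytes from the 8-byte temporary holding the value. The struct, function names and the 32-byte "frame" standing in for the stack are all constructed for the example; the hardened constructor shows the missing check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of an OSNumber-like object (constructed for this example, not XNU code):
 * the serialized width comes from a caller-supplied bit count. */
typedef struct { uint64_t value; uint32_t bits; } model_number_t;

/* Vulnerable pattern: bits is stored with no bounds check. */
static bool number_init_unchecked(model_number_t *n, uint64_t value, uint32_t bits) {
    n->value = value; n->bits = bits;
    return true;
}

/* Hardened pattern: the value is 64 bits wide, so wider requests are rejected. */
static bool number_init_checked(model_number_t *n, uint64_t value, uint32_t bits) {
    if (bits == 0 || bits > 8 * sizeof(n->value)) return false;
    n->value = value; n->bits = bits;
    return true;
}

/* 'frame' stands in for the stack around the 8-byte temporary holding the value
 * (value at offset 0, unrelated locals after it). The serializer copies bits/8
 * bytes from it, so an oversized bit count carries neighbouring frame bytes out. */
static int number_serialize(const model_number_t *n, const uint8_t *frame, size_t frame_len,
                            uint8_t *out, size_t out_len) {
    size_t len = n->bits / 8;
    if (len > frame_len || len > out_len) return -1;   /* bound of the model only */
    memcpy(out, frame, len);
    return (int)len;
}

/* Runs the model end to end and returns how many bytes beyond the value were
 * copied out (0 = no leak), or -1 if the constructor or the copy bound rejected it. */
static int leaked_bytes_for(uint32_t bits, bool use_checked) {
    uint8_t frame[32], out[32];
    uint64_t value = 0x1122334455667788ULL;        /* constructed sample value */
    memset(frame, 0xAA, sizeof frame);             /* 0xAA marks 'other locals' */
    memcpy(frame, &value, sizeof value);
    model_number_t n;
    bool ok = use_checked ? number_init_checked(&n, value, bits)
                          : number_init_unchecked(&n, value, bits);
    if (!ok) return -1;
    int len = number_serialize(&n, frame, sizeof frame, out, sizeof out);
    if (len < 0) return -1;
    return len > (int)sizeof value ? len - (int)sizeof value : 0;
}
```

With the unchecked constructor a 256-bit request serializes 32 bytes, 24 of them from beyond the value; the checked constructor refuses the same request and a 64-bit one leaks nothing.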
OSUnserializeBinary
o OSString object deallocated
o retain() called on deallocated object
o Fake object with fake vtable -> code exec
o Can be triggered from an app's sandbox
Dumping WatchOS 2.x kernel
o No decryption keys for WatchOS kernels
o Idea: read kernel as OSString chunks
o vtable offset required to fake OSString
o vtable stored in __DATA.__const in kernel
can control pointer to vtable
o Use address to leak as vtable address
o vtable will be dereferenced by retain() call
o Kernel will crash, but saves a panic log
o Address content appears in register state
address to leak as fake vtable address
o Watch will crash, wait until it restores
o ssh to an iPhone and run synchronization service
o Copy panic from Watch to iPhone and to Mac
o Parse panic, read 4 bytes and disassemble
o Update address with 4-byte delta and upload app
o Repeat
Now use fake OSString obj to read kernel
o Read data via IORegistryEntryGetProperty
o Leak kernel header, calculate kernel size
o Dump full kernel to userland by chunks
not encrypted now
o No need to dump and symbolicate anymore
o New heap layout, some AMFI fixes
o More sandbox restrictions
o Vulnerable to CVE-2017-2370
o Usermode pointer is used as copyin size arg
o We can corrupt mach message to get kernel RW
o Allocate userclient and read obj vtable -> KASLR
o Can be triggered from an app's sandbox
Or save kernel self in task bootstrap port
o Read it back via task_get_special_port()
o Restore original bootstrap port value
client for ARMv7k
o Compile basic tools package for ARMv7k
o More restricted sandbox than iOS
o Null out WatchOS-specific sandbox ops
connected to 2.4GHz WiFi
o Can be a little bit tricky but it works
o iPhone is not involved at all
o Just leak address and connect
system functions
o Catch data on sync with an iPhone
o Call recordings
o Create tweaks for a watch
o Run frida and radare