
Project Zero
News and updates from the Project Zero team at Google

Thursday, August 29, 2019

In-the-wild iOS Exploit Chain 1

Posted by Ian Beer, Project Zero

TL;DR

This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.

This is one of the three chains (of five chains total) which exploit only one kernel vulnerability that was directly reachable from the Safari sandbox.

In-the-wild iOS Exploit Chain 1 - AGXAllocationList2::initWithSharedResourceList heap overflow

We'll look first at the earliest chain we found. This targets iOS 10.0.1-10.1.1 and has probably been active since September 2016.

targets: 5s through 7, 10.0.1 through 10.1.1

supported version matrix:

iPhone6,1 (5s, N51AP)
iPhone6,2 (5s, N53AP)
iPhone7,1 (6 plus, N56AP)
iPhone7,2 (6, N61AP)
iPhone8,1 (6s, N71AP)
iPhone8,2 (6s plus, N66AP)
iPhone8,4 (SE, N69AP)
iPhone9,1 (7, D10AP)
iPhone9,2 (7 plus, D11AP)
iPhone9,3 (7, D101AP)
iPhone9,4 (7 plus, D111AP)

version support is slightly different between platforms:

iPhone 6,*; 7,*; 8,*:
14A403 (10.0.1 - 13 Sep 2016) this is the first public version of iOS 10
14A456 (10.0.2 - 23 Sep 2016)
14B72 (10.1 - 24 Oct 2016)
14B100 (10.1.1 - 31 Oct 2016)
14B150 (10.1.1 - 9 Nov 2016)

iPhone 9,*:
14A403 (10.0.1 - 13 Sep 2016)
14A456 (10.0.2 - 23 Sep 2016)
14A551 (10.0.3 - 17 Oct 2016) NOTE: this version was iPhone 7 only ("cellular connectivity problem")
14B72c (10.1 - 24 Oct 2016)
14B100 (10.1.1 - 31 Oct 2016)
14B150 (10.1.1 - 9 Nov 2016)

First unsupported version: 10.2 - 12 December 2016

The first kernel vulnerability

The first kernel vulnerability is a heap overflow in the function AGXAllocationList2::initWithSharedResourceList, part of the com.apple.AGX kext, a driver for the embedded GPU in the iPhone. The vulnerability is reachable from the WebContent sandbox; there is no separate sandbox escape vulnerability.

AGXAllocationList2::initWithSharedResourceList is a C++ virtual member method which takes two arguments, a pointer to an IOAccelShared2 object and a pointer to an IOAccelSegmentResourceListHeader object. That resource list header pointer points to memory which is shared with userspace, and the contents are fully attacker-controlled. The bug lies in the code which parses that resource list structure. The structure is laid out as follows:

There's an 0x18 byte header structure, the last dword of which is a count of the number of following sub-descriptor structures. Each of those sub-descriptor structures is 0x40 bytes, with the last two bytes being a uint16_t count of sub-entries contained in the sub-descriptor.

The sub-descriptor contains two arrays, one of dword resource-id values and one of two-byte flags. They are meant to be seen as pairs, with the first flag matching up with the first resource id.

The driver reads the n_entries value from shared memory and multiplies it by 6 to determine what it believes should be the maximum total number of sub-resources across all the sub-descriptors:

    n_entries = *(_DWORD *)(shmem_ptr + 0x14);   // sub-descriptor count, attacker-controlled
    n_max_subdescriptors = 6 * n_entries;        // assumes at most 6 sub-entries per sub-descriptor

This value is then multiplied by 8, as for each subresource_id they'll store a pointer:

    resources_buf = IOMalloc(8 * n_max_subdescriptors);   // one pointer slot per expected sub-resource

The code then continues on to parse the sub-descriptors:

    n_entries = *(_DWORD *)(shmem_ptr + 0x14);   // second fetch of the same count from shared memory
    ...
    void* resource = NULL;
    size_t total_resources = 0;
    input = (struct input*)shmem_ptr;
    struct sub_desc* desc = &input->descs[0];
    for (i = 0; i < n_entries; i++, desc++) {    // desc++ steps to the next 0x40-byte sub-descriptor
      for (int j = 0; j < desc->n_sub_entries; j++) {   // n_sub_entries is never checked against 6
        int err = IOAccelShared2::lookupResource(ioaccel_shared,
                                                 desc->resource_ids[j],
                                                 &resource);
        if (err) {
          goto fail;
        }

        unsigned short flags = desc->flags[j];

        if (flags_invalid(flags)) {
          goto fail;
        }

        resources_buf[total_resources++] = resource;   // no bounds check against the IOMalloc size
      }
    }

The issue is that the code never validates the assumption that each sub-descriptor has at most 6 sub-entries; there's actually space in the structure for 7 completely controlled resource_id and flag pairs. The code assumes that resources_buf was allocated for the worst case of 6 entries per sub-descriptor, so there are no bounds checks when the loop writes to resources_buf.
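The following C program is an added example, not code from the post or from Apple's driver. It models the resource-list parsing described above in user space: it builds an attacker-controlled list with the header and sub-descriptor layout given in the post, then runs a model of the unchecked loop next to a hardened one. The offsets of the resource-id and flag arrays inside a sub-descriptor, the ids and flags themselves, and the function names are assumptions of this example; the model counts stores instead of performing them, so the overflow is reported rather than corrupting memory. The racing_n_entries parameter rewrites the count between the two fetches that the decompiled code above shows, standing in for another thread changing the shared memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout from the post: 0x18-byte header, count dword at 0x14; 0x40-byte
 * sub-descriptors with a uint16_t sub-entry count in their last two bytes.
 * Where the id and flag arrays sit inside a sub-descriptor is assumed here. */
#define HDR_SIZE          0x18
#define HDR_COUNT_OFF     0x14
#define SUBDESC_SIZE      0x40
#define SUBDESC_IDS_OFF   0x00  /* assumed: 7 x uint32_t resource ids */
#define SUBDESC_FLAGS_OFF 0x1c  /* assumed: 7 x uint16_t flags */
#define SUBDESC_COUNT_OFF 0x3e
#define PAIRS_AVAILABLE   7     /* room in the structure */
#define PAIRS_ASSUMED     6     /* what the driver sizes resources_buf for */

struct parse_result {
    size_t allocated_slots;  /* pointer slots in resources_buf: 6 * n_entries */
    size_t pointers_written; /* stores the unchecked loop performs */
    size_t overflow_slots;   /* stores that land past the allocation */
};

/* Build a resource list with n_entries sub-descriptors; the first `fat` of
 * them claim 7 sub-entries, the rest claim 6. Ids and flags are constructed. */
uint8_t *build_resource_list(uint32_t n_entries, uint32_t fat, size_t *len_out)
{
    size_t len = HDR_SIZE + (size_t)n_entries * SUBDESC_SIZE;
    uint8_t *buf = calloc(1, len);
    if (buf == NULL)
        return NULL;
    memcpy(buf + HDR_COUNT_OFF, &n_entries, sizeof n_entries);
    for (uint32_t i = 0; i < n_entries; i++) {
        uint8_t *desc = buf + HDR_SIZE + (size_t)i * SUBDESC_SIZE;
        uint16_t n_sub = (i < fat) ? PAIRS_AVAILABLE : PAIRS_ASSUMED;
        for (uint16_t j = 0; j < n_sub; j++) {
            uint32_t rid = 0x1000u + i * 16u + j;
            uint16_t flag = 0;
            memcpy(desc + SUBDESC_IDS_OFF + j * 4u, &rid, sizeof rid);
            memcpy(desc + SUBDESC_FLAGS_OFF + j * 2u, &flag, sizeof flag);
        }
        memcpy(desc + SUBDESC_COUNT_OFF, &n_sub, sizeof n_sub);
    }
    *len_out = len;
    return buf;
}

/* Model of the vulnerable loop: resources_buf is sized for 6 pointers per
 * sub-descriptor, then each n_sub_entries is trusted. Stores are counted, not
 * performed. A non-zero racing_n_entries changes the count between fetches. */
struct parse_result parse_vulnerable(uint8_t *shmem, uint32_t racing_n_entries)
{
    struct parse_result r = {0, 0, 0};
    uint32_t n_entries;
    memcpy(&n_entries, shmem + HDR_COUNT_OFF, sizeof n_entries); /* fetch 1 */
    r.allocated_slots = (size_t)PAIRS_ASSUMED * n_entries;       /* IOMalloc */
    if (racing_n_entries != 0)
        memcpy(shmem + HDR_COUNT_OFF, &racing_n_entries, sizeof racing_n_entries);
    memcpy(&n_entries, shmem + HDR_COUNT_OFF, sizeof n_entries); /* fetch 2 */
    const uint8_t *desc = shmem + HDR_SIZE;
    for (uint32_t i = 0; i < n_entries; i++, desc += SUBDESC_SIZE) {
        uint16_t n_sub;
        memcpy(&n_sub, desc + SUBDESC_COUNT_OFF, sizeof n_sub);
        for (uint16_t j = 0; j < n_sub; j++) {
            /* resources_buf[total_resources++] = resource; with no bound */
            if (r.pointers_written >= r.allocated_slots)
                r.overflow_slots++;
            r.pointers_written++;
        }
    }
    return r;
}

/* Hardened parser: one fetch of the count, at most 6 sub-entries per
 * sub-descriptor, bounds check before every store. 0 on success, -1 if rejected. */
int parse_hardened(const uint8_t *shmem, size_t *n_out)
{
    uint32_t n_entries;
    memcpy(&n_entries, shmem + HDR_COUNT_OFF, sizeof n_entries);
    size_t cap = (size_t)PAIRS_ASSUMED * n_entries;
    size_t total = 0;
    const uint8_t *desc = shmem + HDR_SIZE;
    for (uint32_t i = 0; i < n_entries; i++, desc += SUBDESC_SIZE) {
        uint16_t n_sub;
        memcpy(&n_sub, desc + SUBDESC_COUNT_OFF, sizeof n_sub);
        if (n_sub > PAIRS_ASSUMED)
            return -1;
        if (total > cap - n_sub)   /* would run past resources_buf */
            return -1;
        total += n_sub;
    }
    *n_out = total;
    return 0;
}

int main(void)
{
    size_t len, n;
    uint8_t *list = build_resource_list(4, 2, &len); /* two sub-descriptors claim 7 */
    if (list == NULL)
        return 1;
    struct parse_result r = parse_vulnerable(list, 0);
    printf("slots %zu written %zu overflow %zu hardened %d\n", r.allocated_slots,
           r.pointers_written, r.overflow_slots, parse_hardened(list, &n));
    free(list);
    return 0;
}
```

With four sub-descriptors, two of which carry seven pairs, the buffer holds 24 pointers but the loop stores 26, so two IOAccelResource2 pointers would land past the allocation; the hardened parser rejects the same list. The model does not check that n_entries * 0x40 + 0x18 fits inside the mapped shared region; a real parser must validate that against the mapping size before walking the sub-descriptors.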
Since n_entries is completely controlled, the attacker can control the size passed to IOMalloc. They can also control the number of sub-descriptors which contain 7 rather than 6 entries, allowing them to write a controlled number of pointers off the end of the target IOMalloc allocation. Those will be pointers to IOAccelResource2 objects.

Note that the second fetch of n_entries from shared memory isn't a decompiler error; it's really there in the binary:

    fetch 1:
    com.apple.AGX:__text:FFFFFFF006B54800 LDR W8, [X19,#0x14]
    ...
    fetch 2:
    com.apple.AGX:__text:FFFFFFF006B548B4 LDR W8, [X19,#0x14]

This double fetch is not the bug which was exploited; in fact this variant wasn't fixed until iOS 12. See the code in Appendix A for the trigger for this variant. Note that this would have meant that with only minor changes the exploit would have continued to work for years after the initial patch. The variant overflows the same buffer with the same values.

start

All the exploits start by calling task_threads() then thread_terminate() in a loop to stop all other running threads in the WebContent task where the attackers get initial remote code execution.

This first chain uses the system loader to resolve symbols, but they chose not to link against the IOSurface framework which they use, so they call dlopen() to get a handle to the IOSurface.dylib userspace library and resolve two function pointers (IOSurfaceCreate and IOSurfaceGetID) via dlsym().