Exploitations of Uninitialized Uses on macOS Sierra Zhenquan Xu, Gongshen Liu School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University Tielei Wang, Hao Xu PWNZEN InfoTech Co., LTD. Abstract plied to entire modern operating systems. In this paper, we will share our experience of gaining arbitrary kernel An uninitialized use refers to a common coding mistake code execution in the latest macOS Sierra by exploiting where programmers directly use variables on the stack two uninitialized use vulnerabilities in Pwnfest 2016. or the heap before they are initialized. Uninitialized macOS Sierra is the thirteenth major release in ma- uses, although simple, can lead to severe security con- cOS, Apple Inc.’s desktop and server operating system sequences. In this paper, we will share our experience for Macintosh computers. It was released to end users in gaining arbitrary kernel code execution in the latest on September 20, 2016. Pwnfest is a security contest macOS Sierra by exploiting two uninitialized use vul- held on November 10-11, 2016, in Seoul, South Korea nerabilities for Pwnfest 2016. Specifically, we first ana- that aims to improve the security of current popular lyze the attack surface of the XNU kernel and mitigation operating systems by awarding hackers that are able to techniques, and then study common types of uninitial- hack the latest operating systems and browsers. There ized uses and potential threats. Then we elaborate on the are eight main targets (listing in Table-1) for hackers in vulnerabilities and exploitation techniques. Lastly, we Pwnfest 2016. summarize the whole exploitation and discuss the relia- bility of the exploitation. Table 1: Targets in Pwnfest 2016 1 Introduction Target Although not directly leading to memory corruptions, Microsoft Edge + Windows 10 x64 RS1 uninitialized use has become a kind of severe security Microsoft Hyper-V + Windows Server 2016 vulnerability. The uninitialized use may result in infor- Google Chrome + Windows 10 x64 RS1 mation leaks or control of the instruction pointer, in the Android 7.0 + Google Pixel case that attackers can effectively control memory lay- Adobe Flash + Microsoft Edge + Windows 10 x64 RS1 out and usage by using advanced exploitation techniques Apple Safari + macOS Sierra such as stack based or heap based spraying. Apple iOS 10 + iPhone 7 Plus Many researchers have proposed different methods or VMWare Workstation Pro 12 + Windows 10 x64 RS1 systems to detect, eliminate, or mitigate uninitialized uses. For example, MemorySanitizer [21] and kmem- check [19] perform checks on each memory read and In Pwnfest 2016, our target was Safari on macOS write operation to detect uninitialized reads but they in- Sierra. We first exploited an info-leak vulnerability cur significant overhead. STACKLEAK [22], proposed (CVE-2017-2355) and a UAF vulnerability (CVE-2017- by PaX, clears the kernel stack when returning to the user 2356) to gain remote code execution in the context of space but it does not prevent uninitialized use in the ker- Safari, when Safari processed a crafted web page. How- nel heap. Kangjie Lu’s UniSan [17], which is effective in ever, to win the contest and get the bonus, we needed to detecting stack based and heap based uninitialized uses escape the Safari sandbox and gain the root privilege. To and has slight overhead, requires rebuilding the source achieve this, we exploited two uninitialized value vul- code thus it can only be applied to open-source projects. nerabilities in the kernel. This paper will focus on the In short, such methods or systems are still hard to be ap- kernel exploitation. Specifically, the contribution of this research includes: compromised. The kernel implements a Mandatory Ac- cess Control (MAC) sandbox model. When a sandboxed • A detailed demonstration and analysis of exploit- process tries to access some system resource, the kernel ing uninitialized value bugs to bypass modern ker- will consult the app’s sandbox file to determine whether nel mitigations such as kernel ALSR and SMAP/S- to allow or to deny this operation. MEP on macOS Sierra. Safari is also partially sandboxed. The WebProcess, the NetworkProcess and the PluginProcesses are sand- • State-of-the-art exploitation techniques for exploit- boxed but the UIProcess is not sandboxed. After ex- ing macOS Sierra kernel. ploiting some vulnerabilities in WebCore or JavaScript- • A systematic review of attack surfaces of macOS Core, attackers usually gain arbitrary code execution in Sierra. the sandboxed WebContent process (aka WebProcess). It is still quite restricted to do something further so sandbox The rest of the paper is organized as follows. We re- escape is necessary. view Safari, XNU kernel and the mitigations systemati- Commonly, two different paths are available. The first cally in x2. Then we analyze the common types of unini- one is attacking system services which are not sandboxed tialized use and the potential threats in x3. We analyze and accessible in the WebProcess sandbox. Target ser- and exploit the vulnerabilities in detail in x4. We summa- vices could be WindowServer, fontd, launchd, etc.. Ex- rize our exploitation and make discussion in x5. Related ploiting vulnerabilities in these services help escape the work is summarized in x6. Lastly, we conclude in x7. sandbox and gain root privileges (if the target service is running as root). The other choice is exploiting kernel vulnerabilities directly. Attackers can gain kernel priv- 2 An Analysis of macOS Sierra ilege and break out of the sandbox at the same time by exploiting kernel vulnerabilities. However, this way is 2.1 Safari Browser & Sandbox much harder than the first one because of the sandbox. Safari is developed by Apple Inc. and it is the default Only a small number of user clients are accessible from browser on macOS Sierra. In this part, the process model a WebProcess sandbox (Table 2). Nevertheless, in Pwn- of Safari browser will be first introduced and then the fest 2016, the second way was used and two vulnerabili- sandbox will be discussed. The Safari browser is com- ties were exploited to gain the kernel privileges. posed of several separated processes. Safari employs an isolated process model and obeys least privilege princi- Table 2: User clients allowed to be opened in ples which means each of its components can only access WebProcess limited system resources which it requires. Specifically, Safari can be divided into four parts [11]: # User Client Name KEXT Name 1 AppleUpstreamUserClient AppleUpstreamUserClient.kext 2 AppleMGPUPowerControlClient AppleGraphicsControl.kext • WebProcess, which is also called WebContent, is re- 3 RootDomainUserClient System.kext sponsible for parsing HTML files, rendering DOM 4 IOAudioControlUserClient IOAudioFamily.kext 5 IOAudioEngineUserClient IOAudioFamily.kext objects and drawing layouts for a webpage. It deals 6 IOAccelerator IOGraphicsFamily.kext with Javascript and other active web contents as 7 IOAccelerationUserClient IOGraphicsFamily.kext 8 IOSurfaceRootUserClient IOSurface.kext well. 9 IOSurfaceSendRight IOSurface.kext 10 IOFramebufferSharedUserClient IOGraphicsFamily.kext • NetworkProcess is responsible for network commu- 11 AppleSNBFBUserClient AppleIntelSNBGraphicsFB.kext 12 IOHIDParamUserClient IOHIDFamily.kext nication of a browser like loading pages, loading 13 AppleGraphicsControlClient AppleGraphicsControl.kext resources (pictures, audios, videos) and posting re- 14 AppleGraphicsPolicyClient AppleGraphicsControl.kext quests. 15 AGPMClient AppleGraphicsPowerManagement.kext • PluginProcesses is responsible for managing plug- ins of a browser like Adobe Flash. 2.2 XNU attack surface • UIProcess is the parent process of all the other pro- cesses mentioned before. It is responsible for dis- XNU [6] is a computer operating system developed at patching events and messages between other pro- Apple Inc. and is used widely as the kernel for macOS, cesses. iOS, tvOS, and watchOS operating systems. XNU is a recursive abbreviation of “XNU is Not Unix”. In this macOS uses the sandbox mechanism [7] to minimize part, the attack surface of XNU will be detailedly dis- the damage to the system and user data if an app becomes cussed. On the top view of XNU, XNU is a hybrid kernel to communicate with drivers in the kernel and each which contains features of both monolithic kernels and device driver may have dozens methods for user microkernels. XNU can be considered as a mixture of space programs to call, which leaves a large attack the Mach kernel and the BSD kernel. XNU’s BSD com- surface for attackers. ponent uses FreeBSD as the primary codebase and it is responsible for process management, basic security poli- To start a communication with an IOKit driver in the cies, BSD system calls, network stack, filesystems, etc.. kernel, the following three steps are usually taken: XNU’s Mach component is based on Mach 3.0 devel- 1. Get the name of the service that the driver corre- oped by CMU in the middle 1980s. Mach is responsi- sponds to. The name can be obtained from the out- ble for multitasking, memory management, process com- put of “ioreg” command in a terminal. Then pass munication and so on [16]. Besides BSD and Mach, the name to IOServiceMatching(), which is an XNU contains a special driver framework called I/O Kit. API provided by the IOKit framework, to create a The I/O Kit [9] is a collection of system frameworks, matching dictionary for the next step. libraries, tools, and other resources for creating device drivers in OS X. It is implemented in a restricted form 2. Pass the matching dictionary in step 1 to IOSer- of C++ which omits features like multiple inheritance viceGetMatchingServices() to get an iterator and exception handling, which are unsuitable for a mul- of all the services which match the name in the tithreaded kernel. It also provides user space programs matching dictionary. Objects in the iterator are with the capability of communicating with the drivers in IOService ports, which correspond to the devices’ the kernel. instances in the kernel. Basically, any communication channels between the 3.