DOCSLIB.ORG

Imessage Exploitation Remotely Compromising an Iphone Over Imessage

Imessage Exploitation Remotely Compromising an Iphone Over Imessage

iMessage Exploitation Remotely Compromising an iPhone over iMessage Samuel Groß (@5aelo), Project Zero iMessage iMessage Data Format { gid = "008412B9-A4F7-4B96-96C3-70C4276CB2BE"; gv = 8; p = ( "mailto:[email protected]", "mailto:[email protected]" ); pv = 0; r = "6401430E-CDD3-4BC7-A377-7611706B431F"; t = "Hello OBTS!"; v = 1; x = "<html><body>Hello OBTS!</body></html>"; } Enumerating Attack Surface ● “ATI” and “BP” keys of an iMessage contain NSKeyedUnarchiver data ● Deserializer had numerous bugs in the past ● NSKeyedUnarchiver is now 0-Click Attack Surface... NSKeyedUnarchiver ● Serialization format to serialize rather complex datastructures ○ Dictionaries, arrays, strings, selectors, arrays of c-strings, … ● Complex format, even supports cyclic object relationships ● Read Natalie’s blog post to appreciate the complexity Vulnerability - Timeline ● Found during joint research project with Natalie Silvanovich (@natashenka) ● Reported July 29 ○ PoC Exploit sent on August 9 ● Mitigated in iOS 12.4.1, August 26 ○ Vulnerable code no longer reachable via iMessage ● Fully fixed in iOS 13.2, October 28 ● Seemed most convenient to exploit… ● Bug: object used before it is fully initialized due to reference cycle SharedKeyDictionary SharedKeyDictionary SharedKeyDictionary (pseudocode, simplified) - values: [“v1”, “v2”, ”v3”] - keyset: SharedKeyDictionary::lookup(key): idx = keyset.lookup(key, 0) SharedKeySet1 return values[idx] - numKey: 2 - rankTable: [1, 0] SharedKeySet::lookup(key, start): - keys: [“k1”, “k2”] khash = hash(key) - subskset: idx = rankTable[khash % len(rankTable)] if idx < numKey and key == keys[idx]: SharedKeySet2 return start + idx if subskset: - numKey: 1 - rankTable: [0] return subskset.lookup(key, start + numKey) - keys: [“k3”] return -1; - subskset: nullptr CVE-2019-8641 SharedKeySet::initWithCoder(c): numKey = c.decode('NS.numKey') rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') if len(keys) != numKey: raise DecodingError() for k in keys: if lookup(k) == -1: raise DecodingError() CVE-2019-8641 SharedKeySet::initWithCoder(c): numKey = c.decode('NS.numKey') rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: raise DecodingError() - numKey: 0 - rankTable: nullptr for k in keys: - subskset: nullptr - keys = nullptr if lookup(k) == -1: raise DecodingError() CVE-2019-8641 SharedKeySet::initWithCoder(c): numKey = c.decode('NS.numKey') rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: raise DecodingError() - numKey: 0xffffffff - rankTable: nullptr for k in keys: - subskset: nullptr - keys = nullptr if lookup(k) == -1: raise DecodingError() CVE-2019-8641 SharedKeySet::initWithCoder(c): numKey = c.decode('NS.numKey') rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: raise DecodingError() - numKey: 0xffffffff - rankTable: [0x41414141] for k in keys: - subskset: nullptr - keys = nullptr if lookup(k) == -1: raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 0 SharedKeySet::initWithCoder(c): - rankTable: nullptr numKey = c.decode('NS.numKey') - subskset: nullptr - keys: nullptr rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 0 SharedKeySet::initWithCoder(c): - rankTable: nullptr numKey = c.decode('NS.numKey') - subskset: nullptr - keys: nullptr rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff Start raise DecodingError() - rankTable: decoding [0x41414141] SKS2 now for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: nullptr - subskset: nullptr numKey = c.decode('NS.numKey') - keys: nullptr rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: nullptr - keys: nullptr rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: nullptr rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] NSKeyedUnarachiver for k in keys: - subskset: SKS2 has special logic to handle this case if lookup(k) == -1: - keys = nullptr correctly (i.e not raise DecodingError() create a third object) CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: [0x41414141] for k in keys: - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: for k in keys: [0x41414141] - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 if len(keys) != numKey: - numKey: 0xffffffff raise DecodingError() - rankTable: for k in keys: [0x41414141] - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [ 42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 1. idx > numKey, so if len(keys) != numKey: recurse to - numKey: 0xffffffff subskset (SKS1) raise DecodingError() - rankTable: for k in keys: [0x41414141] - subskset: SKS2 if lookup(k) == -1: - keys = nullptr raise DecodingError() CVE-2019-8641 SharedKeySet2 - numKey: 1 SharedKeySet::initWithCoder(c): - rankTable: [42] numKey = c.decode('NS.numKey') - subskset: SKS1 - keys: [“key1”] rankTable = c.decode('NS.rankTable') subskset = c.decode('NS.subskset') keys = c.decode('NS.keys') SharedKeySet1 1. idx > numKey, so if len(keys) != numKey: recurse to - numKey: 0xffffffff subskset (SKS1) raise DecodingError() - rankTable: 2. idx < numKey, so for k in keys: [0x41414141] access nullptr + - subskset: SKS2 0x41414141*8 if lookup(k) == -1: - keys = nullptr raise DecodingError() Checkpoint ✔ Vulnerability in NSUnarchiver API, triggerable without interaction via iMessage ? Exploitation primitives gained? Exploitation Primitive ● keys is nullptr, idx controlled ● During key comparison, some ObjC methods are called on SharedKeySet::lookup(key, start): the controlled object khash = hash(key) ○ E.g. isNSString idx = rankTable[khash % len(rankTable)] ● Also possible to get dealloc method (destructor) called on if idx < numKey and key == keys[idx]: controlled object return start + idx ● => Exploit Primitive: treat if subskset: arbitrary, absolute address as return subskset.lookup(key, start + numKey) pointer to Objective-C object return -1; and call some methods on it Checkpoint ✔ Vulnerability in NSUnarchiver API, triggerable without interaction via iMessage ✔ Can dereference arbitrary absolute address, treat as ObjC Object pointer ? How to exploit? ObjC Internals Bob* bob = [[Bob alloc] init]; Bob Class [Bob doSomething]; - Parent Class Pointer - Method Table doSomething @ 0x1c001350 dealloc @ 0x1c001470 - ... Bob Instance - Class Pointer (“ISA”) @ 0x1c001230 - Properties ... Process Address Space Exploitation

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    70 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us