36C3 - Tales of old: untethering iOS 11

Description:

https://media.ccc.de/v/36c3-11034-tales_of_old_untethering_ios_11

Spoiler: Apple is bad at patching

This talk is about running unsigned code at boot on iOS 11. I will demonstrate how you can start out with a daemon config file and end up with kernel code execution.

This talk is about achieving unsigned code execution at boot on iOS 11 and using that to jailbreak the device, commonly known as "untethering". This used to be the norm for jailbreaks until iOS 9.1 (Pangu FuXi Qin - October 2015), but hasn't been publicly done since. I will unveil a yet unfixed vulnerability in the config file parser of a daemon process, and couple that with a kernel 1day for full system pwnage. I will run you through how either bug can be exploited, what challenges we faced along the way, and the feasibility of building a kernel exploit entirely in ROP in this day and age, on one of the most secure platforms there are.

littlelailo

https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/11034.html

Video Language:
English
Duration:
39:15