< Return to Video

34C3 - iOS kernel exploitation archaeology

  • 0:00 - 0:15
    34c3 preroll music
  • 0:15 - 0:20
    Herald Angel: And now I want to introduce
    our first speaker and the topic he's
  • 0:20 - 0:28
    talking about. iOS kernel exploitation
    archaeology. A kernel exploit from late
  • 0:28 - 0:35
    2013 early 2014 will be digged out and
    analyzed proper archaeology all the
  • 0:35 - 0:43
    digging... digging and analysis is done by
    argp here to my left on the stage and give
  • 0:43 - 0:47
    him a big round of applause. And the stage
    is yours, thanks.
  • 0:47 - 0:48
    Applause
  • 0:48 - 0:59
    argp: Thanks for the introduction. First
    of all, thank you all for being here. As
  • 0:59 - 1:04
    the person that did the introduction told
    you this is going to be an archeology talk
  • 1:04 - 1:10
    so I apologize in advance if it's not that
    interesting for you. So we'll talk about a
  • 1:10 - 1:16
    bit older stuff rather than new things.
    Okay so a bit a few things about myself.
  • 1:17 - 1:21
    Actually, I think from all these things,
    the most important are the the Phrack
  • 1:21 - 1:27
    papers, right? So, yeah. Let's ignore all
    the other stuff okay? So, what I'm going
  • 1:27 - 1:35
    to talk about. I'm going to talk about the
    evasi0n7 kernel exploit. Now evasi0n7 was
  • 1:35 - 1:42
    a jailbreak it was released by the evad3rs
    on the 22nd of December 2013. It supported
  • 1:42 - 1:50
    iOS7 to iOS7.1 beta 3. That's not the
    7.1 stable release, right? So that's a
  • 1:50 - 1:56
    beta. And this supported all devices at
    that time including the iPhone 5s which
  • 1:56 - 2:04
    was the first 64-bit device except the
    Apple TV. So, I decided to reverse
  • 2:04 - 2:09
    engineer the kernel exploit of the
    jailbreak focused just on that. Because I
  • 2:09 - 2:14
    was really interested, not so much in the
    bug itself, which was as we will see not
  • 2:14 - 2:19
    very complicated. But I was really
    interested to understand the exploitation
  • 2:19 - 2:26
    techniques that the evad3rs used. So, I
    started reversing it, and I understanding
  • 2:26 - 2:32
    it, and at some point I just said I'm just
    gonna do a reimplementation of the kernel
  • 2:32 - 2:37
    exploit. So, this talk is basically my
    notes on this whole process. And, of
  • 2:37 - 2:42
    course, it's not a jailbreak walkthrough,
    right? And I'm going to specifically focus
  • 2:42 - 2:50
    on the various problems I encountered
    during this task and how I overcame them.
  • 2:50 - 2:58
    And hopefully it's going to give you some
    helpful takeways for if you do iOS kernel
  • 2:58 - 3:05
    research nowadays. Okay, so, the general
    outline is I'm going to say a few things
  • 3:05 - 3:12
    about the version 7 to setup the stage.
    And then I'm going to explain the kernel
  • 3:12 - 3:19
    bug itself. And, then I'm going to talk in
    length about my debugging setup. And, I
  • 3:19 - 3:26
    think that's a very important step that
    usually phone or embedded talks
  • 3:26 - 3:30
    exploitation talks don't analyze that
    much, and I think it's a really important
  • 3:30 - 3:36
    part. Because usually having a working the
    debugging set up is, basically, maybe half
  • 3:36 - 3:41
    the job of doing a reliable exploit. Then
    I'm going to do to talk about my
  • 3:41 - 3:47
    reimplementation of the exploit, and
    hopefully, at the end, we're gonna have
  • 3:47 - 3:54
    some things to take away or maybe not. We
    will see. Okay so it was the evasi0n7
  • 3:54 - 3:59
    jailbreak was released about 4 years ago.
    And that's the archaeology in the title.
  • 3:59 - 4:05
    That's ancient history right? And if you
    were following the jailbreak community,
  • 4:05 - 4:12
    you might remember this huge drama around
    this jailbreak, initially, with geohot and
  • 4:12 - 4:17
    if he was planning or not to release it
    before the evad3rs. And who he was
  • 4:17 - 4:23
    planning to sell it to, and some leaked
    discussion that he had with some of that
  • 4:23 - 4:31
    he was offering money to buy. And geohot,
    his jailbreak supposedly using
  • 4:31 - 4:38
    some of the bugs the evad3rs were using so
    this is a huge drama. And then after the
  • 4:38 - 4:43
    evasi0n7 jailbreak released, like maybe a
    few hours ago, people realize that if your
  • 4:43 - 4:54
    phone had a Chinese locale then the
    jailbreak was installing a piracy app. So,
  • 4:54 - 4:57
    that was basically a third-party app that
  • 4:57 - 5:01
    was taking you to an
    app store not operated
  • 5:01 - 5:05
    by Apple but by TaiG that had some pirated
    versions of the real applications on the
  • 5:05 - 5:13
    App Store. And, of course, that also
    create like a huge drama, this practice.
  • 5:14 - 5:18
    Okay, so a lot of things were said about
    the jailbreak at that time and about the
  • 5:18 - 5:24
    TaiG pirate App Store. But what I really
    set apart was this tweet. And the really
  • 5:24 - 5:28
    important thing that I like about this
    tweet is, that it doesn't really make
  • 5:28 - 5:31
    sense. So he says that we have to decide
    to remotely disable the default
  • 5:31 - 5:35
    installation of TaiG in China for further
    investigations of the piracy. So that
  • 5:35 - 5:41
    whole thing doesn't make sense. So you
    mean, you didn't know what was happening?
  • 5:41 - 5:45
    You didn't bundle it with a jailbreak? Are
    you going to disable it for new
  • 5:45 - 5:50
    installations? And then, what does
    remotely then mean exactly? So what about
  • 5:50 - 5:56
    the people that already had the apps, the
    piracy app. How are you going to disable
  • 5:56 - 6:05
    that? Is that what remotely refers to? So
    that's an excellent tweet I think. Okay,
  • 6:05 - 6:11
    so some point after the evasi0n7 jailbreak
    was released geohot did a writeup on the
  • 6:11 - 6:19
    userland part of it. So, he analyzed how
    the userland part worked and he stopped at
  • 6:19 - 6:28
    the point of gaining root and basically,
    he mentioned in his writeup that the
  • 6:28 - 6:33
    evasi0n7 untethered binary, which
    basically what was good doing the kernel
  • 6:33 - 6:40
    exploit, was obfuscated. And as we will
    see this was indeed the case and as far as
  • 6:40 - 6:46
    I know that's the first jailbreak that
    used the deliberate obfuscation. I don't
  • 6:46 - 6:51
    know the reason, I assume it's
    partly to hide the the piracy
  • 6:51 - 6:57
    app store that was bundled with it and
    maybe partly to hide the bug, the kernel
  • 6:57 - 7:07
    bug, but I'm not sure about the reason.
    Now p0sixninja who found as far as I know
  • 7:07 - 7:12
    the bug, the kernel bug did a writeup on
    the kernel bug, it's on the iPhone wiki,
  • 7:12 - 7:18
    and he basically describes the bug and he
    stops at the point where he gets a crash
  • 7:18 - 7:26
    log from gdb. So he doesn't say anything
    about how to exploit it. Okay, so after
  • 7:26 - 7:31
    all these things happened then I decided
    to reverse engineer the untethered binary
  • 7:31 - 7:37
    and understand the exploitation techniques
    and I was really interested to reverse
  • 7:37 - 7:41
    engineer the obfuscation that the evad3rs
    were using, it seemed like an interesting
  • 7:41 - 7:46
    challenge, and... but as I also mentioned
    earlier I was really interested to
  • 7:46 - 7:50
    understand the exploitation techniques
    that they were using that was more
  • 7:50 - 7:59
    important for me at that time. And,
    okay, so the jailbreak was released
  • 7:59 - 8:06
    December 2013 and I started doing that
    around February 2014, and I did that while
  • 8:06 - 8:10
    having an actual day job, right, so I was
    spending at most two days per week on
  • 8:10 - 8:20
    that. So what was my setup? I had an
    iPhone 4, and if you know about iPhone 4s
  • 8:20 - 8:26
    they have a boot ROM bug called limera1n
    which basically allows you to load
  • 8:26 - 8:32
    arbitrary kernels, unsigned kernels, on
    the device and run them and that basically
  • 8:32 - 8:38
    means that you can very easily
    set up kernel debugging. So initially I
  • 8:38 - 8:46
    had an iPhone 4 device with iOS 7.0.6. I
    want to remind you that iPhone 4 is ARM32,
  • 8:46 - 8:53
    right. I also had an iPhone 5s with the
    same version of iOS and I had that in
  • 8:53 - 9:00
    order to verify all my findings and all my
    tests on - to redo my tests on an ARM64
  • 9:00 - 9:06
    device and as I told you - the iPhone 5s
    at that time was the only ARM64 device.
  • 9:06 - 9:10
    Actually, I think on the market, I don't
    think there was another consumer device
  • 9:10 - 9:19
    with ARM64 at that time. So that's the
    exact version of version 7 I was analyzing
  • 9:19 - 9:26
    and of course IDA, gdb, lldb. Now the lols
    in this slide they don't actually refer to
  • 9:26 - 9:31
    something funny they actually mean
    something very painful and that caused a
  • 9:31 - 9:37
    lot of like sleepless nights, but I'll get
    onto that. Okay, a few things about the
  • 9:37 - 9:44
    obfuscation. So, not all the functions of
    the entire binary were obfuscated, but
  • 9:44 - 9:52
    some of the important ones were, and those
    were the ones that were triggering the bug
  • 9:52 - 9:57
    and they were actually doing heap
    manipulation and all the other important
  • 9:57 - 10:01
    things. Now I have been told, I haven't
    checked that, but I have been told that
  • 10:01 - 10:05
    later versions remove the obfuscation but
    I'm not sure about that, I haven't
  • 10:05 - 10:10
    verified it and I already had my
    implementation done at that point so I
  • 10:10 - 10:20
    wasn't that interested to look at that. So
    as I mentioned the kernel bug that the
  • 10:20 - 10:27
    evasi0n7 untethered binary was based on
    was found by p0sixninja, and basically as
  • 10:27 - 10:34
    far as he says on that iPhone wiki page he
    used that six line bash script fuzzer to
  • 10:34 - 10:42
    find it. So as you can see he basically
    creates device nodes and, with
  • 10:42 - 10:50
    controlled arguments here like minor and
    major numbers. Now in order to get to the
  • 10:50 - 10:57
    point to create device nodes you basically
    need to be outside of the application
  • 10:57 - 11:04
    sandbox that exists on iOS and you also
    need root privileges and that's what I
  • 11:04 - 11:08
    refer to as the userland part of the
    evasi0n7 binary and I'm not going to cover
  • 11:08 - 11:15
    that at all. So I'm gonna start my
    analysis from the point on that we have
  • 11:15 - 11:19
    escaped the sandbox, we have obtained
    root and now we go to exploit the kernel
  • 11:19 - 11:29
    bug. Now that's code from that version of
    the XNU kernel that had the bug. Now this
  • 11:29 - 11:40
    ptsd_open function is called everytime
    userland code opens a /dev/ptmx device and
  • 11:40 - 11:44
    then this ptmx_get_ioctl function is
    called. Now the important thing here
  • 11:44 - 11:47
    is that dev here is completely
    user controlled and then
  • 11:47 - 11:49
    it's passed to this ptmx_get_ioctl
  • 11:49 - 11:55
    function with no checks at all, right, and
    then this ptmx_get_ioctl function uses
  • 11:55 - 12:00
    this to index an array without any checks.
    So basically the bug's an invalid indexing
  • 12:00 - 12:06
    bug, right, so since we can control that
    you can put here whatever. I have here the
  • 12:06 - 12:14
    ptmx_ioctl struct that, okay, this array
    here is, so this state struct here is
  • 12:14 - 12:22
    global to the kernel and this
    pis_ioctl_list array here is on the kernel
  • 12:22 - 12:30
    heap and it is an array of ptmx_ioctl
    structs and that's the PTMX ioctl struct
  • 12:30 - 12:36
    and the important thing here is, that
    I'm going to refer to again and again
  • 12:36 - 12:41
    during the talk, is that it has a pointer
    to a tty struct as the first element of
  • 12:41 - 12:51
    the structure. Okay, so we control the
    index to the array, so what can we do with
  • 12:51 - 12:57
    that? So here as you can see it return
    the ptmx_get_ioctl function returns
  • 12:57 - 13:05
    whatever it indexes, right. So, as you can
    see here is it assigns this pti variable
  • 13:05 - 13:11
    and then does all kinds of interesting
    things, so pti is controllable, tp is
  • 13:11 - 13:14
    controllable here as well after this
    dereference here to some controllable
  • 13:14 - 13:21
    value and, I mean in other code parts of
    the kernel this is called again and so
  • 13:21 - 13:27
    there are there are a lot of things to
    consider when you know the bug and
  • 13:27 - 13:34
    then you try to think how to exploit it.
    Okay, one important thing here that I
  • 13:34 - 13:44
    wanted to mention is that this ptmx,
    this function here ptmx_get_ioctl also
  • 13:44 - 13:52
    does the allocation of this struct here,
    of this tty struct here and that's
  • 13:52 - 14:00
    important because I'm going to use further
    on. Okay, another important thing is that
  • 14:00 - 14:06
    you basically, this bug what allows you
    to do is you can control the size of this
  • 14:06 - 14:15
    array here, so by, can you see that?
    Okay, so by repeatedly open the ptmx
  • 14:15 - 14:22
    device you can grow this array and you can
    grow it as you see here by this grow
  • 14:22 - 14:30
    vector that's 16, but it doesn't matter.
    What matters is that the size of this
  • 14:30 - 14:38
    array in bytes is controllable by you, the
    person who are trying to exploit this bug.
  • 14:38 - 14:45
    Now, for example these are notes from my
    exploit so if I did one allocation, if I
  • 14:45 - 14:51
    did one open of this ptmx device then this
    array was going into kalloc_64. If I was
  • 14:51 - 14:59
    doing 17 it was going to kalloc_128, if I
    was doing 33 opens here it was going to
  • 14:59 - 15:07
    kalloc_192 and so on and so forth. So I
    could decide in which kalloc zone I could
  • 15:07 - 15:14
    place the array. If you don't know kalloc
    zones, they are basically, you can think
  • 15:14 - 15:21
    them as container, you can think kalloc
    zones as containers for heap objects on
  • 15:21 - 15:27
    the kernel heap. All of them can be of
    different type but they're, all of them
  • 15:27 - 15:33
    are of the same size, right, so kalloc_64
    can have different structures of size 64
  • 15:33 - 15:43
    bytes, but all of them are our size 64
    bytes. Okay so I started debugging the
  • 15:43 - 15:50
    untethered binary in userland, that's how
    I started. So initially I was using gdb
  • 15:50 - 15:58
    and I found out that nothing worked with
    gdb. It was at that point Apple was
  • 15:58 - 16:02
    starting to move from gdb to lldb, so I
    don't, maybe that was the reason gdb
  • 16:02 - 16:06
    wasn't tested at all. So when I
    say nothing worked I mean that I was
  • 16:06 - 16:12
    placing break points and they weren't
    hitting and I was trying like stepping and
  • 16:12 - 16:16
    it was continuing execution and stuff like
    that. Sometimes I couldn't even attach the
  • 16:16 - 16:24
    binary. So then I moved to lldb, on lldb
    set up with debugserver and things were
  • 16:24 - 16:29
    much better. Now, while I was
    experimenting stealing from, just with
  • 16:29 - 16:35
    userland debugging my iPhone 4 device went
    to into a recovery loop and I wasn't able
  • 16:35 - 16:46
    to get out of it, so I was forced to do a
    clean restore of the device. The problem
  • 16:46 - 16:52
    was that at that time only iOS 7.1 was
    signed by Apple, so I couldn't install a
  • 16:52 - 16:56
    version of files that hit the kernel that
    hit the bug that I was interested to look
  • 16:56 - 17:00
    at, but on the other hand I couldn't not
    restore my device because that was the
  • 17:00 - 17:05
    only device I had at the point I could do
    kernel debugging with. So I updated my
  • 17:05 - 17:12
    device to 7.1. As I said just told you 7.1
    didn't have a vulnerable kernel
  • 17:12 - 17:22
    to this bug, so what I wanted to do was
    basically to boot an iOS 7.1 device with a
  • 17:22 - 17:28
    7.0.6 kernel, and in order to do that I
    could use the limera1n bug that allowed me
  • 17:28 - 17:33
    to boot arbitrary kernels and the utility
    to do that was redsn0w, right. The problem
  • 17:33 - 17:40
    was that redsn0w only supported up to iOS
    6 and it wasn't, it didn't have support
  • 17:40 - 17:46
    for iOS 7 so I left all the other things I
    was doing and I started reversing redsn0w
  • 17:46 - 17:52
    to understand how it worked. Redsn0w, if
    you don't know it's, it was back then
  • 17:52 - 17:56
    and still is closed source, right, so I
    started reversing that to understand how
  • 17:56 - 18:01
    it worked in order to support, for me to
    hot patch it, to binary
  • 18:01 - 18:07
    patch it to add support for iOS 7 and I
    spent like I don't know maybe a month on
  • 18:07 - 18:12
    that and then I realized that it was, it
    wasn't leading me anywhere, I couldn't
  • 18:12 - 18:17
    understand a lot of things about how
    redsn0w was implemented, so I I stopped
  • 18:17 - 18:26
    doing that, and at that point I found
    opensn0w which was an effort by winocm to
  • 18:26 - 18:32
    implement redsn0w as open source. So, it
    seemed to have support for iOS 7 and that
  • 18:32 - 18:40
    was good, I tested that and it was
    working. Now my problem was that I
  • 18:40 - 18:44
    couldn't have an arbitrary
    length of boot-args. Boot-args are the
  • 18:44 - 18:49
    arguments that you pass to the kernel when
    it boots and they are really important in
  • 18:49 - 18:58
    iOS because by passing certain boot-args
    to the kernel you can disable sign checks,
  • 18:58 - 19:02
    you can enable kernel debugging, so it's
    really important to be able to pass
  • 19:02 - 19:09
    arbitrary length boot-args. And iOS 7.1
    was using absurd 9 character so that was
  • 19:09 - 19:16
    the reason opensn0w couldn't support more
    So what I ended up doing was I patched
  • 19:16 - 19:23
    iBEC, which is basically the loader
    of the kernel, right, that passes boot-
  • 19:23 - 19:30
    args to the kernel when it boots and,
    basically I changed the pointer to the
  • 19:30 - 19:36
    boot-args to some other place that had
    much more space. So at that point I was
  • 19:36 - 19:42
    able to pass arbitrary-length boot-args to
    my kernel. So where we are at last? So I
  • 19:42 - 19:50
    had an iPhone 4 device with iOS 7.1 and I
    was using opensn0w to boot the 7.0.6
  • 19:50 - 19:57
    kernel that had the bug that I was
    interested to exploit. Now, one side note
  • 19:57 - 20:04
    here is that as I was doing that and I was
    trying to add to open snow all the patches
  • 20:04 - 20:10
    to the kernel to enable kernel debugging,
    I was reversing the evasi0n7 binary as
  • 20:10 - 20:15
    well. Now, the evasi0n7 binary was trying
    also to, after it exploited the kernel
  • 20:15 - 20:20
    it was patching it to enable kernel
    debugging, but, so I was just copying
  • 20:20 - 20:24
    their patches, right, and adding them to
    opensn0w, but I realized at some point
  • 20:24 - 20:30
    that they missed some check for the debug-
    enabled variable and KDP wasn't really
  • 20:30 - 20:36
    working, so the session was established
    and it seemed like it was working, but if
  • 20:36 - 20:41
    you tried to actually use the kernel,
    the KDP, the kernel debugging setup for
  • 20:41 - 20:45
    to do actual, like to attach debugger to
    the kernel and do whatever, like place a
  • 20:45 - 20:54
    breakpoint or step then KDP just froze. So
    I added another part that was required on
  • 20:54 - 21:03
    that. Ok, so kernel debugging at last, but
    that's not really what happened, because
  • 21:03 - 21:08
    you know breakpoints didn't always work so
    you were placing a breakpoint and it
  • 21:08 - 21:13
    wasn't hitting when execution was reaching
    there and you were trying to step
  • 21:13 - 21:17
    instructions and the execution just
    continues, so you were stepping one
  • 21:17 - 21:21
    instruction it was just like you would
    type in continue and if you were taking
  • 21:21 - 21:27
    too long to type an lldb command then KDP
    froze and then you had to restart your
  • 21:27 - 21:33
    device, re-establish the kernel debugging
    session and start from zero. And if you
  • 21:33 - 21:38
    issue commands too fast then KDB froze
    again, so you have to reboot again. It was
  • 21:38 - 21:47
    amazing, it was great time. And now I did
    similar stuff with iOS 6 and I distinctly
  • 21:47 - 21:53
    remember that was much easier and kernel
    debugging worked much better. And... I
  • 21:53 - 21:59
    mean the issue that comes to everyone's
    mind that does that is: do Apple engineers
  • 21:59 - 22:06
    really use KDP for debugging the iOS
    kernel or do they use something else?
  • 22:06 - 22:15
    Okay, so now I could debug the evasi0n7
    untethered binary both from the userland
  • 22:15 - 22:23
    side and from the kernel side, and that
    was good because I was analyzing at run
  • 22:23 - 22:32
    time and at the same time I was reversing
    it in IDA, so the obfuscation who... I
  • 22:32 - 22:38
    could do it much faster since I was taking
    hints from runtime. So I... at that point
  • 22:38 - 22:43
    things started moving fast and I quickly
    found that it was abusing the data by
  • 22:43 - 22:49
    structure to obtain read/write access to
    physical memory. I mean that was
  • 22:49 - 22:53
    interesting to me, but I was expecting
    something else. I was expecting something
  • 22:53 - 22:58
    like what they did in iOS in the evasi0n6
    jailbreak, that they did like a lot of
  • 22:58 - 23:04
    heap manipulation and that's my interest
    actually, heap exploitation. So at that
  • 23:04 - 23:10
    point I decided to stop reversing it and
    reimplement the exploit the way that I
  • 23:10 - 23:16
    wanted to do it. So obviously that wasn't
    work from scratch, it was from everything
  • 23:16 - 23:20
    that I understood up to that point, and
    what I really wanted to use was the
  • 23:20 - 23:25
    vm_map_copy structures technique by Dowd
    and Mandt and I'm going to explain that in
  • 23:25 - 23:32
    the following slides, how it works.
    Okay, so at that point I had the clear
  • 23:32 - 23:37
    understanding of the bug, what it was and
    I had the general idea like about how to
  • 23:37 - 23:42
    exploit it and I mean if you've done
    that you know then it takes a lot of pen
  • 23:42 - 23:48
    and paper like ideas you develop on paper,
    then you go test them and they don't work
  • 23:48 - 23:53
    and then you design them again and then
    again and you fail and you despair and
  • 23:53 - 23:58
    then you suddenly have an idea and you
    spend like I don't know like two nights
  • 23:58 - 24:04
    stay up until 5:00 in the morning testing
    things and they don't work and then you
  • 24:04 - 24:11
    despair again and ad nauseam. But
    eventually you get somewhere so let's talk
  • 24:11 - 24:19
    about exploitation now. Now, a few things
    to refresh your memory about the bug. So
  • 24:19 - 24:26
    as I said it was an invalid indexing bug.
    This pis_ioctl_list array was on the heap
  • 24:26 - 24:33
    and I could control in which kalloc zone
    it can go. I can grow it, but once I grow
  • 24:33 - 24:43
    it I cannot shrink it back. Now, that's
    code from that ptmx_get_ioctl function, so
  • 24:43 - 24:47
    what... basically what it does it
    allocates a new ptmx_ioctl structure and
  • 24:47 - 24:53
    then it uses the index that you provide...
    that you control to store the address on
  • 24:53 - 25:01
    the array. Now, this allocation here...
    this struct here goes into kalloc.88 and
  • 25:01 - 25:08
    that's useful for the next parts. Okay, a
    few things about the technique I wanted to
  • 25:08 - 25:13
    use... about the exploitation technique I
    wanted to use. So it's the vm_map_copy
  • 25:13 - 25:19
    technique, it was proposed by Dowd and
    Mandt and basically they were spraying the
  • 25:19 - 25:25
    heap with these structs here, the
    vm_map_copy structs, and assuming you have
  • 25:25 - 25:31
    like some way to corrupt this struct that
    you've sprayed on the heap if you can
  • 25:31 - 25:39
    overwrite this kdata element here, then
    basically what you have is a leak of
  • 25:39 - 25:45
    kernel memory other adjacent like next to
    the kdata, whatever is below or above the
  • 25:45 - 25:50
    kdata pointer or arbitrary if you put
    whatever address you want in there. By
  • 25:50 - 25:58
    overwriting the kalloc_size element here
    and then freeing the struct on the heap,
  • 25:58 - 26:04
    you put it on a wrong zone and basically
    when you allocate it back, since you put
  • 26:04 - 26:10
    it on on a different size zone, you can
    have a heap overflow. So that's a general
  • 26:10 - 26:14
    overview of this technique. So but you
    corrupt this struct and you get primitive
  • 26:14 - 26:22
    exploitation primitives. Okay, so what was
    the idea I had at that point? The idea
  • 26:22 - 26:29
    was to use the... this pis_ioctl_list
    index bug to corrupt this kdata pointer
  • 26:29 - 26:38
    here and to have arbitrarily... Sorry, we
    have a relative leak of kernel heap
  • 26:38 - 26:45
    memory, and that would be my first step
    towards exploiting the bug. Of course the
  • 26:45 - 26:52
    end goal is to have arbitrary read/write,
    right, and of course it was just a fuzzy
  • 26:52 - 26:56
    idea at that point and you know that's
    always the goal, but when you study the
  • 26:56 - 27:04
    bug and you see the different code paths
    and how the things you affect are used,
  • 27:04 - 27:08
    then you have some maybe not completely
    concrete things in your mind, but you know
  • 27:08 - 27:14
    that interesting things can happen, so
    that's what I had at that point.
  • 27:14 - 27:24
    Okay, so let's talk about the exploitation
    strategies now. So at stage one I sprayed
  • 27:24 - 27:31
    the kernel heap with vm_map_copy structs
    and I decided to work on the kalloc.256
  • 27:31 - 27:36
    zone, and the reason for that was
    completely arbitrary... was because of all
  • 27:36 - 27:41
    the kernel debugging I have done up to
    this point of this entire binary I saw
  • 27:41 - 27:46
    that this kalloc zone was not really used
    that much, either by the kernel or by
  • 27:46 - 27:52
    whatever the exploit was doing. So...
    that's good because it means that you
  • 27:52 - 27:56
    can... you as an exploiter can have much
    better control over the kernel heap if
  • 27:56 - 28:05
    there aren't other things placing
    allocations on the zone you work. So I
  • 28:05 - 28:13
    decided to use the kalloc.256 zone and I
    avoided of course kalloc.384 because the
  • 28:13 - 28:21
    tty structs were going there and that
    would really mess up my heap arrangements.
  • 28:21 - 28:30
    So the first... let me actually... ok. So
    what I wanted to do was to do this.
  • 28:30 - 28:37
    So initially you spray the heap with
    vm_map_copy structs and you control both
  • 28:37 - 28:42
    their size and their contents, the content
    don't matter at this point. So it... just
  • 28:42 - 28:48
    the size matters. So I spray with 256
    bytes vm_map_copy structs and then I free
  • 28:48 - 28:53
    every other second one and I create this
    kind of pattern like a vm_map_copy and a
  • 28:53 - 28:59
    free slot and a vm_map_copy and a free
    slot and then I grow the pis_ioctl_list
  • 28:59 - 29:09
    array to 256 bytes and then it goes into
    one of these free slots here. Now, the
  • 29:09 - 29:15
    code for doing that looks something like
    that, so what this basically does it
  • 29:15 - 29:25
    sends... it creates this... so if you see
    here the out of line mach messages as
  • 29:25 - 29:32
    basically these vm_map_copy structs and...
    Their size is 256, their buffer doesn't
  • 29:32 - 29:38
    matter at this point and you just send
    them like machs and methods. And then
  • 29:38 - 29:43
    after you've sprayed with them then you
    free every second one here... with this
  • 29:43 - 29:52
    loop here. So in order to make this free
    slot you just receive this mach out of
  • 29:52 - 29:58
    line messages that correspond to the
    vm_map_copy structs. And after you've
  • 29:58 - 30:05
    created the holes you basically grow the
    array to 256 bytes. How do you do that? As
  • 30:05 - 30:12
    I mentioned earlier you open the dev ptmx
    device a number of times. How many times
  • 30:12 - 30:18
    doesn't matter, like a specific number of
    times that I mentioned earlier, that I
  • 30:18 - 30:26
    have noticed grows it 256 bytes. So that's
    the arrangement you have at that first
  • 30:26 - 30:36
    stage. Okay, so the second stage is done
    on the kalloc.88 zone. So I spray again
  • 30:36 - 30:42
    with vm_map_copy structs and this
    time I make them 88 bytes to go to
  • 30:42 - 30:51
    the kalloc.88 zone and then I create again
    holes. And then I trigger the bug with an
  • 30:51 - 30:56
    invalid index value and remember that when
    you trigger the bug a ptmx_ioctl struct is
  • 30:56 - 31:02
    allocated and this goes to kalloc.88. But
    because on kalloc.88 I have created this
  • 31:02 - 31:07
    pattern of used free used free it goes
    into one of the free slots. So now I have
  • 31:07 - 31:14
    a ptmx_ioctl struct in one of my free
    slots. I don't know where that is but I
  • 31:14 - 31:23
    know that it falls into the pattern,
    right, so I trigger the bug and remember
  • 31:23 - 31:29
    that basically you control this index,
    right, so since I control the index I
  • 31:29 - 31:35
    point it to the vm_map... to the kdata
    element of the vm_map_copy struct that I
  • 31:35 - 31:40
    know is below the free slot that the array
    went into. I don't know the address,
  • 31:40 - 31:47
    right, I can't put like an address there,
    but I can... I know the relatives... the
  • 31:47 - 31:52
    relative distance in bytes because I
    created the pattern... the heap pattern.
  • 31:52 - 31:58
    So let's go to... okay. So it looks like
    that. So that's my first stage, right,
  • 31:58 - 32:03
    free, vm_map_copy, ... and this is the
    same pattern on the kalloc.88 zone.
  • 32:03 - 32:08
    When you trigger the bug, this ptmx_ioctl
    structure is allocated. It goes into one
  • 32:08 - 32:17
    of the free slots, right, and then the bug
    itself, which is what we see here is...
  • 32:17 - 32:21
    remember you control the index, so this is
    the new allocation that went here, and
  • 32:21 - 32:27
    then it goes and stores the address where
    the index tells it to store it. But
  • 32:27 - 32:31
    remember that this is controlled, we
    control that, so what I do I point this
  • 32:31 - 32:37
    here relatively to the neighboring
    vm_map_copy struct at the kdata field,
  • 32:37 - 32:42
    right. So in this kdata field here of the
    vm_map_copy struct I have now this
  • 32:42 - 32:53
    address, right. So that's how the heap
    looks like. I have here the code, it's
  • 32:53 - 33:01
    very similar to the first stage that you
    spray with vm_map_copy structs of size 88,
  • 33:01 - 33:06
    machs and methods, right, and then you
    receive every second one, you create the
  • 33:06 - 33:16
    holes on the 88 zone and then you trigger
    the bug here, right. This invalid pis
  • 33:16 - 33:30
    index number here is basically what points
    relatively here, right. So I have now the
  • 33:30 - 33:37
    address of this ptmx_ioctl struct which is
    an address on the kalloc.88 zone. I have
  • 33:37 - 33:43
    it on the kdata field of this vm_map_copy
    struct here. So what I do... I can simply
  • 33:43 - 33:51
    receive these methods and in its content I
    can see the address of that slot on the
  • 33:51 - 34:01
    kalloc.88 zone. So that's the code to do
    that, I simply receive all the messages
  • 34:01 - 34:12
    and that's my address. Okay, so at this
    point I only... what I only have is this
  • 34:12 - 34:22
    address here, right? I have the address of
    this heap slot. So, at that point I
  • 34:22 - 34:29
    started looking at other code paths that
    this invalid index... what other
  • 34:29 - 34:35
    variables this invalid index was
    influencing and I found the code path that
  • 34:35 - 34:40
    was actually giving... was giving me a
    write and... But in order to reach that I
  • 34:40 - 34:46
    needed to survive several dereferences,
    and what I only knew was just the
  • 34:46 - 34:51
    kalloc.88 address, right? Nothing else. So
    I will now walk you through everything
  • 34:51 - 35:01
    that gave me this write. So I clean up the
    kalloc.256 zone and I spray it again with
  • 35:01 - 35:06
    vm_map_copy structs and create holes
    exactly like the previous step...
  • 35:06 - 35:15
    the first stage. Again, next to the
    pis_ioctl_list array I have a vm_map_copy
  • 35:15 - 35:23
    struct, but at this time I... in all the
    the vm_map_copy structs I put a payload of
  • 35:23 - 35:30
    the... of this fake ptmx_ioctl address I
    have. And remember that the first element
  • 35:30 - 35:40
    of the ptmx_ioctl struct is a pointer to
    tty struct and I can use the leaked
  • 35:40 - 35:45
    address I have for this pointer that I
    don't know... I didn't know where to point
  • 35:45 - 35:53
    it to. So, the next step was to clean up
    the kalloc.88 zone and spray it again, and
  • 35:53 - 35:59
    again I sprayed with vm_map_copy structs,
    but at this time at their payload I can
  • 35:59 - 36:07
    put now the fake tty struct that the
    ptmx_ioctl struct is pointing to. The
  • 36:07 - 36:16
    problem at that point was that the tty
    struct with 256 bytes and kalloc.88 has...
  • 36:16 - 36:22
    the slots are only 88 bytes, so I couldn't
    just with the elements of the... just with
  • 36:22 - 36:29
    the first 88 byte elements, I couldn't get
    to the path that was giving the write, so
  • 36:29 - 36:45
    I needed to find some other way to host my
    fake tty struct. So remember that I
  • 36:45 - 36:51
    couldn't work on any other kalloc zone or
    anywhere else because what I only knew was
  • 36:51 - 36:59
    the address of that kalloc.88 zone, I had
    nothing else to build on. So at that point
  • 36:59 - 37:07
    I started doing a much more complicated
    heap arrangement. So instead of spraying
  • 37:07 - 37:16
    just one thing I was spraying... I was
    trying to create a pattern of two
  • 37:16 - 37:20
    controlled things. Now, I couldn't use
    vm_map_copy structs for both these slots
  • 37:20 - 37:25
    because the vm_map_copy structs has
    a header, right? So it would mess up my
  • 37:25 - 37:34
    fake tty struct. So by reading i0n1c's
    kernel heap exploitation slides, I
  • 37:34 - 37:41
    realized that I could spray the heap with
    XML properties of length 88 from that
  • 37:41 - 37:48
    AppleJPEGDriver and I could place as a
    second controlled object after the
  • 37:48 - 37:53
    vm_map_copy struct these XML properties
    which are completely controlled in
  • 37:53 - 37:58
    content, and I could host the second part
    of the tty struct there. I mean, it's
  • 37:58 - 38:06
    still not 256 bytes, but what it gives me
    is the ability to survive all dereferences
  • 38:06 - 38:14
    to reach the write that I was interested
    in. Okay. So, a few things about the
  • 38:14 - 38:20
    tty struct. So that's what I got... I
    wanted to create on the kalloc.88 zone,
  • 38:20 - 38:28
    right, so that's the tty struct that the
    ptmx_ioctl struct is pointing to. Now,
  • 38:28 - 38:38
    what basically I wanted to do here is I
    wanted to point... the final thing was
  • 38:38 - 38:46
    to use this clist struct to control this
    element here, c_cs, as a start of the ring
  • 38:46 - 38:51
    buffer for the tty, to give me an
    arbitrary write... Sorry, to give me a
  • 38:51 - 38:56
    controlled write. I started playing a bit
    with to use it to do arbitrary write, but
  • 38:56 - 39:04
    I found that I wasn't able to do it
    because at later stage some other parts of
  • 39:04 - 39:10
    the tty struct were needed that I wasn't
    able to control, so I only had two
  • 39:10 - 39:18
    88-slots to host my fake tty struct. So
    that wasn't stable. So I was only
  • 39:18 - 39:26
    using that to do a relative write. So
    we'll see the code later on, let's go to
  • 39:26 - 39:32
    the heap layout. So that's the third
    stage. Again, remember I sprayed the
  • 39:32 - 39:39
    kalloc.256 zone with vm_map_copy structs/
    frees, just place my pis_ioctl_list array
  • 39:39 - 39:43
    next to vm_map_copy struct. Remember that
    I control the contents of vm_map_copy,
  • 39:43 - 39:52
    right, so I placed in the buffer of
    vm_map_copy this ptmx_ioctl address that I
  • 39:52 - 40:00
    know and I point the invalid index that I
    control to this ptmx_ioctl... this address
  • 40:00 - 40:04
    that I put here. And what is this address?
    It's that leaked address that I got in the
  • 40:04 - 40:12
    previous stage which points to the
    kalloc.88 zone. And what's the arrangement
  • 40:12 - 40:17
    of that kalloc.88 zone? It's as I told you a
    vm_map_copy followed by an XML properties.
  • 40:17 - 40:21
    vm_map_copy, XML properties... And all
    this hosts this fake tty struct, right?
  • 40:21 - 40:28
    All these are the same, I just explained
    here how it looks like. So this points to
  • 40:28 - 40:35
    the kdata element here and the rest of
    it holds the rest of the... all this is
  • 40:35 - 40:40
    basically the fake tty struct, like the
    buffer of the vm_map_copy and then
  • 40:40 - 40:47
    following the XML contents of this heap
    allocation. And where do I... this c_cs
  • 40:47 - 40:53
    pointer that I told you that I wanted to
    control, where do I point it? I point it
  • 40:53 - 40:57
    relatively again, I don't know any
    addresses but I can put it relatively
  • 40:57 - 41:02
    since I know the... since I created this
    heap arrangement, I can put it relatively
  • 41:02 - 41:07
    to the size of the kalloc size of the
    neighboring vm_map_copy struct. And why do
  • 41:07 - 41:14
    I need this? Because I want to use the
    vm_map_copy technique by Mandt and Dowd
  • 41:14 - 41:20
    that I mentioned earlier, so that's the
    end goal. So what's the code looks like?
  • 41:20 - 41:26
    Okay, that's the spray of 256, we've seen
    that a lot of times, then we have the
  • 41:26 - 41:34
    freeze... wait, no, that's not the freeze.
    So that's the allocations of the 256...
  • 41:34 - 41:38
    that's... yeah, I don't have the freeze
    here because they don't matter, because we
  • 41:38 - 41:43
    have seen them before. So what I have here
    is the spray of the kalloc.88 zone and the
  • 41:43 - 41:47
    important thing here is that... what I
    wanted to show you that is that at every
  • 41:47 - 41:54
    step I took two allocations. One is the
    vm_map_copy struct here with the machs and
  • 41:54 - 42:01
    methods, and the second part is the XML
    properties, which are sprayed on the heap
  • 42:01 - 42:10
    when you open the device driver, the
    AppleJPEGDriver. And what are the contents
  • 42:10 - 42:16
    of that XML properties? They're basically
    that fake... the second part of the fake
  • 42:16 - 42:20
    tty struct that you have the controlled
    c_cs pointer that will give me the
  • 42:20 - 42:27
    relative write. So if you see here, I have
    this function setup_fake_tty that
  • 42:27 - 42:33
    basically creates the structs so I don't
    have to type all the time, and we are at
  • 42:33 - 42:38
    second stage here, and basically what you
    can see here is the creation of the
  • 42:38 - 42:42
    fake tty struct, right? So that's the
    different elements of the fake tty as we
  • 42:42 - 42:48
    saw it from the code. And that's the write
    offset I wanted to... that I pointed to
  • 42:48 - 42:54
    the kdata field of the neighboring
    vm_map_copy struct. So, again, that's how
  • 42:54 - 43:02
    it looks like in the heap. Okay, so after
    that, after we have arranged the... we
  • 43:02 - 43:09
    have arranged it this way, we trigger
    again the invalid index array bug, but at
  • 43:09 - 43:14
    this time on the slave ptmx device. I was
    only doing that on a master ptmx device,
  • 43:14 - 43:18
    but in order to reach that write code path
    that I mentioned, you need to get on a
  • 43:18 - 43:24
    slave ptmx device. So that's what happens
    here. And then you simply write to the
  • 43:24 - 43:30
    corresponding descriptor and it just
    dereferences this c_cs that you controlled
  • 43:30 - 43:34
    and your end... and it writes with
    whatever you want to write. And what do I
  • 43:34 - 43:39
    want to write? I want to write a new size
    for the vm_map_copy struct... for the
  • 43:39 - 43:43
    kalloc size field of the vm... of the
    neighboring vm_map_copy struct, so I can
  • 43:43 - 43:53
    use the Dowd and Mandt technique. So,
    putting everything together. So at that
  • 43:53 - 43:57
    point I have a controlled corruption of a
    vm_map_copy struct and I can use the
  • 43:57 - 44:04
    primitives to get arbitrary... an
    arbitrary leak, so I can leak for example
  • 44:04 - 44:10
    the KSLR-slide and I can do a heap
    overflow. Again these are how you can use
  • 44:10 - 44:19
    the primitives that Mandt and Dowd gave
    us. Now I also know my location on the
  • 44:19 - 44:25
    kernel heap, and remember that... that's
    basically... we found that on the stage...
  • 44:25 - 44:29
    on the first... on the first of stages and
    we only... we use only that, like where
  • 44:29 - 44:37
    that ptmx_ioctl struct was stored on the
    kernel heap, that's the only thing we
  • 44:37 - 44:42
    knew, that address, in order to
    successively build on it, in order to
  • 44:42 - 44:47
    reach like a much more useful primitive.
    And the important... the interesting thing
  • 44:47 - 44:51
    here is that everything up to this point
    is data only, right? So you haven't
  • 44:51 - 44:55
    injected any code, you haven't done
    anything at all that you could be caught
  • 44:55 - 45:01
    somehow by a kernel self-protection
    mechanism or these kind of things,
  • 45:01 - 45:10
    everything's data only. So once you reach
    that point, how do you get PC control? So
  • 45:10 - 45:18
    since you can use Dowd's and and Mandt's
    technique, you can basically do a heap
  • 45:18 - 45:23
    overflow, so you can again do a heap
    arrangement, you can place IOKit objects
  • 45:23 - 45:31
    next to vm_map_copy structs where you can
    overflow from, and you can corrupt IOKit
  • 45:31 - 45:37
    objects and from there you can have...
    also you can do an arbitrary write...
  • 45:37 - 45:43
    read/write, so you can... by the arbitrary
    read you can read the vtables of the IOKit
  • 45:43 - 45:49
    objects so you know the KSLR-slide
    and you can corrupt it in order to get PC
  • 45:49 - 45:56
    control. Of course getting to a whole
    jailbreak from that point is out of the
  • 45:56 - 46:01
    scope of this talk, and... but is not that
    hard actually from that point on. And
  • 46:01 - 46:10
    okay, so after doing all that how close
    was that exploit to the evasi0n... to the
  • 46:10 - 46:16
    real evasi0n7 kernel exploiter? I'd say it
    was pretty far off, but I mean it wasn't
  • 46:16 - 46:22
    my point to recreate it like completely,
    but it was my point to play with the heap
  • 46:22 - 46:29
    and to try to do complex heap arrangements
    and to see how much I understand the iOS
  • 46:29 - 46:37
    kernel heap, that was the point of this
    whole exercise for me. Okay, so some
  • 46:37 - 46:44
    lessons learned. So the real surprising
    thing for me at that point was that I
  • 46:44 - 46:53
    couldn't believe that Apple does kernel
    debugging by KDB. It was very flaky, it
  • 46:53 - 46:58
    was very unstable as I told you. If you
    type commands too fast it froze, if you
  • 46:58 - 47:03
    type commands very slowly it had like a
    go-stop timer and froze, I think.
  • 47:03 - 47:08
    there was a claim of something like that
    and it's unbeliev... I couldn't believe
  • 47:08 - 47:15
    that the Apple engineers were using this
    interface to do kernel debugging. So it
  • 47:15 - 47:24
    was really hard to do anything on the
    kernel side of idevices. But of course I
  • 47:24 - 47:27
    don't really mean that you shouldn't mess
    with these things, right? I mean, these
  • 47:27 - 47:32
    devices are really interesting and it's
    really becoming harder to hack them, but I
  • 47:32 - 47:37
    think it's much more fun and I think the
    only takeaway may be that you shouldn't
  • 47:37 - 47:41
    report bugs to Apple at all and if you
    need street cred you should just report
  • 47:41 - 47:48
    white elephant bugs now. I mean that's
    always good. And I mean this very... this
  • 47:48 - 47:52
    is getting very esoteric, right, there are
    not a lot of information and Apple keeps
  • 47:52 - 47:56
    changing stuff and everything is closed
    source, I mean, all the important parts
  • 47:56 - 48:01
    are closed source... and I mean, I really
    think people that work on that things
  • 48:01 - 48:08
    should share notes as much as possible.
    Okay, so these are some of the people I
  • 48:08 - 48:15
    was talking to while doing all this and I
    want to mention them, and basically that's
  • 48:15 - 48:22
    all of the material I have and I'm open to
    any questions you might have.
  • 48:22 - 48:33
    applause
    Herald: Thank you, argp, for the talk. So
  • 48:33 - 48:43
    we have prepared microphones 1, 2, 3 and 4
    in the room and we have a Signal Angel, I
  • 48:43 - 48:51
    think. You... when you have questions, you
    can give me a hand sign, but I
  • 48:51 - 48:58
    think we start with microphone 2 here in
    the front. And please ask questions and no
  • 48:58 - 49:02
    comments, there's time after the talk.
    Okay, go ahead.
  • 49:02 - 49:04
    Q: Thanks for the awesome talk.
    argp: Thanks.
  • 49:04 - 49:12
    Q: I have a question about heap spraying.
    Was your heap spraying really stable? If
  • 49:12 - 49:17
    it is not successful, did it crash the
    device?
  • 49:17 - 49:22
    argp: Yeah. So I haven't mentioned it
    here, but it was pretty stable I think.
  • 49:22 - 49:25
    It was something like... because I did a
    lot of tests for that because it was
  • 49:25 - 49:31
    really interesting for me to know. It was
    maybe something like 90%, so 9 out of 10
  • 49:31 - 49:35
    times it worked, but if it didn't work -
    yeah, then... yes it crashed the kernel
  • 49:35 - 49:40
    and crashed the device, yeah.
    Q: And did you try to return heap into
  • 49:40 - 49:45
    some kind of initial state to start your
    exploit from scratch?
  • 49:45 - 49:50
    argp: Yeah, that's true I haven't included
    that, but you're right. So the initial
  • 49:50 - 49:57
    step on every spray that I mentioned here
    was to spray a lot of objects of the
  • 49:57 - 50:02
    specific size you were targeting in order
    to get basically a new page of the kalloc
  • 50:02 - 50:07
    zone, right? So you... so even if as I
    told you the kalloc 256 zone wasn't
  • 50:07 - 50:11
    that busy, it's still... there were still
    allocations going on it, right? So if you
  • 50:11 - 50:16
    did a lot of initial spraying, you were
    making sure that when you're... the
  • 50:16 - 50:22
    allocations that mattered to you we're
    made, were on a new page that weren't...
  • 50:22 - 50:24
    wasn't too much noise from other
    allocations from the kernel. So yeah,
  • 50:24 - 50:27
    you're right I haven't included that, but
    yeah, that happened.
  • 50:27 - 50:30
    Q: Thanks, great.
    argp: Thanks.
  • 50:30 - 50:36
    Herald: Then microphone 1, please.
    Q: Also thank you for your awesome talk
  • 50:36 - 50:38
    again.
    argp: Thanks.
  • 50:38 - 50:44
    Q: My question was nowadays it's way
    harder to use vm_copy I think Apple truly
  • 50:44 - 50:49
    deprecated it, it's not possible anymore
    that due to security. Do you see hope in
  • 50:49 - 50:55
    reconstructing some function that does the
    same or is it totally dead now?
  • 50:55 - 50:58
    argp: Oh, you mean the vm_map_copy
    technique?
  • 50:58 - 51:01
    Q: Yes.
    argp: No, I think it's completely dead
  • 51:01 - 51:04
    now.
    Q: All right. And I recently saw on the
  • 51:04 - 51:10
    iOS logs vulnerabilities that again a
    vulnerability in AppleJPEGDriver was
  • 51:10 - 51:15
    found. Do you think... have you looked
    into it or...
  • 51:15 - 51:20
    argp: Well, Apple... the AppleJPEGDriver
    is one of the 4, I think, IOkit drivers
  • 51:20 - 51:26
    that you can reach from the container
    sandbox, right? So that means it's very
  • 51:26 - 51:31
    fast by everyone, Apple included, and
    very audited. So I'm not saying that there
  • 51:31 - 51:36
    aren't many... there aren't things there,
    like interesting findings, but if there
  • 51:36 - 51:39
    are they're not going to live much longer,
    I think.
  • 51:39 - 51:42
    Q: Okay, thank you.
    Herald: Thanks for your question and now
  • 51:42 - 51:45
    from the Signal Angel a question from the
    Internet.
  • 51:45 - 51:49
    Signal Angel: Yes, I have a question from
    the internet. How long did this research
  • 51:49 - 51:53
    take you? You said two weeks in the
    beginning, but from begin to end, how many
  • 51:53 - 51:55
    hours about? Because you also said it was
    during work?
  • 51:55 - 52:00
    argp: No, it didn't it didn't take two
    weeks, no. It took like maybe close to
  • 52:00 - 52:05
    three months or two months and something
    like that. So I spent... as I mentioned I
  • 52:05 - 52:09
    spent like a complete month, I think, like
    - maybe three weeks, maybe not a complete
  • 52:09 - 52:17
    month just on reversing redsn0w and trying
    to get redsn0w to play with iOS7. So I
  • 52:17 - 52:22
    wouldn't count this month in the exploit
    part of it, right? So if you're interested
  • 52:22 - 52:29
    just in the kernel exploit part I would
    say something like maybe seven weeks,
  • 52:29 - 52:36
    something like that. But just with 2 maybe
    3 days per week right, not complete weeks.
  • 52:36 - 52:40
    Herald: Okay, then microphone 1,
    please.
  • 52:40 - 52:46
    Q: Congratulations on your talk which was
    really interesting, I liked it a lot and
  • 52:46 - 52:51
    my question is if the technique you used
    to exploit the bug was in FreeBSD or any
  • 52:51 - 52:56
    other BSD as well?
    argp: Oh no, no. I mean, the vm_map_copy
  • 52:56 - 53:03
    struct doesn't exist anywhere else except
    the XNU kernel. But I think the
  • 53:03 - 53:07
    interesting takeaway is that you can do
    complex heap arrangements if you
  • 53:07 - 53:14
    understand the kernel heep allocator,
    right? So this process I described by
  • 53:14 - 53:19
    creating holes and maybe controlling 2
    allocations in order to host fake
  • 53:19 - 53:25
    structures that you are able then to use
    to get exploitation primitives then that's
  • 53:25 - 53:31
    applicable everywhere, right?
    Herald: Okay, then we go to microphone 2
  • 53:31 - 53:36
    again, please.
    Q: So I saw one sentence, just not report
  • 53:36 - 53:43
    or... just don't report the bugs. I would
    like to understand your thinking behind,
  • 53:43 - 53:49
    because I think this is really important
    for companies to know the bugs that they
  • 53:49 - 53:55
    made and yeah, make the products better
    and this is really beneficial for
  • 53:55 - 54:01
    researcher because for example Apple they
    pay a lot of money for the bugs. What...
  • 54:01 - 54:07
    argp: Okay, yeah, I don't have much to say
    on that. I mean, apart from: if all the
  • 54:07 - 54:11
    bugs are fixed then you won't be able to
    do this kind of work and it's no fun.
  • 54:11 - 54:18
    Sorry, I don't have anything else to say
    on that. Sorry, I don't have anything
  • 54:18 - 54:23
    else, no comment.
    Herald: Okay. Signal Angel, do we have
  • 54:23 - 54:31
    another question from the internet? Okay,
    then please a big round of applause for
  • 54:31 - 54:34
    our speaker!
    argp: Thanks.
  • 54:34 - 54:35
    applause
  • 54:35 - 54:40
    postroll music
  • 54:40 - 54:57
    subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
34C3 - iOS kernel exploitation archaeology
Description:

more » « less
Video Language:
English
Duration:
54:57

English subtitles

Revisions