-
36c3 preroll
-
Herald: To everybody here, please be
welcome to this fantastic kid here. I
-
learned a lot from him, even though he's
only since two years playing around with
-
iOS. I mentioned as well the first
untethering case that I had with my phone
-
was something about iOS 5.1 and with every
update, you had to do the whole shebang
-
again. Of course, that's what I remember.
So please give a warm welcome here too
-
littlelailo. Do I spell this correctly?
Offscreen: Yeah.
-
Herald: Yes, littlelailo is really a very
fascinating geek. He actually hacks any
-
kind of OS device, to my opinion. Any kind
of. Yeah. So throw it to him and it comes
-
back in pieces. He's as sharp as a knife.
Please give him a warm, well, welcoming
-
applause. We're gonna untether iOS. Yay!
-
applause
-
littlelailo: Okay, so yeah, I'm
littlelailo, as already introduced. I'm
-
interested in I.T. security in general.
And I started to look into iOS about two
-
years ago and then I met three awesome
guys: @s1guza, @stek29 and @iBSparkes. And
-
we basically started to chat a lot and in
the end also released the "jailbreak me"
-
for iOS 10 on https://totally-
not.spyware.lol/. For everybody who isn't
-
familiar with the jailbreak scene, it's
like rooting on Android. So it basically
-
is a tool that gives the user the
capability to tweak the device, and that's
-
mostly done by basically installing a
jailbreak in this case. You just go to a
-
website on the slide there
[https://totally-not.spyware.lol/] and it
-
will install a package manager on your
phone and then the end user can install
-
tweaks. So just a little dynamic libraries
and they get injected into all the other
-
system processes and then they can
obviously modify their memory. And that,
-
for example, allows customization of the
home screen or something like that. And
-
basically with the release, we also formed
the team @Jakeblair420 was created with a
-
Twitter account. There are also a few
demos there if you want to check it out
-
after the talk. And I basically had this
pipe dream that in my life. I really want
-
to achieve an untethered jailbreak using
only some sort of plist or other save file
-
corruption. So basically there are
different kinds of jailbreaks. In modern
-
jailbreak the most common kind are semi-
untethered, which means that the users has
-
to connect their device to a PC when they
first install a jailbreak and then they
-
sideload an app onto the device or it just
installs itself there. And then on each
-
reboot, the user has to go into the app
and press a button to jailbreak the phone.
-
And basically, after they reboot, they
lose the jailbreak and have to go through
-
this process again. And with an untethered
jailbreak, the jailbreak gains persistent
-
installation and then they will
automatically jailbreak the device on each
-
boot. So the device automatically boots
jailbroke. The untether can be divided
-
into four stages. The first stage is when the
config file or database stage. I would go
-
over how we gain execution of the boot.
Then the config parser bug that gives us
-
the right opey primitive. And then I will
talk about the main bug, the ASLR bypass,
-
which allows us to get into ROP. Then
stage two is basically a kernel exploit
-
and completely written in ROP and there I
will go over the two main kernel bugs: the
-
kASLR leak and then the racy double free
we used to get the kernel read/write, and
-
I will also talk about the kASLR weakness
and RootDomain user client memory leak
-
which aided us in exploitation. And after
we get kernel read/write, we can remove a
-
few restrictions from Apple. Mainly we can
bypass code signing and that gives us the
-
ability to load an unsigned dynamic
library into our process. So now in stage
-
3, we are basically C, we are dynamic
library and there we are stashing the
-
kernel task port to host special port 4.
So iOS has this concept of ports and task
-
ports. And basically, if you have a send
right to a task port of a process, you can
-
read and write its memory. They're most
used for inter process communication. And
-
where modern jailbreaks used to stash the
kernel task port into a special port 4 so
-
that other user mode applications can then
retrieve it and with that retrieved and
-
with send right they can just read and
write process memory. And after that I
-
just fix up everything and then spawn
stage four and that's basically running in
-
a separate process. That has a few
advantages I will go into later. It's
-
basically performing the whole post
exploitation process, including launching
-
substrate - the framework that's used for
tweek injection and then performing
-
ldrestart to restart or launch demons on
the system and inject the tweaks into
-
them. In stage 1, we first need to get
execution after boot, and when iOS boots
-
launchd is the first process that's
running on the system and it then loads a
-
dynamic library with a list of executables
- that are LaunchDaemons - and there are a
-
few flags associated with them. If the
"run and load" flag is set, launchd will
-
then spawn all of those LaunchDaemons
afterwards. And we basically just take one
-
of those launch demons, namely Racoon. So
what is Racoon? Basically Racoon is part
-
of the ipsec package. And it's a VPN
client used to interact with an IPSec VPN
-
server. And the problem is though, that
IPsec-Tools project has been abandoned
-
since 2014. So they officially here state
on their website that the development of
-
the project has been abandoned and that
IPsec-Tools has security issues. You
-
should not use it. Apple still decided it
was a good idea to ship it after 2014 and
-
they now maintain their own fork on
https://opensource.apple.com . And yeah,
-
basically the only thing that's important
for the talk is that raccoon has a
-
configuration parser. So on startup it
will just look for a file on disk and
-
start to parse that. And that's written in
yacc so completely written in C. So memory
-
corruption might become a problem. And it
actually is a problem as we can see if the
-
config parser bug and for that when we
have to go back a bit. Basically in 2011
-
Pod2g released Corona for iOS 5, which was
also an untethered. He used a bug in
-
Racoon in the configuration parser and
Pod2g found this one on an old bug tracker
-
and basically the IPsec website had this
bug tracker there. There users could just
-
report problems with their programs and
one user in 2009 I think reported a bug
-
that if he would use the specific config
Racoon would just segfault, but nobody
-
looked at this for two years. So in 2011
Pod2g realized that this was actually
-
exploitable and then used in a jailbreak.
And after that, obviously Apple got aware
-
of it. And then they also said that they
fixed it. And it's got a CV, assigned
-
CVS-2012-2737. And yeah, they say that
this was improved through improved bounds
-
checking. So let's look at the patch.
That's the function before the patch and
-
that's the function after the patch. And
if this was too fast for you, here's the
-
diff. So basically there is no difference.
The bug is still there and Apple didn't
-
patch it. What really happened here was
that basically this is obviously a
-
configuration parser. So there are
different statements that nearly do the
-
same thing. There are these nbns4
statements to parse an IP address and
-
there are wins4 statement followed by an
IP address and both of them have to parse
-
the IP address. So the function for
parsing that was just copy pasted from
-
another one. And yeah, basically Apple
fixed the bug in the other function. Which
-
I don't get because basically the engineer
there had to look at PoC Pod2g provided
-
then they had to realize okay, the bug is
in there, fix it, then they had to
-
recompile and never tested against the
original PoC because otherwise Racoon
-
would have crashed again. Yeah, it's
basically an off by one which allows you
-
to overwrite the index of an array and
Pod2g gave a talk about this and we can
-
basically reuse his strategy from back in
2011 to get a write primitive.
-
Again, the one function here at the top.
You can see the yacc syntax so an addrwins
-
list has to consist of either an addrwins
statement or addrwins statement followed
-
by a comma, followed by an addrwins list.
So that's a recursion. There can be
-
multiple addrwins statements in a row. And
then below that, an addrwins statement is
-
defined as containing an address string.
And that's just a regex to match an IP
-
version 4 address. And if the parcel finds
that it would run the code between those
-
two brackets. So they get the pointer to a
global struct and then they check if this
-
nbns4_index is bigger than MAXWINS and if
so, they return an error. The problem here
-
is that this is off by 1. It shouldn't be
checking if it's greater than so, but it
-
should be a check for greater or equal
than MAXWINS. And after that, they use
-
thisinet_pton function to basically parse
the address, which is in this variable
-
into the nbns4 array at the nbns4 index
and then post-increment the index. And
-
that will also be coming in handy when
exploiting this bug. So yeah. How is
-
exploitation done? Basically there are
here the globals, there is this Lcconfig
-
pointer in the globals pointing to a heap
structure and that the parser also uses.
-
And then there is this dns4 array followed
by the dns_area_index and then the nbns4
-
array followed by the nbns_4_array_index
so we can just use mode_cfg statement
-
followed by this wins4 statement with the
IP address to parse the IP address in the
-
first array element and we can repeat this
process four times to then move the index
-
out of bounds. So now it's pointing to
itself and the cool thing is about that is
-
that therefore there would be a good idea
to use integers for those area indexes
-
instead of unsigned integers so we can
just point them... you just use negative
-
numbers to bypass the bounds check. So
we'll overwrite it with -1 to point it to
-
an dns_array_index and then we use another
wins statement to override the
-
dns_array_index with a negative number.
And the cool thing about this is that
-
because of the post-incrementation, it
will move it back to zero so we can repeat
-
this process as often times as we want,
and we will use a negative number to
-
basically point it to the Lcconfig
pointer. And then we can use two dns4
-
statements to override the Lcconfig
pointer and point it anywhere in memory.
-
And after that we can use a timer
statement with a counter. Then the
-
parsible just tried to write it to the
Lcconfig structure so it will de-reference
-
our pointer and write it there and the
interval statement will basically write to
-
an uint32, which is followed by the uint
where the counter statement is written so
-
we can turn this into a 64 bit write
anywhere primitive and write anywhere in
-
process memory and that gives us an
ability to basically exploit the ASLR
-
bypass. So this is the main bug of the
whole untethered and allows us to
-
basically have this primitive. And it's
also the reason why I decided to give this
-
talk this year and not last year, because
there the bug was pretty fresh and only
-
patched in iOS 12 and it gives to an
attacker the ability to exploit zero click
-
more easily because they just need the
write anywhere primitive. And that's why I
-
held back on it. Siguza found it after
looking into Apple's patches of the Corona
-
ASLR bypass and basically from Pod2g's
presentation, we as a team learned that
-
ASLR is always bypassed when a writable
region is larger than the maximum slide,
-
because then there's always a writable
address in process memory and you can use
-
this to brute force the slide and Siguza
found out that there was what was also the
-
same problem with the cache in iOS 11 and
a few versions of iOS 10 actually. So
-
what's the cache? Basically, the cache is
a pre compiled blob containing the dynamic
-
link libraries from Apple. So on each
released, you just move all of those into
-
one big file to optimize load times of
apps and keep memory pressure low. So it's
-
a pretty big file. And for that on boot
the kernel needs to calculate a slide and
-
slide it in memory. But they only slide it
once on boot because it's used in every
-
process. And so Apple defines an area of
memory for the cache with a base address
-
and the size and that's hardcoded on iOS
11. The cache got so big that a maximum
-
slide is now smaller than its data
segment. So the conditioning is satisfied
-
and ASLR can be bypassed, basically. And
the weird thing about this is that
-
actually the same thing also happened in
iOS 7. Back then, the size was defined as
-
500 megabytes and the cache got bigger
than 500 megabytes. But before that, it
-
was also in a few versions possible to
have the same condition that the data
-
segment again was bigger than the maximum
slide. And Apple was actually also aware
-
of this because Acer talked about it
in one of his talks, but they just
-
increased the maximum slide to 1 gigabyte
and didn't edit any asserts. And now in
-
iOS 11, it again got so big that the same
thing happened. And we believe that they
-
didn't even really notice that up until
iOS 12 where the cache was now bigger than
-
1 gigabyte so the kernel just couldn't fit
it in the memory region and paniced. And
-
because of that they just thought well,
then we will increase it to 4 gigabyte
-
while developing so we might see this
reoccurring in I don't know, iOS 15 or
-
something like that. Exploitation is also
pretty simple. We can just brute force the
-
slide now and there are a lot of function
pointers in the data segment. So we
-
decided to go with __platform_mem_move
because we can reach it via strlcpy from
-
the conflict parser. And the basic
strategy behind this is we write a slid
-
rop chain into an address we can always
write to for a specific slide abc and then
-
we overwrite the __platform_mem_move
pointer at its unslid address plus the
-
slide we just chose with a gadget that
would pivot to our slid rop chain and then
-
we call strlcpy. And now there are
basically two possibilities. Either we
-
guessed the right slide and then we jump
to our gadget and pivot the stack or we
-
guessed the wrong slide. But obviously
nothing happened because we can just write
-
there so we can go back to step one and
try again. And then with that we can just
-
brute force the slide till we get the
right one. The catch with this, however,
-
is that the write what were is pretty slow
and it also needs a lot of storage. So for
-
a 64 bit write I need about 120 bytes in
the config file. And because there are so
-
many possible slide values, the chain I
have currently is around... it's only to
-
rop gadgets, but the config file is
already 12 megabytes, I think. And because
-
of that, it takes around 10 seconds to run
if it's a really bad slide. So the rop
-
chain has to be as short as possible. And
the other problem is that if we have a bad
-
slide, we will basically smash the whole
data segment and we can't really recover
-
from that. So we had crashes in malloc and
stuff like that while developing,
-
basically. There are some solutions to
that, we can have a really short rop chain
-
in stage one and we can achieve this by
basically just opening the big cache file
-
to get a file descriptor to it and then we
can map it at a static address and then
-
get many gadgets there because the file is
obviously code signed by Apple so we can
-
just jump there after mapping it. But the
problem with that is that nothing is set
-
up. So malloc and other functions aren't
working. But as I said earlier, the
-
current cache has a smashed data segment
so we don't really lose anything. And
-
after having the cache at a static address
we can use the open and mmap functions
-
from that cache to basically map stage two
into the process memory and stage two is
-
just a really big rop stack. So, yeah. And
then we are basically in ROP, but we can
-
only use raw syscalls and not much more
because everything else will either use a
-
function that uses malloc or will use
malloc on it's own. And the other problem
-
is that basically errno is also broken. So
every syscall which fails will crush the
-
binary. So the first thing I do is
basically map a few pages so that errno
-
works again because we have a few syscalls
that might fail. And then the other big
-
problem is that we now need to implement
the whole kernel exploit in rop. So I
-
start to write a framework around this
awesome gadget which is present in all the
-
cache versions I looked at. Basically at the
top you can see that all the high
-
registers are moved into x0 through x7. So
all the registers used for the calling
-
convention are and then we branch with
link to register based on x27. So also
-
high register. And after that we load all
the register values back from the stack so
-
we can just chain those gadgets together
to call any functions. You basically rop
-
into the lower half and then chain another
one of those afterwards and then they can
-
load all the values, call the function and
then load all the values from the stack
-
again. And that's how the whole rop chain
works. So yeah, I also used another gadget
-
to basically add two registers together
and another one which stores x0 so that I
-
can store the return value on the stack
and later reuse it. And for loops I use a
-
gadget which just returns if x0 is zero.
So it's basically just a read instruction
-
then and otherwise it will tail call a
function using function pointer from the
-
data segment. And because I can control
the whole data segment, I can just put a
-
function pointer there that that will then
jump to an epilog and misasligning the stack
-
with that. And then I can call longjmp
with two different register values and
-
because of that pivot the stack to another
location. And when we basically didn't
-
jump outside of the loop, I just mmap the
part of stage 2 which has the loop in it
-
back over old stack again. And then I can
just reuse to stack every time. And then
-
pivot up using longjup. The problem wih
this, however, is obviously that it's
-
pretty slow because I use mmap as a
syscall. But this can be solved by just
-
unrolling your loops like for 10
iterations and then mmapping the file so
-
that I get more loop iterations basically
per second, which is important for the
-
race. So now we will go over the kernel
bug so the kASLR leak is CVS-2018-4413 by
-
panicall. It was fixed in iOS 12.1 and
it's luckily reachable from the Racoon
-
sandbox because Apple is sandboxing most
userland processes and the Racoon sandbox
-
is really tight. We didn't have that much,
many bugs that would work in Racoon, but
-
luckily this one does because Racoon has
access to the sysctl functions and this
-
one is in the sysctl_progargsx function.
The progargsx function basically allocates
-
a page using kmem_alloc. But it doesn't
zero it so it might contain old heap data
-
and then they copy the process arguments
to the front of the page. And now if you
-
supply a wrong size from user space and
there are a few other conditions that have
-
to be met for some weird reason it copies
from the end of the page into user space
-
which I don't get why does this even get
by code review. But here's a graphical
-
illustration: there is basically this page
is full of uninitialized data and then
-
they put the process arguments in the
front and copy out uniinitialized heap
-
data from the back into user land and we
can obviously just spray specific heap
-
objects with kernel pointers in them and
then free them again and use this
-
primitive to maybe leak them. And if we
find a kernel pointer in there, we can
-
just calculate this kernel slide. So yeah.
And then we come to the racy double free.
-
As I said, the main problem of the
untether is the racoon sandbox, so many of
-
the kernel bugs that would work in iOS 11
from an app, didn't work from racoon. But
-
luckily on Halloween Sparky told me about
Lightspeed bug from Synacktiv, which is
-
reachable from the sandbox. It's a double
free in kalloc.16. The kernel allocator's
-
based on zones and with different sizes.
So there's, for example, kalloc.16 and
-
then all objects in that zone have a size
of 16 or less bytes and they are obviously
-
also other zones for bigger objects. And
basically there is a structure in there
-
that then gets doubled. And there is the
syscall that's handling async file events.
-
So a user mode application can just call
it and tell the kernel, hey, please write
-
a buffer to a file and then move on with
execution and it uses a kernel thread to
-
perform those. And for that, that
basically allocates a structure to contain
-
some metadata like where the buffer is and
to which file it should write, and the
-
kernel thread obviously has to free the
structure after it's done because it just
-
gets into the query for
the kernel thread, that then wakes up and
-
maybe sees it has a new job, then performs
the operation and then it has to free it,
-
otherwise it will leak. But the problem
here is that if an error occurred while
-
setting the structure up, the second field
in the structure will be zero. And then
-
the structure also isn't included into the
jobs list. So the kernel thread will never
-
wake up and look at it. So the syscall has
to free it because otherwise it will leak.
-
And the problem here is that we can
basically reallocate the structure before
-
the syscall checks. So what happens here
is that the syscall allocates the
-
structure, fills it up, and then it gets
added to the list and then the kernel
-
thread is so fast that it runs while the
syscall isn't finished yet and basically
-
gets the gets the job done and frees it.
And then we can spray heap objects pretty
-
fast to overlay with that structure. And
then the syscall finishes and checks the
-
field and sees that it's zero because we
just replaced it with an object that has
-
zero at that location so it frees it again
leading to a double free. And yeah, we can
-
obviously exploit it. So for exploitation
I just spam the syscall on one thread
-
which is pretty hard to do in ROP, but I
just call threadCreate. We've appointed
-
two long jump and then pivot the stack to
the application and then in the other
-
thread I spray Mach messages with
MACH_PORT_NULL in it. And the thing with
-
Mach messages is they can be used to do
inter-process communication and you can
-
also transfer port rights from one process
to another. So in this case we just send
-
an empty port, but you could also place
something else there and that will create
-
a structure and kalloc.16 containing zero
at that location. And and then if the Mach
-
message gets freed, we can replace it with
something and basically point it to
-
somewhere in kernel where fake port
structure lives. And when we receive the
-
Mach message again, it will basically
think that this is a real port and treat
-
it as such. And with that we can create a
fake kernel task port. But for that we
-
obviously need to replace it and we need
to heap spray. And most commonly iOS
-
surface is used for that as a kernel
extension, but because of our sandbox we
-
are so limited that we don't have iOS
surface access. So the question is how we
-
actually spray and the
rootDomainUserClient comes to rescue with
-
a memory leak. So actually this function
secureSleepSystemOptions is reachable from
-
the raccoon sandbox and Apple has a way of
basically passing data to the kernel via
-
XML. So a userland application can just
pass the XML to the kernel and then they
-
will use this OSUnserializeXML function to
turn the XML back into C++ objects which
-
the kernel can then use. And if this
sounds dangerous to you, it actually is.
-
There were a few bugs in that. But in this
case we basically this just makes sure
-
with the OSDynamicCast that the data the
user mode application supplied isn't
-
always dictionaries so that it can use it
afterwards. And the problem here is that
-
we can basically just OSDataObject or an
always OSArray. So this OSDynamicCast
-
will fail and serialized options will
become null. But the original point of
-
return from OS under the XML will get lost
and so we will leak that memory and we
-
can just use this for spraying. So then
about those two primitives, I will use to
-
basically exploitation. The case law
weakness, Darrell Justice CCL buffers and
-
they are located in the kernel data region
and because of that they are stacked with
-
the same slide as the kernel text region.
And this means that as long as we know the
-
kernel slide we already do, that from the
case of largely and we can control the
-
contents of a CCL buffer and we can get
data to a known address and we can easily
-
do that with racoon because it runs US
route. And so we can just switch all of
-
this of CCL buffer, for example, place the
same point structure there will be later.
-
Also, place a fake trust constructively,
but I will get into that. So yeah, now we
-
can use that primitive to basically spray
tan or state objects pointing to the CCL
-
buffer. And then we just received the
message again and check if the polls are
-
now. And if that's the case, we best place
the structure. And then for the non SMP
-
version we can even get the case load by
traversing a few pointers. But that's not
-
needed for SMP Version because there we
already got it with the case logic but
-
young, Non CCL IP devices, we also don't
need a CCL buffers because we can just
-
place the fake port structure and use the
land and then we get the kernel slide this
-
way. And with the kernel slide and this
fake port, we can create a fake user
-
client and from there we can create a
called primitive and then we can use this
-
to override that pierce's trusses pointer
and pointed to a buffer with two hashes
-
and four stage 3 and stage 4. So basically
Apple has two ways of doing code signing.
-
Either it has a used land daemon that
verifies third party applications or a
-
test, so-called trust cache, which is a
list of hashes from all of their system
-
applications. And as soon as the process
spawned or dynamic link library is loaded
-
and they will basically first verify if
the hash of that file is inside of the
-
trust cache. And if so, they will just
trust a binary blindly because it comes
-
from Apple, basically. And now when we
override this trust cache point and
-
pointed to our buffer, we can basically
place the hash of stage 3 and 4 there. And
-
then the system will think those are apple
binaries and we can just load them. So.
-
Yeah. And for that we need to use a geter
open. We can't use the real deal open
-
because that uses malock. So we just
open stage 3 to get a file descriptor.
-
Then we attached a signature which now
succeeds as the caches and trust cache and
-
then we can map it as read executed and
jump there. And then we are after two
-
months of writing options. We are finally
in C and we can write code more easily.
-
And the problem there is that we still
don't have a working cache. So we are
-
still limited to the basic functionality
and because of the ghetto dlopen link is
-
obviously not working. So we just rely on
raw as somebody follows syscalls. And I
-
also pass some function pointers which I
already use for stage 2. So for example,
-
open and a map to stage 3. And from there
we remove the con task and session into
-
our special port 4 so that other user mode
applications can use it. And then we can
-
basically escape the sandbox by removing
the sandbox label in the process
-
structure, so that we can launch a new
binary, because otherwise the raccoons and
-
bugs doesn't allow it. But in the kernel,
those process structures basically have
-
this label, which tells the kernel of
which sandbox to use. And as you're doing
-
it, you can just tell it to not use any
samples. And and then we can launch stage
-
3, 4 and with that, get a working
cashback. And that's the big advantage
-
from like having a separate file. We now
have the full cache functions working and
-
can do work more easily. And then I it's
just called two opposing spawn and then a
-
raw exit. This to exit the daemon without
crashing because of launch. You would see
-
that one of the launch demons crashed and
the specifics flag inside it would try to
-
restart it. And then our option would run
again. We obviously want to prevent that.
-
So we use the exits as call to exit it.
And then we are in stage 4. And from my
-
side, that was just basically to block or
signal. So we don't get killed by launchd.
-
Because when launchd the launch and
exits, it will send the kill to all this
-
child process. And I need to catch that.
Otherwise Stage 4 would get killed. And
-
then I just called the Post Exploitation
Framework, which was written by Sparky.
-
And basically that does the following. It
first elevates the process to root with
-
current credentials, then it performs a
remount of the root file system because on
-
stock IOS, a file system was mounted as
read only and we obviously need to
-
mount it as read/write to modify some files
on there and then set non it sets the
-
nonce so that the user might be able to
downgrade to an older version if they are
-
flops. Verifies that the bootstrap was in
place from the installation. And then
-
checked substrates or the framework that's
used for them to perform tweak injection
-
and it's plugging into trust us and starts
them so that they can start to inject into
-
newly spawn processes. Then it's Ponce or
the launch demons associate with the
-
jailbreak and unloads or own demons so
that we don't respawned by extended
-
run. They kernel exploit again and then
performs an LUV start to basically restart
-
all of the launch teams off the system so
that subset can inject 3 STEM. And with
-
that the system is faulty, jail broken and
we can perform a few cleanup steps. But
-
yeah, basically the end user has
jailebroken system. Then as a little
-
side note while we are testing all the
demons, we got killed by jetsam a lot. So
-
basically jetsam is the kernel
extension from Apple. That is therefore
-
memory management. And they basically want
to make sure the user mode application
-
doesn't use too much memory because they
don't have that much on iPhone. And on all
-
the iPhones, actually. So there is this
list and jetsam, it jetsam seems easier to
-
use than process uses more than read and
should use. It would just kill it. So we
-
changed the values in the plist under
LaunchDaemons to actually allow the
-
LaunchDaemons to use more memory. But
the weird thing about this is that this
-
actually got us accepted by jetsam and we
had normal crashes while Apple actually
-
tried to mitigate that beforehand. So
because jailbreak is always modify those
-
configuration files on the LaunchDaemons,
they start to move all of them into a
-
dynamic library to guard them under code
signing. So the jailbreak just couldn't
-
change them anymore. But when you tried to
figure out the Launchdemon at the Launch
-
Demons, we dumped the dylib and ahm
there was also plist embedded for
-
Jetsam, but Apple was still using those
files on disk. So I really want to look
-
further into this because it seems like
Apple isn't always ignoring those
-
configurations files on disk. And then
thanks to the whole team. Siguza, Sparkey,
-
and Stek for bouncing ideas back and
forth and writing the many part of the
-
jailbreak. Then for Pod2g, Synacktiv for
the kernel bugs. And basically also a big
-
thanks to Saurik for substrate and the
whole jailbreaking framework and for
-
Swaggo, parrorgeek and Samg_is_a_Ninja
for testing a few things and keeping
-
motivated. And for Jonathan Levin for his
books basically because he bought a few
-
awesome books about IOS and that got me
into it two years ago. And yeah. And in
-
the future, I think exploiting kernel
vulnerability with other cache functions
-
and owning ROP really is a pain and that
probably won't do it again. Because he's
-
spent most of that. But yeah, the other
big problem now is that with a 12 so the
-
new iPhones pack. So point authentication
kills most of these types of exploits
-
because the problem there is that you
would now need an ASLA bypass and the pack
-
bypass to get into return oriented
programing. And it's pretty unlikely to
-
basically have both. And because Pegg
bypasses are really rare and yet I only
-
know about this one is a LA bypass. So you
would have to get pretty lucky. Also un-
-
tethering gets progressively harder. Apple
just fixed another good idea ahead in iOS
-
13.1. Basically the idea was to use printf
with the format string format modify
-
'%n' to get a Turing complete
machine because printf, this modifier
-
is basic Turing complete and then you
start to develop a pack bypass basically
-
and get them to ROP. But now we're in IS
13.1. I think Apple actually removed the
-
'%n' modifier, so you can no
longer do this. And yeah. So this idea is
-
also gone. And yeah. In the end, I was
able to complete my pipe dream, so I guess
-
I will need a new one. So watch out, Apple
and that spice. Are there any questions?
-
Applause
-
Herald: Thank you, littlelailo for is
fantastic work. I suppose we're going to
-
hear more from you in the future.
Littlelailo: Maybe.
-
Herald: Are there questions here in
this audience. No one who wants to hire
-
this guy now right away. No one. No one.
Can you describe to me what change
-
actually do times in these, you know, all
the ASICs? Oh, yeah. Oh, yes. versions.
-
Littlelailo: Well what they change to
make.
-
Herald: Yeah. What. Plus, you know, I told
you like I started the tethering challenge
-
actually at 5.1.
Littlelailo: Well, they added a lot new
-
mitigations and also obviously pitched a
few bugs like for example, those ASLR
-
bypasses that posterity used in Corona
got patched. And this one also now got
-
patched by accident. But yeah, I mean like
some bugs are still there. For example,
-
the Bug in racoon and the conflict pass.
The bug is still an all day. But yeah, I
-
don't really care about it. And the kernel
bugs got patched by Apple. But for
-
example, this synthetic one, they also
also patched wrong by accident. And now it
-
always leaked the strike. But I think they
also fixed that now.
-
Herald: Your team, you you're mentioning
your team. You're working not on
-
your own, of course.
Littlelailo: No.
-
Herald: And how would you restructured?
How are the roles divided? How was...
-
Littlelailo: Well, we are just like four
people. So and we have this group chat and
-
then we are just hanging out there and
bouncing ideas back and forth and maybe
-
working on some stuff.
Herald: A close contact with the Apple
-
developers.
Littlelailo: No, not at all.
-
Herald: More.
Littlelailo: I mean, I reported one bug to
-
their bounty once or like actually says to
them that their bounty and that one got
-
fixed and it was all fine. But yeah, for
now, I don't report bugs at the moment.
-
Herald: If you have time, you've time left
now actually, you're looking for a new
-
project doesn't it?
Littlelailo: Yeah. Yeah. And I might
-
report some of those bugs in the meantime
but I mean with the presentation they know
-
about them though so they might fix them.
Herald: They will be listening now and at
-
least probably I hope.
Littlelailo: Yes.
-
Herald: Is there anyone who has really,
you where sitting on a question here. None
-
of you? It's already noon. You know, noon
passed, so could be that none of you. You
-
can ask them something, maybe someone
asked them something, maybe they can help
-
you out with certain challenges that are
there.
-
Littlelailo: Well, I don't really have a
question either. Laughter I have my own
-
research project now. Well, like, I do
stuff at the moment and look at other
-
things. For example, to the bootrom
exploit came out now. And so I started
-
developing on the chick team with them.
And that's what I currently do, basically.
-
Herald: You're great, man. Littlelailo,
thank you. Giving him a warm applause!
-
Applause
-
36c3 Postroll music
-
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!
