<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
<channel>
<title>Antid0te UG (iOS)</title>
<link>https://www.antid0te.com/</link>
<description/>
<atom:link href="https://www.antid0te.com/categories/ios.xml" type="application/rss+xml" rel="self"/>
<language>en</language>
<lastBuildDate>Tue, 29 Oct 2019 04:51:12 GMT</lastBuildDate>
<generator>Nikola <http://getnikola.com/></generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<item>
<title>MacOS and iOS Kernel Internals For Security Researchers (February 2020)</title>
<link>https://www.antid0te.com/blog/20-02-17-macos-ios-kernel-internals-berlin.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te organises a MacOS and iOS Kernel Internals For Security Researchers Training in Berlin in February 2020.</p> <!-- teaser_end: read more ... --> <img alt="/images/catalina.png" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/catalina.png"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te UG)</div> <div class="line"><strong>Dates:</strong> 17th February - 20th February 2020 (4 days)</div> <div class="line"><strong>Venue:</strong> Berlin Courtyard by Marriott, Germany</div> <div class="line"><strong>Availability:</strong> 10 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>With the release of MacOS Catalina and iOS 13 Apple has once again raised the bar in terms of kernel level security. This course will introduce you to the low level internals of the MacOS and iOS kernels from the perspective of a security researcher interested in kernel level vulnerability analysis, kernel rootkit/malware analysis/detection or driver development. While this course concentrates on MacOS Catalina on the x64 CPU architecture, the latest security enhancements of iOS 13 will also be discussed. The course material was updated to the latest security features of MacOS Catalina and iOS 13. This is the first course that introduces Apple's new concept of SystemExtensions and introduces you to DriverKit and EndpointSecurity.</p> <p>This training will be in February 2020 in Berlin. It will be happening between February 17th and February 20th 2020 in the Marriott Courtyard hotel in Berlin and is therefore right next to Offensive Con in both time and location. It is a full 4-day course and is targeted at security researchers that want to dive into MacOS or iOS kernel security topics.</p> <p>The course will focus on the MacOS side and therefore all training exercises will be performed on MacOS Catalina. 
However iOS security specifics will also be covered by the course where they differ from the MacOS way.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what will be covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>Setting up a development and debugging environment</li> <li>Developing your own kernel extensions (kext vs. systemextensions)</li> </ul> </li> <li><strong>Low Level x64 / ARM64</strong><ul> <li>Low level CPU details</li> <li>Physical memory management</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and PAC (Pointer Authentication)</li> <li>...</li> </ul> </li> <li><strong>Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>...</li> </ul> </li> <li><strong>Kernel Drivers/(System)Extensions</strong><ul> <li>IOKit</li> <li>DriverKit / SystemExtensions</li> <li>EndpointSecurity</li> <li>Driver attack surface</li> <li>Kernel driver code-signing</li> <li>...</li> </ul> </li> <li><strong>Kernel Internals</strong><ul> <li>Important data structures of the kernel</li> <li>Mach-O file format / encryption</li> <li>Mach messages and IPC</li> <li>Security: MAC Policy Hooks, Sandbox, Code Signing, Kauth, socket filter</li> <li>Filesystems, networking stack</li> <li>...</li> </ul> </li> <li><strong>Kernel Debugging</strong><ul> <li>Panic Dumps</li> <li>Built-in Kernel Debugging / VMWARE based debugging</li> <li>Debugging with own kernel extensions</li> <li>Kernel Heap Debugging/Visualization</li> </ul> </li> <li><strong>Kernel Heap</strong><ul> <li>In-Depth Explanation of How the Kernel Heap works</li> <li>Discuss weaknesses in current heap implementation</li> </ul> </li> <li><strong>Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Includes 
software- and hardware-based mitigations such as KTRR, KPP, PAC, PAN and APRR</li> <li>Including newest mitigations already known in iOS 13</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>Kernel Rootkits</strong><ul> <li>Discussion of previously hooked / abused data structures in MacOS rootkits</li> <li>Rootkits and their detection in light of SystemExtensions and EndpointSecurity</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>The whole training material (multiple hundred slides) will be handed to the students in digital form.</li> <li>Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>Basic understanding of exploitation</li> <li>C and Python programming knowledge</li> <li>Knowledge of x64 assembly</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>Apple Mac Notebook capable of running latest MacOS within VMWARE</li> <li>Enough hard disk space to run VMs</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>IDA Pro 6.x/7.x license (ARM64 support required)</li> <li>alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool</li> <li>Hexrays for ARM64 helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)</li> <li>VMWARE Fusion</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at the Berlin Courtyard by Marriott Hotel (Germany). 
The hotel is central and located near the Hilton Hotel which is the venue of <a class="reference external" href="https://www.offensivecon.org">Offensive Con</a>.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Courtyard by Marriott</div> <div class="line">Axel-Springer-Straße 55</div> <div class="line">10117 Berlin</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/qe9Vz6sEjpzxFgtHA" style="border:0"><img src="https://www.antid0te.com/images/map_berlin_courtyard_marriott.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. All ticket prices include 19% mandatory VAT.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="65%"> <col width="35%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price (incl. 19% VAT)</td> </tr> <tr><td>Early Bird (before 21st November)</td> <td>3500,- EUR</td> </tr> <tr><td>Regular (before 1st February)</td> <td>4000,- EUR</td> </tr> <tr><td>Late (after 1st February)</td> <td>4500,- EUR</td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks, and free soft drinks in the training room.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions or want to register for this training please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>. 
Please note that signup, billing and execution of the training is performed by Antid0te UG (haftungsbeschränkt).</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Security</category>
<category>Internals</category>
<category>MacOS</category>
<guid>https://www.antid0te.com/blog/20-02-17-macos-ios-kernel-internals-berlin.html</guid>
<pubDate>Sat, 21 Sep 2019 09:10:00 GMT</pubDate>
</item>
<item>
<title>iOS 12/13 Kernel Exploitation Training (November 2019)</title>
<link>https://www.antid0te.com/blog/19-11-25-ios-kernel-exploitation-berlin.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te organises an iOS Kernel Exploitation Training in Berlin in November 2019.</p> <!-- teaser_end: read more ... --> <img alt="/images/exploit_training.jpg" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/exploit_training.jpg"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te UG)</div> <div class="line"><strong>Dates:</strong> 25th November - 29th November 2019 (5 days)</div> <div class="line"><strong>Venue:</strong> Berlin Marriott Hotel, Germany</div> <div class="line"><strong>Availability:</strong> 15 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2019 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 and iOS 12 jailbreaks use some techniques that have been part of our training material since before they were ever used publicly. Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or have even joined Apple as employees. However Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.</p> <p>With the release of iOS 13 Apple will once again raise the bar in the world of iOS exploitation by introducing new software and hardware based mitigations. Because of this the training will shift its focus to these newly introduced mitigations so that trainees learn to deal with these up to date protections.</p> <p>This training will be in November 2019 in Berlin (if the date is inconvenient for you the same training will be done in Singapore one month earlier). 
It will be happening in the Berlin Marriott Hotel near Potsdamer Platz between November 25th and November 29th 2019. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.</p> <p>The training exercises will be performed on a mixture of devices running iOS 12.x. Some of these devices will be 64-bit iPod touch (6th Gen) 32 GB devices that the trainees will take home after the training. However we will also give the trainees access to more modern devices to test out new hardware based mitigations like the ARM v8.3 pointer authentication.</p> <p>The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what is usually covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>How to set up your Mac and Device for Vuln Research/Exploit Development</li> <li>How to load own kernel modules into the iOS kernel</li> <li>How to write Code for your iDevice</li> <li>Damn Vulnerable iOS Kernel Extension</li> </ul> </li> <li><strong>Low Level ARM / ARM64</strong><ul> <li>Differences between ARM and ARM64</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and PAC (Pointer Authentication)</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>MAC Policy Hooks, Sandbox, Entitlements, Code Signing</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Reversing</strong><ul> <li>Structure of the Kernel Binary</li> <li>Finding Important Structures</li> <li>Porting Symbols</li> <li>Closed Source Kernel Parts and How to analyze them</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Debugging</strong><ul> <li>Panic Dumps</li> <li>Debugging with own 
Patches</li> <li>Kernel Heap Debugging/Visualization (new software package for new devices)</li> </ul> </li> <li><strong>iOS Kernel Heap</strong><ul> <li>In-Depth Explanation of How the Kernel Heap works (up to date for iOS 13)</li> <li>Different techniques to control the kernel heap layout (including non-public ones)</li> <li>Discuss weaknesses in current heap implementation</li> </ul> </li> <li><strong>iOS Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Includes software- and hardware-based mitigations such as KTRR, KPP, PAC, PAN and APRR</li> <li>Including newest mitigations already known in iOS 13</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>iOS Kernel Vulnerabilities and their Exploitation</strong><ul> <li>Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities</li> <li>Analysis of public exploits and discussion of how to improve them</li> <li>Overview of different vulnerability types commonly found in the iOS kernel and exploit strategies</li> <li>Part of the training will be to reimplement bits and pieces of an iOS 12 kernel exploit</li> </ul> </li> <li><strong>iOS Kernel Jailbreaking</strong><ul> <li>Discussion of how recent iOS jailbreaks work</li> </ul> </li> <li><strong>Handling of New Devices</strong><ul> <li>Discussion of necessary steps to port exploits from old to new devices</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>All students will take home an iPod Touch 32GB (64 bit) 6th generation that had a retail value of 229,- EUR (these iPods are running iOS 12.x for some of the hands-on during the training).</li> <li>The whole training material (multiple hundred slides) will be handed to the students in digital form.</li> <li>Trainees will get a license for the Antid0te software and scripts that are used during the training 
that allows usage but not redistribution of said software. This software is currently going through a complete cleanup and modernization to ensure compatibility with all new devices.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>This course will not give an introduction to ARM assembly basics. The trainee is required to understand basic ARM64 assembly. It is not required to have previous low level experience with ARM64 CPUs, because the necessary information is discussed within the training. Low level ARM64 CPU knowledge will be helpful, but is not required for this course - all necessary parts will be explained within the course.</li> <li>This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.</li> <li>About 3 weeks before the training trainees will receive a booklet that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood. NOTE: In order to fit more topics and hands-on exercises into the training this booklet now contains 4h worth of material that previously was worked through on day 1 of the training.</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>An Apple Mac Notebook is required in order to run MacOS and XCode.</li> <li>Training hands-on exercises will be performed on devices provided by Antid0te. 
It is not required for students to bring their own iOS devices.</li> <li>Every student will be handed an iPod Touch 32GB at the beginning of the training that they will work on and can take home after the training.</li> <li>Furthermore, more modern iOS devices will be provided throughout the course for gaining experience with hardware mitigations like PAN or PAC.</li> <li>Students can optionally bring their own iOS device for experiments. But these devices need to be jailbroken on iOS 12.</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>IDA Pro 6.x/7.x license (ARM64 support required)</li> <li>alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool</li> <li>Hexrays for ARM64 helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at the Berlin Marriott Hotel (Germany). The hotel is located near the Potsdamer Platz in Berlin, which is easily reachable with public transportation from many parts of Berlin.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Berlin Marriott Hotel</div> <div class="line">Inge-Beisheim-Platz 1</div> <div class="line">10785 Berlin</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/g2ThQo8E6Jq" style="border:0"><img src="https://www.antid0te.com/images/map_berlin_marriott.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. 
Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="58%"> <col width="22%"> <col width="21%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price</td> <td>VAT</td> </tr> <tr><td>Early Bird (before 12th August)</td> <td>4000,- EUR</td> <td>760,- EUR</td> </tr> <tr><td>Regular (before 28th October)</td> <td>4500,- EUR</td> <td>855,- EUR</td> </tr> <tr><td>Late (after 28th October)</td> <td>5000,- EUR</td> <td>950,- EUR</td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks, and free soft drinks in the training room.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions or want to register for this training please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>. Please note that signup, billing and execution of the training is performed by Antid0te UG (haftungsbeschränkt).</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Exploitation</category>
<guid>https://www.antid0te.com/blog/19-11-25-ios-kernel-exploitation-berlin.html</guid>
<pubDate>Sun, 19 May 2019 09:10:00 GMT</pubDate>
</item>
<item>
<title>iOS 12/13 Kernel Exploitation Training (October 2019)</title>
<link>https://www.antid0te.com/blog/19-10-21-ios-kernel-exploitation-singapore.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te SG organises an iOS Kernel Exploitation Training in Singapore in October 2019.</p> <!-- teaser_end: read more ... --> <img alt="/images/exploit_training.jpg" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/exploit_training.jpg"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te SG Pte. Ltd.)</div> <div class="line"><strong>Dates:</strong> 21st October - 25th October 2019 (5 days)</div> <div class="line"><strong>Venue:</strong> Novotel Clarke Quay, Singapore</div> <div class="line"><strong>Availability:</strong> 10 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2019 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 and iOS 12 jailbreaks use some techniques that have been part of our training material since before they were ever used publicly. Furthermore several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or have even joined Apple as employees. However Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.</p> <p>With the release of iOS 13 Apple will once again raise the bar in the world of iOS exploitation by introducing new software and hardware based mitigations. Because of this the training will shift its focus to these newly introduced mitigations so that trainees learn to deal with these up to date protections.</p> <p>This training will be in October 2019 in Singapore (if the date is inconvenient for you the same training will be done in Berlin one month later). 
It will be happening between October 21st and October 25th 2019 in a hotel in Singapore that will be announced soon. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.</p> <p>The training exercises will be performed on a mixture of devices running iOS 12.x. Some of these devices will be 64-bit iPod touch (6th Gen) 32 GB devices that the trainees will take home after the training. However we will also give the trainees access to more modern devices to test out new hardware based mitigations like the ARM v8.3 pointer authentication.</p> <p>The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what is usually covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>How to set up your Mac and Device for Vuln Research/Exploit Development</li> <li>How to load own kernel modules into the iOS kernel</li> <li>How to write Code for your iDevice</li> <li>Damn Vulnerable iOS Kernel Extension</li> </ul> </li> <li><strong>Low Level ARM / ARM64</strong><ul> <li>Differences between ARM and ARM64</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and PAC (Pointer Authentication)</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>MAC Policy Hooks, Sandbox, Entitlements, Code Signing</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Reversing</strong><ul> <li>Structure of the Kernel Binary</li> <li>Finding Important Structures</li> <li>Porting Symbols</li> <li>Closed Source Kernel Parts and How to analyze them</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Debugging</strong><ul> <li>Panic Dumps</li> <li>Debugging with own 
Patches</li> <li>Kernel Heap Debugging/Visualization (new software package for new devices)</li> </ul> </li> <li><strong>iOS Kernel Heap</strong><ul> <li>In-Depth Explanation of How the Kernel Heap works (up to date for iOS 13)</li> <li>Different techniques to control the kernel heap layout (including non-public ones)</li> <li>Discuss weaknesses in current heap implementation</li> </ul> </li> <li><strong>iOS Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Includes software- and hardware-based mitigations such as KTRR, KPP, PAC, PAN and APRR</li> <li>Including newest mitigations already known in iOS 13</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>iOS Kernel Vulnerabilities and their Exploitation</strong><ul> <li>Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities</li> <li>Analysis of public exploits and discussion of how to improve them</li> <li>Overview of different vulnerability types commonly found in the iOS kernel and exploit strategies</li> <li>Part of the training will be to reimplement bits and pieces of an iOS 12 kernel exploit</li> </ul> </li> <li><strong>iOS Kernel Jailbreaking</strong><ul> <li>Discussion of how recent iOS jailbreaks work</li> </ul> </li> <li><strong>Handling of New Devices</strong><ul> <li>Discussion of necessary steps to port exploits from old to new devices</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>All students will take home an iPod Touch 32GB (64 bit) 6th generation that had a retail value of 229,- EUR (these iPods are running iOS 12.x for some of the hands-on during the training).</li> <li>The whole training material (multiple hundred slides) will be handed to the students in digital form.</li> <li>Trainees will get a license for the Antid0te software and scripts that are used during the training 
that allows usage but not redistribution of said software. This software is currently going through a complete cleanup and modernization to ensure compatibility with all new devices.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>This course will not give an introduction to ARM assembly basics. The trainee is required to understand basic ARM64 assembly. It is not required to have previous low level experience with ARM64 CPUs, because the necessary information is discussed within the training. Low level ARM64 CPU knowledge will be helpful, but is not required for this course - all necessary parts will be explained within the course.</li> <li>This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.</li> <li>About 3 weeks before the training trainees will receive a booklet that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood. NOTE: In order to fit more topics and hands-on exercises into the training this booklet now contains 4h worth of material that previously was worked through on day 1 of the training.</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>An Apple Mac Notebook is required in order to run MacOS and XCode.</li> <li>Training hands-on exercises will be performed on devices provided by Antid0te. 
It is not required for students to bring their own iOS devices.</li> <li>Every student will be handed an iPod Touch 32GB at the beginning of the training that they will work on and can take home after the training.</li> <li>Furthermore, more modern iOS devices will be provided throughout the course for gaining experience with hardware mitigations like PAN or PAC.</li> <li>Students can optionally bring their own iOS device for experiments. But these devices need to be jailbroken on iOS 12.</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>IDA Pro 6.x/7.x license (ARM64 support required)</li> <li>alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool</li> <li>Hexrays for ARM64 helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at Novotel Clarke Quay (Singapore). The Novotel is located near Clarke Quay MRT (purple line) and near Fort Canning (downtown line) in Singapore.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Novotel Singapore Clarke Quay</div> <div class="line">177A River Valley Rd</div> <div class="line">Singapore 179031</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/6VUPrv2Wwvx" style="border:0"><img src="https://www.antid0te.com/images/map_singapore_novotel.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. 
Please understand that Antid0te SG is not yet required to register for GST in Singapore and therefore attendees do not have to pay GST on top of the base price.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="52%"> <col width="48%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price</td> </tr> <tr><td>Early Bird (before 5th August)</td> <td>S$ 5500</td> </tr> <tr><td>Regular (after 5th August)</td> <td>S$ 6000</td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions about this training or want to register please contact us by e-mail <a class="reference external" href="mailto:training@antid0te-sg.com">training@antid0te-sg.com</a>.</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te-sg.com">training@antid0te-sg.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Exploitation</category>
<guid>https://www.antid0te.com/blog/19-10-21-ios-kernel-exploitation-singapore.html</guid>
<pubDate>Sun, 19 May 2019 09:00:00 GMT</pubDate>
</item>
<item>
<title>Is CVE-2019-7287 hidden in ProvInfoIOKitUserClient?</title>
<link>https://www.antid0te.com/blog/19-02-23-ios-kernel-cve-2019-7287-memory-corruption-vulnerability.html</link>
<dc:creator>Stefan Esser</dc:creator>
  56. <description><div><p>A dive into the iOS kernel to track down CVE-2019-7287 that is said to be exploited in the wild...</p> <!-- teaser_end: read more ... --> <style> blockquote p, blockquote {font-family: monospace; font-size: 14px;} #imglogo { float: right; margin-left: 20px; width: 150px; border-radius: 24%; } #imgtweet { float:none; clear: both; margin: 30px; width: 400px; padding:1px; border:1px solid #000000;} #imgscreen1 { float:none; clear: both; margin: 30px; width: 800px; padding:1px; border:1px solid #000000;} #imgscreen2 { float:none; clear: both; margin: 30px; width: 800px; padding:1px; border:1px solid #000000;} #imgscreen3 { float:none; clear: both; margin: 30px; width: 800px; padding:1px; border:1px solid #000000;} #imgscreen4 { float:none; clear: both; margin: 30px; width: 800px; padding:1px; border:1px solid #000000;} #imgtc { float:none; clear: both; margin: 30px; width: 100px; padding:1px; border:1px solid #000000;} #imgjb {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} #imgpl {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} </style><div class="section" id="intro"> <h2>Intro</h2> <p>On February 8th 2019 Apple released the iOS 12.1.4 update that fixed a previously disclosed security vulnerability in Facetime group conferences that was heavily discussed in media the week before. However with the same update Apple fixed a number of other vulnerabilities as documented in the usual <a class="reference external" href="https://support.apple.com/en-jo/HT209520">place</a>. 
While it is not uncommon for Apple to fix multiple security problems with the same update, a tweet from Google's Project Zero made the public aware that two of these vulnerabilities had apparently been found being exploited in the wild.</p> <img alt="/images/benhawkes.png" id="imgtweet" src="https://www.antid0te.com/images/benhawkes.png"> <p>Since then more than two weeks have passed and neither Google nor Apple have given out any details about this incident, which leaves the rest of the world in the dark about what exactly happened, how Google was able to catch a chain of iOS 0-day vulnerabilities in the wild and where exactly the vulnerabilities are located. As usual, Apple's security notes contain only very brief descriptions of what was fixed. So it is no surprise that all they disclose about these vulnerabilities is the following.</p> <blockquote> <p>Foundation</p> <blockquote> <p>Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation</p> <p>Impact: An application may be able to gain elevated privileges</p> <p>Description: A memory corruption issue was addressed with improved input validation.</p> <p>CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero</p> </blockquote> <p>IOKit</p> <blockquote> <p>Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation</p> <p>Impact: An application may be able to execute arbitrary code with kernel privileges</p> <p>Description: A memory corruption issue was addressed with improved input validation.</p> <p>CVE-2019-7287: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero</p> </blockquote> </blockquote> <p>This information is very unsatisfying and therefore we decided to have a look into what was actually fixed. 
Because we usually concentrate on the iOS kernel, we tried to figure out what vulnerability is hiding behind CVE-2019-7287 by binary diffing the iOS 12.1.3 and the iOS 12.1.4 kernels.</p> </div> <div class="section" id="patch-analysis"> <h2>Patch Analysis</h2> <p>Analysing iOS security patches has become a lot easier since <a class="reference external" href="https://www.sektioneins.de/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html">the last time iOS malware was caught in the wild</a>. With the release of iOS 10 Apple started to ship the iOS kernel in the firmware in decrypted form to be more open. But then they recently decided with iOS 12 to backpedal on this openness by stripping all symbols from the shipped kernels. However, due to a mistake they shipped a fully symbolized iOS 12 kernel during the development stages that was immediately uploaded to <a class="reference external" href="https://www.hex-rays.com/products/ida/7.2/the_mac_rundown/the_mac_rundown.shtml">Hex-Rays' Lumina service</a>. Without symbols analysing patches becomes a bit more difficult; however, in this case the functions in question even contain strings that point to the problem directly.</p> <p>Once you have extracted the two kernels from the firmware they can be analysed for differences. We have used the open source binary diffing plugin <a class="reference external" href="https://github.com/joxeankoret/diaphora">Diaphora</a> for IDA to perform this task. For our comparison we loaded the iOS 12.1.3 kernel into IDA, waited for the autoanalysis to finish and then used Diaphora to dump the current IDA database into the SQLite database format Diaphora uses. We repeated this process with the iOS 12.1.4 kernel and then told Diaphora to diff the two databases using its slow heuristics overnight. The result of this comparison showed only a very small number of partially changed functions. 
When looking at these functions we believe the vulnerability is likely in the function <strong>ProvInfoIOKitUserClient::ucGetEncryptedSeedSegment</strong>. We believe this because Apple introduced a new size check in this function. Have a look at the previous version of the function.</p> <img alt="/images/ProvInfo_Unfixed.png" id="imgscreen1" src="https://www.antid0te.com/images/ProvInfo_Unfixed.png"> <p>And now have a look at the fixed version in iOS 12.1.4. You can clearly see the newly introduced size check in the area marked in red, with a clear error message attached to it.</p> <img alt="/images/ProvInfo_Fixed.png" id="imgscreen2" src="https://www.antid0te.com/images/ProvInfo_Fixed.png"> </div> <div class="section" id="provinfoiokituserclient"> <h2>ProvInfoIOKitUserClient</h2> <p>The IOKit objects <strong>ProvInfoIOKit</strong> and <strong>ProvInfoIOKitUserClient</strong> are implemented in a driver called <strong>com.apple.driver.ProvInfoIOKit</strong>. Connections to this driver cannot be created from the normal <strong>container</strong> sandbox that iOS applications run in. This means there is likely a sandbox escape involved in the full iOS exploitation chain that Google found. Alternatively the exploit chain could exploit one of the daemons that have legitimate access to this driver. A check of the sandbox profiles as shipped with iOS 12 reveals that there are three daemon sandboxes that are allowed to access this driver. These daemon sandboxes are:</p> <blockquote> <ol class="arabic simple"> <li>findmydeviced</li> <li>mobileactivationd</li> <li>identityserviced</li> </ol> </blockquote> <p>Which route to this driver was taken by the original attackers we can only guess until Apple or Google finally decide to reveal this information to the public. 
All this assumes that our guess is right and the newly introduced size check is actually the fix for CVE-2019-7287.</p> <p>Having pinpointed the newly introduced size check in <strong>ProvInfoIOKitUserClient::ucGetEncryptedSeedSegment</strong>, the next step is to find out how this function can actually be called from the outside. As it turns out this function is directly exposed to userland via the <strong>externalMethod</strong> interface of the driver. A check of <strong>ProvInfoIOKitUserClient::getTargetAndMethodForIndex</strong> reveals that the driver offers 6 different external methods to userland. These methods are:</p> <blockquote> <ol class="arabic simple"> <li>ucGenerateSeed (obfuscated name: fpXqy2dxjQo7)</li> <li>ucGenerateInFieldSeed (obfuscated name: afpHseTGo8s)</li> <li>ucExchangeWithHoover (obfuscated name: AEWpRs)</li> <li>ucGetEncryptedSeedSegment</li> <li>ucEncryptSUInfo</li> <li>ucEncryptWithWrapperKey</li> </ol> </blockquote> <p>The interesting thing here is that the first three external methods have obfuscated names in the leaked symbols. However, all six routines have very explicit strings in them that reveal their name. Checking into the other external methods we were in for a surprise.</p> </div> <div class="section" id="the-surprise"> <h2>The Surprise</h2> <p>When looking into <strong>ucEncryptSUInfo</strong> and <strong>ucEncryptWithWrapperKey</strong> we were surprised to see that both of these functions have also been changed. Both have also received new size checks, and neither of them showed up in our Diaphora output. At some point we may want to go back and try to figure out why Diaphora did not see these functions as changed (or maybe they changed too much, so that the differing functions were not matched). 
When you look at these functions and the introduced size checks you will also see that directly after the size check there are calls to <strong>memmove</strong>.</p> <img alt="/images/ProvInfo_ucencryptsuinfo.png" id="imgscreen3" src="https://www.antid0te.com/images/ProvInfo_ucencryptsuinfo.png"> <img alt="/images/ProvInfo_ucencryptwithwrapperkey.png" id="imgscreen4" src="https://www.antid0te.com/images/ProvInfo_ucencryptwithwrapperkey.png"> <p>When you look at the calls to <strong>memmove</strong> it seems that before the size checks were introduced the code fully trusted user-supplied size fields in the incoming parameter structure. This likely led to arbitrarily sized heap memory corruptions. We will take a look into this in the next few days to verify this educated guess.</p> </div> <div class="section" id="to-be-continued"> <h2>To be continued</h2> <p>Our research, and therefore this blog post, is far from finished. We only wanted to get this information out as soon as possible in order to first verify that we have pinpointed the right location before we invest further resources into possibly chasing down the wrong bug. Please check back in a few days to see if we have updated this post.</p> </div> <div class="section" id="trainings"> <h2>Trainings</h2> <p>If you are interested in this kind of content please consider signing up for one of our upcoming <a class="reference external" href="https://www.antid0te.com/stories/training.html">trainings</a>.</p> <p><em>Stefan Esser</em></p> </div></div></description>
<category>Blog</category>
<category>iOS</category>
<category>Kernel</category>
<category>CVE-2019-7287</category>
<category>ProvInfoIOKitUserClient</category>
<category>ProvInfoIOKit</category>
<category>Vulnerability</category>
<guid>https://www.antid0te.com/blog/19-02-23-ios-kernel-cve-2019-7287-memory-corruption-vulnerability.html</guid>
<pubDate>Sun, 24 Feb 2019 00:00:00 GMT</pubDate>
</item>
<item>
<title>iOS kernel.backtrace Information Leak Vulnerability</title>
<link>https://www.antid0te.com/blog/19-02-22-ios-kernel-backtrace-information-leak-vulnerability.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>A kernel heap information leak vulnerability hides in Apple's code to determine user level backtraces...</p> <!-- teaser_end: read more ... --> <style> blockquote p, blockquote {font-family: monospace; font-size: 14px;} #imglogo { float: right; margin-left: 20px; width: 150px; border-radius: 24%; } #imgtc { float:none; clear: both; margin: 30px; width: 1000px; padding:1px; border:1px solid #000000;} #imgjb {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} #imgpl {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} </style><div class="section" id="intro"> <h2>Intro</h2> <p>In our iOS Kernel Internals for Security Researchers training at offensive_con we let our trainees look at some code that Apple introduced to the kernel in iOS 10. This code implements a new sysctl handler for the kernel.backtrace sysctl. This sysctl is meant to retrieve the current thread's user level backtrace. The idea behind this exercise is to see if the trainees can spot a 0-day information leak vulnerability in the iOS kernel once they are pointed in the right direction.</p> </div> <div class="section" id="kernel-backtrace"> <h2>kernel.backtrace</h2> <p>The <strong>kernel.backtrace</strong> sysctl is a relatively new addition to the iOS kernel that lets the current process retrieve its own user level backtrace. While the logic for determining the user level backtrace is buried somewhere in the Mach part of the kernel source code, the sysctl handler itself is implemented in the file <strong>/bsd/kern/kern_backtrace.c</strong>. 
The code for the handler is shown below.</p> <pre class="code c literal-block">
48 static int
49 backtrace_sysctl SYSCTL_HANDLER_ARGS
50 {
51 #pragma unused(oidp, arg2)
52     uintptr_t *bt;
53     uint32_t bt_len, bt_filled;
54     uintptr_t type = (uintptr_t)arg1;
55     bool user_64;
56     int err = 0;
57 
58     if (type != BACKTRACE_USER) {
59         return EINVAL;
60     }
61 
62     if (req-&gt;oldptr == USER_ADDR_NULL || req-&gt;oldlen == 0) {
63         return EFAULT;
64     }
65 
66     bt_len = req-&gt;oldlen &gt; MAX_BACKTRACE ? MAX_BACKTRACE : req-&gt;oldlen;
67     bt = kalloc(sizeof(uintptr_t) * bt_len);
68     if (!bt) {
69         return ENOBUFS;
70     }
71 
72     err = backtrace_user(bt, bt_len, &amp;bt_filled, &amp;user_64);
73     if (err) {
74         goto out;
75     }
76 
77     err = copyout(bt, req-&gt;oldptr, bt_filled * sizeof(uint64_t));
78     if (err) {
79         goto out;
80     }
81     req-&gt;oldidx = bt_filled;
82 
83 out:
84     kfree(bt, sizeof(uintptr_t) * bt_len);
85     return err;
86 }
</pre> <p>The code above will first validate the incoming arguments and limit the depth of the backtrace that can be retrieved (lines 58-66). 
It will then allocate a heap buffer to store a backtrace of the user-selected depth (line 67) and use an external helper function to fill the buffer with the user level backtrace (line 72). The backtrace entries actually retrieved are then copied to user land (line 77) and the heap buffer is released (line 84).</p> </div> <div class="section" id="the-vulnerability"> <h2>The Vulnerability</h2> <p>Before reading on further I suggest that you take a look at the code above again and try to spot the vulnerability yourself without help. Only one hint will be given: the vulnerability can only be exploited on older iOS/watchOS/tvOS devices.</p> <p>Please do not read further before you have given yourself a chance to spot the vulnerability.</p> <p>I am serious! Please try to first spot the vulnerability yourself.</p> <p>The fact that you are reading this means you either ignored the three warnings above or you have already looked at the code yourself and either spotted the vulnerability or given up after a reasonable amount of time looking at the code. So let us figure out the problem together. 
Let us have a look at the line that copies the backtrace to user land.</p> <pre class="code c literal-block">
77     err = copyout(bt, req-&gt;oldptr, bt_filled * sizeof(uint64_t));
78     if (err) {
79         goto out;
80     }
</pre> <p>As you can see, the number of bytes copied to user land is <strong>bt_filled * sizeof(uint64_t)</strong>. This is the number of filled-in backtrace entries times 8 bytes. And now let us have a look at how big the heap buffer is that we are dealing with.</p> <pre class="code c literal-block">
67     bt = kalloc(sizeof(uintptr_t) * bt_len);
68     if (!bt) {
69         return ENOBUFS;
70     }
</pre> <p>We can see here that the size of the heap buffer is determined by the formula <strong>sizeof(uintptr_t) * bt_len</strong>. 
This is the maximum number of backtrace entries that can be retrieved times the size of a pointer. And this is where our previous hint kicks in: the size of a pointer is only 8 bytes on recent devices. Older iOS devices (iPhone 5c and below) and older Apple Watches (Series 3) are internally 32-bit devices and therefore have only 4-byte pointers. This means that on these older devices the call to <strong>copyout()</strong> copies twice as many bytes from the heap as the buffer actually holds. This is a classic heap buffer over-read vulnerability.</p> </div> <div class="section" id="the-impact"> <h2>The Impact</h2> <p>As pointed out, this is a 0-day kernel information leak vulnerability that has not been shared with Apple before now and therefore it is still unfixed in the kernel. However, there are a number of mitigating factors:</p> <blockquote> <ol class="arabic simple"> <li>the vulnerability affects only 32-bit iOS devices - the only 32-bit devices Apple still supports in current releases are Apple Watch Series 3 and below</li> <li>the vulnerability can only be triggered outside of the app sandbox - so it can only be used as part of a vulnerability chain and not exploited directly from an app</li> </ol> </blockquote> </div> <div class="section" id="ios-12-copyin-copyout-mitigation"> <h2>iOS 12 copyin/copyout Mitigation</h2> <p>Starting with iOS 12 Apple has added a mitigation to the kernel that checks, whenever <strong>copyin()</strong> or <strong>copyout()</strong> is executed, whether the kernel heap buffer is large enough for the operation to continue. The kernel will panic if an attacker tries to read or write across the boundary of a kernel zone heap element.</p> <p>However, this mitigation does not stop an attacker from exploiting this vulnerability, because Apple did not add this protection to 32-bit kernels. 
It is unknown if they simply forgot to protect their remaining 32-bit devices or if they simply do not care about them at all anymore.</p> </div> <div class="section" id="the-apple-security-bounty"> <h2>The Apple Security Bounty</h2> <p>The value of this security vulnerability in the eyes of Apple's security bounty program is exactly 0 USD. There are three reasons for this:</p> <blockquote> <ol class="arabic simple"> <li>Apple only pays for vulnerabilities affecting the latest of their devices. It doesn't matter if they officially still support older devices by providing them with updates. They will only pay if the bugs affect the recent devices.</li> <li>Apple does not pay for vulnerabilities that affect MacOS / tvOS / WatchOS. They might only pay if iOS devices are affected.</li> <li>Apple does not pay for information leak vulnerabilities, although many of their mitigations rely on kernel memory being kept confidential.</li> </ol> </blockquote> </div> <div class="section" id="conclusion"> <h2>Conclusion</h2> <p>This vulnerability is one of those things that are hard to explain. It is in relatively new code, so we would assume that kernel developers these days should be careful when writing new code. So it is rather a mystery why two different data types are used for the allocation and for copying the data. It is furthermore hard to explain why a security review of the new kernel code, which should happen every time new code is added, did not spot this. The use of two different data types for allocation and copying is pretty obvious, and trainees at offensive_con who were just learning about the kernel were quick to see the problem.</p> </div> <div class="section" id="trainings"> <h2>Trainings</h2> <p>If you are interested in this kind of content please consider signing up for one of our upcoming <a class="reference external" href="https://www.antid0te.com/stories/training.html">trainings</a>.</p> <p><em>Stefan Esser</em></p> </div></div></description>
<category>Blog</category>
<category>iOS</category>
<category>Kernel</category>
<category>Informationleak</category>
<category>Vulnerability</category>
<guid>https://www.antid0te.com/blog/19-02-22-ios-kernel-backtrace-information-leak-vulnerability.html</guid>
<pubDate>Fri, 22 Feb 2019 09:00:00 GMT</pubDate>
</item>
<item>
<title>iOS 12 Kernel Exploitation Training (May 2019)</title>
<link>https://www.antid0te.com/blog/19-05-20-ios-kernel-exploitation-berlin.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te organises an iOS Kernel Exploitation Training in Berlin in May 2019.</p> <!-- teaser_end: read more ... --> <img alt="/images/exploit_training.jpg" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/exploit_training.jpg"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te UG)</div> <div class="line"><strong>Dates:</strong> 20th May - 24th May 2019 (5 days)</div> <div class="line"><strong>Venue:</strong> Berlin Marriott Hotel, Germany</div> <div class="line"><strong>Availability:</strong> 15 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2018 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11/12 jailbreaks use some techniques that have been part of our training material for a while. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or have even joined Apple as employees. However, Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.</p> <p>With the release of iOS 12 Apple has once again raised the bar in the world of iOS exploitation by introducing new software- and hardware-based mitigations. Because of this the May edition of our training will shift its focus to these newly introduced mitigations so that trainees learn to deal with these up-to-date protections.</p> <p>The next training is in May 2019. It will be happening in the Berlin Marriott Hotel near Potsdamer Platz between May 20th and May 24th 2019. 
It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS.</p> <p>All training exercises will be performed on 64-bit iPod touch 32GB devices that will be running iOS 12.x. Trainees will take these devices home after the training.</p> <p>The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what is usually covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>How to set up your Mac and Device for Vuln Research/Exploit Development</li> <li>How to load own kernel modules into the iOS kernel</li> <li>How to write Code for your iDevice</li> <li>Damn Vulnerable iOS Kernel Extension</li> </ul> </li> <li><strong>Low Level ARM / ARM64</strong><ul> <li>Differences between ARM and ARM64</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and PAC (Pointer Authentication)</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>MAC Policy Hooks, Sandbox, Entitlements, Code Signing</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Reversing</strong><ul> <li>Structure of the Kernel Binary</li> <li>Finding Important Structures</li> <li>Porting Symbols</li> <li>Closed Source Kernel Parts and How to analyze them</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Debugging</strong><ul> <li>Panic Dumps</li> <li>Using the KDP Kernel Debugger (hands on tasks limited to 30 pin devices)</li> <li>Extending the Kernel Debugger (KDP++)</li> <li>Debugging with own Patches</li> <li>Kernel Heap Debugging/Visualization (new software package)</li> </ul> </li> <li><strong>iOS Kernel Heap</strong><ul> <li>In-Depth Explanation of How the Kernel Heap works 
(including all the changes in iOS 12)</li> <li>Different techniques to control the kernel heap layout (including non-public ones)</li> <li>Discussion of weaknesses in the current heap implementation</li> </ul> </li> <li><strong>iOS Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>iOS Kernel Vulnerabilities and their Exploitation</strong><ul> <li>Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities</li> <li>Analysis of public exploits and discussion of how to improve them</li> <li>Overview of different vulnerability types commonly found in the iOS kernel and exploit strategies</li> <li>Part of the training will be to reimplement bits and pieces of an iOS 12 kernel exploit</li> </ul> </li> <li><strong>iOS Kernel Jailbreaking</strong><ul> <li>Discussion of kernel patch protection KTRR / KPP</li> <li>Discussion of how recent iOS jailbreaks deal with kernel patch protection</li> </ul> </li> <li><strong>Handling of New Devices</strong><ul> <li>Discussion of necessary steps to port exploits from old to new devices</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>All students will take home an iPod Touch 32GB (64 bit) with a retail value of now 229,- EUR (these iPods are running iOS 12.x for the hands-on during the training).</li> <li>The whole training material (multiple hundred slides) will be handed to the students in digital form.</li> <li>Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>This course will not give an introduction to ARM 
assembly basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training. There is a short refresher inside the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.</li> <li>This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.</li> <li>About 3 weeks before the training trainees will receive a booklet that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood. NOTE: In order to fit more topics and hands-on exercises into the training this booklet now contains 4h worth of material that previously was worked through on day 1 of the training.</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>An Apple Mac Notebook is required in order to run MacOS and Xcode.</li> <li>Training hands-on exercises will be performed on devices provided by Antid0te. It is not required for students to bring their own iOS devices.</li> <li>Every student will be handed an iPod Touch 32GB at the beginning of the training that they will work on and can take home after the training.</li> <li>Students can optionally bring their own iOS device for experiments. 
But for best results these devices should run an iOS version which has a public jailbreak for it.</li> <li>Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by Antid0te if required.</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>IDA Pro 6.x/7.x license (ARM64 support required)</li> <li>alternatively Hopper/Binary Ninja can be used, but script support varies by tool</li> <li>Hex-Rays for ARM64 helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.14, with latest Xcode and iOS 12.x SDK (or newer)</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at the Berlin Marriott Hotel (Germany). The hotel is located near Potsdamer Platz in Berlin, which is easily reachable with public transportation from many parts of Berlin.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Berlin Marriott Hotel</div> <div class="line">Inge-Beisheim-Platz 1</div> <div class="line">10785 Berlin</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/g2ThQo8E6Jq" style="border:0"><img src="https://www.antid0te.com/images/map_berlin_marriott.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. 
Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="58%"> <col width="22%"> <col width="21%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price</td> <td>VAT</td> </tr> <tr><td>Early Bird (before 14th March)</td> <td>4000,- EUR</td> <td>760,- EUR</td> </tr> <tr><td>Regular (before 25th April)</td> <td>4500,- EUR</td> <td>855,- EUR</td> </tr> <tr><td>Late (after 25th April)</td> <td>5000,- EUR</td> <td>950,- EUR</td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks, and free soft drinks in the training room.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions or want to register for this training please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>. Please note that signup, billing and execution of the training are performed by Antid0te UG (haftungsbeschränkt).</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Exploitation</category>
<category>Hide</category>
<guid>https://www.antid0te.com/blog/19-05-20-ios-kernel-exploitation-berlin.html</guid>
<pubDate>Thu, 21 Feb 2019 09:00:00 GMT</pubDate>
</item>
<item>
<title>iOS Kernel Exploitation Training Singapore EDITION (January 2019)</title>
<link>https://www.antid0te.com/blog/19-01-21-ios-kernel-exploitation-singapore.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te (Singapore) in cooperation with COSEINC organises a new iOS Kernel Exploitation Singapore Edition Training in January 2019.</p> <!-- teaser_end: read more ... --> <img alt="/images/exploit_training.jpg" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/exploit_training.jpg"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te SG Pte. Ltd.)</div> <div class="line"><strong>Dates:</strong> 21st January - 25th January 2019 (5 days)</div> <div class="line"><strong>Venue:</strong> Novotel Clarke Quay, Singapore</div> <div class="line"><strong>Availability:</strong> 20 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>For years the SektionEins and Antid0te iOS Kernel Exploitation Trainings have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 jailbreaks use techniques that are also taught in our trainings. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or have even joined Apple as employees. However, Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.</p> <p>With the upcoming release of iOS 12 Apple introduces a huge number of security relevant changes to the iOS kernel, from the binary layout to the implementation of the kernel heap, the sandbox and code signing. iOS researchers have, for example, called it the biggest modification to the iOS kernel heap in a long time. Our training will discuss all these changes in iOS 12.</p> <p>This training is at the end of September 2018. It will be happening in Singapore and was redesigned by our Singaporean partner company Antid0te SG Pte. 
Ltd. to contain new material that builds on top of more vulnerabilities that were made public in recent years and the corresponding public exploit source code. It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS and could not come to our training course in Germany.</p> <p>The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what is usually covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>How to set up your Mac and Device for Vuln Research/Exploit Development</li> <li>How to load your own kernel modules into the iOS kernel</li> <li>How to write Code for your iDevice</li> <li>Damn Vulnerable iOS Kernel Extension</li> </ul> </li> <li><strong>Low Level ARM / ARM64</strong><ul> <li>Differences between ARM and ARM64</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and Pointer Authentication</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>MAC Policy Hooks, Sandbox, Entitlements, Code Signing</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Reversing</strong><ul> <li>Structure of the Kernel Binary</li> <li>Finding Important Structures</li> <li>Porting Symbols</li> <li>Closed Source Kernel Parts and How to analyze them</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Debugging</strong><ul> <li>Panic Dumps</li> <li>Using the KDP Kernel Debugger (hands-on tasks limited to 30-pin devices)</li> <li>Extending the Kernel Debugger (KDP++)</li> <li>Debugging with own Patches</li> <li>Kernel Heap Debugging/Visualization (new software package)</li> </ul> </li> <li><strong>iOS Kernel Heap</strong><ul> <li>In-Depth 
Explanation of How the Kernel Heap works (including all the changes in iOS 12)</li> <li>Different techniques to control the kernel heap layout (including non-public ones)</li> <li>Discussion of weaknesses in the current heap implementation</li> </ul> </li> <li><strong>iOS Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>iOS Kernel Vulnerabilities and their Exploitation</strong><ul> <li>Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities</li> <li>Analysis of public exploits and discussion of how to improve them</li> <li>Overview of different vulnerability types commonly found in the iOS kernel and exploit strategies</li> <li>Part of the training will be to reimplement bits and pieces of an iOS 11 kernel exploit</li> </ul> </li> <li><strong>iOS Kernel Jailbreaking</strong><ul> <li>Discussion of kernel patch protection KTRR / KPP</li> <li>Discussion of how recent iOS jailbreaks deal with kernel patch protection</li> </ul> </li> <li><strong>Handling of New Devices</strong><ul> <li>Discussion of necessary steps to port exploits from old to new devices</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>The whole training material (several hundred slides) will be handed to the students in digital form.</li> <li>Trainees will get a license for our software and scripts that are used during the training that allows usage but not redistribution of said software.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. 
It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training. There is a short refresher inside the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.</li> <li>This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.</li> <li>This is a new version of the training that incorporates more public examples of vulnerabilities and exploits - export restrictions do not apply for this special version of the training</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>An Apple Mac Notebook is required in order to run OS X Yosemite and Xcode.</li> <li>Training hands-on exercises will be performed on devices provided by Antid0te. It is not required for students to bring their own iOS devices.</li> <li>Every student will be handed an iPod Touch 16GB at the beginning of the training that they will work on - these devices remain the property of Antid0te SG Pte. Ltd.</li> <li>Students can optionally bring their own iOS device for experiments. But for best results these devices should run an iOS version which has a public jailbreak for it.</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>Legal IDA Pro 6.x license (ARM64 support required)</li> <li>alternatively Hopper/Binary Ninja can be used, but script support varies by tool</li> <li>Hex-Rays for ARM helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.13, with latest Xcode and iOS 11.x SDK (or newer)</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at Novotel Clarke Quay (Singapore). 
The Novotel is located near Clarke Quay MRT (purple line) and near Fort Canning (downtown line) in Singapore.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Novotel Singapore Clarke Quay</div> <div class="line">177A River Valley Rd</div> <div class="line">Singapore 179031</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/6VUPrv2Wwvx" style="border:0"><img src="https://www.antid0te.com/images/map_singapore_novotel.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. The prices are in Singapore Dollars and include 7% GST.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="72%"> <col width="28%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price</td> </tr> <tr><td>Regular (before 7th January)</td> <td>S$ 6420</td> </tr> <tr><td>Registration closes 7th January</td> <td> </td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions about this training please contact us by e-mail <a class="reference external" href="mailto:training@antid0te-sg.com">training@antid0te-sg.com</a>. If you want to sign up for this training please do this via <a class="reference external" href="http://coseinc.com/en/index.php?rt=courses&amp;code=COSEINC-IKE">COSEINC, here</a>. Please note that signup and billing of the training are performed by <a class="reference external" href="http://coseinc.com/en/index.php?rt=courses&amp;code=COSEINC-IKE">COSEINC</a>. Execution of the training, however, is done by Antid0te SG Pte. 
Ltd.</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te-sg.com">training@antid0te-sg.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Exploitation</category>
<category>Hide</category>
<guid>https://www.antid0te.com/blog/19-01-21-ios-kernel-exploitation-singapore.html</guid>
<pubDate>Sat, 29 Sep 2018 09:00:00 GMT</pubDate>
</item>
<item>
<title>iOS 11/12 Kernel Exploitation Training (November 2018)</title>
<link>https://www.antid0te.com/blog/18-11-26-ios-kernel-exploitation-berlin.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Antid0te organises an iOS Kernel Exploitation Training in Berlin in November 2018.</p> <!-- teaser_end: read more ... --> <img alt="/images/exploit_training.jpg" class="thumbnail" id="imgtc" src="https://www.antid0te.com/images/exploit_training.jpg"> <!-- --> <div class="line-block"> <div class="line"><strong>Instructor:</strong> Stefan Esser (Antid0te UG)</div> <div class="line"><strong>Dates:</strong> 26th November - 30th November 2018 (5 days)</div> <div class="line"><strong>Venue:</strong> Berlin Marriott Hotel, Germany</div> <div class="line"><strong>Availability:</strong> 15 Seats</div> <div class="line"><strong>Language:</strong> English</div> <div class="line"><br></div> </div> <p>The SektionEins and Antid0te iOS Kernel Exploitation Trainings in 2014-2018 have been so successful that former trainees, tricks, techniques and vulnerabilities from the training have been directly involved in the making of some of the public iOS jailbreaks up to iOS 10.2. Even the public iOS 11 jailbreaks use techniques that are also taught in this training. Furthermore, several of our former attendees can now be seen credited by Apple for security bug fixes in recent iOS and OS X releases or have even joined Apple as employees. However, Apple's internal development of the iOS kernel never stands still and they keep adding new security mitigations to defeat previously used attacks.</p> <p>With the upcoming release of iOS 12 Apple introduces a huge number of security relevant changes to the iOS kernel, from the binary layout to the implementation of the kernel heap, the sandbox and code signing. iOS researchers have, for example, called it the biggest modification to the iOS kernel heap in a long time. Our training will discuss all these changes in iOS 12.</p> <p>The next training is at the end of November 2018. It will be happening in the Berlin Marriott Hotel near Potsdamer Platz between November 26th and November 30th 2018. 
It is a full 5-day course and is targeted at exploit developers that want to switch over to iOS. For our end-of-year edition we will have redesigned 30% of the course from previous material.</p> <p>With the release of iOS 11 Apple has discontinued support for 32-bit iOS devices (except for the Apple Watch) and therefore all 32-bit specific topics will be removed from the syllabus. However, trainees will get access to the 32-bit specific training material from earlier trainings. All training exercises will be performed on 64-bit iPod touch 32GB devices that will be running on iOS 11.x. Trainees will take these devices home after the training.</p> <p>The goal of this training is to enable you to exploit new vulnerabilities in the iOS kernel that you discover on your own.</p> <div class="section" id="topics"> <h2>Topics</h2> <p>The following list of topics shows what is usually covered by the course.</p> <ul class="simple"> <li><strong>Introduction</strong><ul> <li>How to set up your Mac and Device for Vuln Research/Exploit Development</li> <li>How to load your own kernel modules into the iOS kernel</li> <li>How to write Code for your iDevice</li> <li>Damn Vulnerable iOS Kernel Extension</li> </ul> </li> <li><strong>Low Level ARM / ARM64</strong><ul> <li>Differences between ARM and ARM64</li> <li>Exception Handling</li> <li>Hardware Page Tables</li> <li>Special Registers used by iOS</li> <li>PAN and Pointer Authentication</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Source Code</strong><ul> <li>Structure of the Kernel Source Code</li> <li>Where to look for Vulnerabilities</li> <li>Implementation of Mitigations</li> <li>MAC Policy Hooks, Sandbox, Entitlements, Code Signing</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel Reversing</strong><ul> <li>Structure of the Kernel Binary</li> <li>Finding Important Structures</li> <li>Porting Symbols</li> <li>Closed Source Kernel Parts and How to analyze them</li> <li>...</li> </ul> </li> <li><strong>iOS Kernel 
Debugging</strong><ul> <li>Panic Dumps</li> <li>Using the KDP Kernel Debugger (hands-on tasks limited to 30-pin devices)</li> <li>Extending the Kernel Debugger (KDP++)</li> <li>Debugging with own Patches</li> <li>Kernel Heap Debugging/Visualization (new software package)</li> </ul> </li> <li><strong>iOS Kernel Heap</strong><ul> <li>In-Depth Explanation of How the Kernel Heap works (including all the changes in iOS 12)</li> <li>Different techniques to control the kernel heap layout (including non-public ones)</li> <li>Discussion of weaknesses in the current heap implementation</li> </ul> </li> <li><strong>iOS Kernel Exploit Mitigations</strong><ul> <li>Discussion of all the iOS Kernel Exploit Mitigations introduced</li> <li>Discussion of various weaknesses in these protections</li> </ul> </li> <li><strong>iOS Kernel Vulnerabilities and their Exploitation</strong><ul> <li>Full walkthrough of the exploitation of multiple previously known iOS memory corruption vulnerabilities</li> <li>Analysis of public exploits and discussion of how to improve them</li> <li>Overview of different vulnerability types commonly found in the iOS kernel and exploit strategies</li> <li>Part of the training will be to reimplement bits and pieces of an iOS 11 kernel exploit</li> </ul> </li> <li><strong>iOS Kernel Jailbreaking</strong><ul> <li>Discussion of kernel patch protection KTRR / KPP</li> <li>Discussion of how recent iOS jailbreaks deal with kernel patch protection</li> </ul> </li> <li><strong>Handling of New Devices</strong><ul> <li>Discussion of necessary steps to port exploits from old to new devices</li> </ul> </li> </ul> </div> <div class="section" id="training-takeaways"> <h2>Training Takeaways</h2> <ul class="simple"> <li>All students will take home an iPod Touch 32GB (64 bit) with a current retail value of 229,- EUR (these iPods are jailbroken on iOS 11.x for the hands-on during the training).</li> <li>The whole training material (several hundred slides) will be handed to the students in digital 
form.</li> <li>In addition, the training material of our previous course will be handed out in digital form.</li> <li>Trainees will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software.</li> </ul> </div> <div class="section" id="training-requirements"> <h2>Training Requirements</h2> <ul class="simple"> <li><strong>Student Requirements</strong><ul> <li>This course will not give an introduction to ARM basics. The trainee is required to understand basic ARM assembly. It is not required to have previous experience with ARM64 CPUs, because their differences are discussed within the training. There is a short refresher inside the training. Low level ARM CPU knowledge will be helpful, but is not required for this course - part of it will be explained within the course.</li> <li>This course will not give a basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP, buffer overflows, integer overflows, etc.</li> <li>About 3 weeks before the training trainees will receive a paper that covers introductory information. Trainees are required to read and work through this document in order to ensure that all software is correctly installed and some basics are understood.</li> <li>Due to new EU export regulations on so-called "Intrusion Software Technology" all exploitation trainings are subject to export control. This means we can currently only accept students from the EU, Switzerland, USA, Canada, Japan, Norway, Liechtenstein, New Zealand and Australia.</li> </ul> </li> <li><strong>Hardware Requirements</strong><ul> <li>An Apple Mac Notebook is required in order to run OS X Yosemite and Xcode.</li> <li>Training hands-on exercises will be performed on devices provided by Antid0te. 
It is not required for students to bring their own iOS devices.</li> <li>Every student will be handed an iPod Touch 32GB at the beginning of the training that they will work on and can take home after the training.</li> <li>Students can optionally bring their own iOS device for experiments. But for best results these devices should run an iOS version which has a public jailbreak for it.</li> <li>Students are not required to bring iOS serial cables for older devices to the training, because these will be provided by Antid0te if required.</li> </ul> </li> <li><strong>Software Requirements</strong><ul> <li>Legal IDA Pro 6.x license (ARM64 support required)</li> <li>alternatively Hopper/Binary Ninja can be used, but script support varies by tool</li> <li>Hex-Rays for ARM helpful, but not required</li> <li>BinDiff for IDA helpful, but not required</li> <li>Mac OS X 10.13, with latest Xcode and iOS 11.x SDK (or newer)</li> <li>Additional Software will be made available during the training</li> </ul> </li> </ul> </div> <div class="section" id="venue"> <h2>Venue</h2> <p>The training will be held at the Berlin Marriott Hotel (Germany). The hotel is located near Potsdamer Platz in Berlin, which is easily reachable with public transportation from many parts of Berlin.</p> <div class="line-block"> <div class="line"><strong>Address:</strong></div> <div class="line">Berlin Marriott Hotel</div> <div class="line">Inge-Beisheim-Platz 1</div> <div class="line">10785 Berlin</div> <div class="line"><br></div> </div> <a href="https://goo.gl/maps/g2ThQo8E6Jq" style="border:0"><img src="https://www.antid0te.com/images/map_berlin_marriott.png" width="600px" style="border:0"></a><br><br><p>No special deal has been made with the hotel concerning rooms for the attendees. Attendees are free to choose whatever hotel is nearby.</p> </div> <div class="section" id="pricing"> <h2>Pricing</h2> <div class="line-block"> <div class="line">We offer the following rates for this training. 
Attention: Trainees paying for the training themselves or companies within the European Union have to pay VAT on top of the base price.</div> <div class="line"><br></div> </div> <table border="1" class="docutils"> <colgroup> <col width="58%"> <col width="22%"> <col width="21%"> </colgroup> <tbody valign="top"> <tr><td> </td> <td>Price</td> <td>VAT</td> </tr> <tr><td>Early Bird (before 15th August)</td> <td>4000,- EUR</td> <td>760,- EUR</td> </tr> <tr><td>Regular (before 29th October)</td> <td>4500,- EUR</td> <td>855,- EUR</td> </tr> <tr><td>Late (after 29th October)</td> <td>5000,- EUR</td> <td>950,- EUR</td> </tr> </tbody> </table> <p>The training ticket price includes daily lunch, morning and afternoon coffee breaks, and free soft drinks in the training room.</p> </div> <div class="section" id="register"> <h2>Register</h2> <p>If you have further questions or want to register for this training please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>. Please note that signup, billing and execution of the training are performed by Antid0te UG (haftungsbeschränkt).</p> </div> <div class="section" id="in-house-training-conferences-additional-trainings"> <h2>In-House Training / Conferences / Additional Trainings</h2> <p>If you are interested in this training, but want us to perform the training for your people at your office, want to feature our training at your conference or would just like to know if we provide the training again at a later time please contact us by e-mail <a class="reference external" href="mailto:training@antid0te.com">training@antid0te.com</a>.</p> </div></div></description>
<category>Blog</category>
<category>Training</category>
<category>iOS</category>
<category>Kernel</category>
<category>Exploitation</category>
<category>Hide</category>
<guid>https://www.antid0te.com/blog/18-11-26-ios-kernel-exploitation-berlin.html</guid>
<pubDate>Mon, 25 Jun 2018 09:00:00 GMT</pubDate>
</item>
<item>
<title>setattrlist() iOS Kernel Vulnerability Explained</title>
<link>https://www.antid0te.com/blog/17-04-08-setattrlist-ios-kernel-vulnerability-explained.html</link>
<dc:creator>Stefan Esser</dc:creator>
<description><div><p>Analysis of an iOS kernel vulnerability that Apple attempted to fix repeatedly for years.</p> <!-- teaser_end: read more ... --> <style> blockquote p, blockquote {font-family: monospace; font-size: 14px;} #imglogo { float: right; margin-left: 20px; width: 150px; border-radius: 24%; } #imgtc { float:none; clear: both; margin: 30px; width: 1000px; padding:1px; border:1px solid #000000;} #imgjb {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} #imgpl {float: right; margin-left: 30px; width: 150px; padding:1px; border:1px solid #000000;} </style><div class="section" id="intro"> <h2>Intro</h2> <p>In 2011, around the time of the release of the iOS 5 beta versions, we discovered a memory corruption vulnerability in the <strong>setattrlist()</strong> system call in the iOS kernel. This system call was (or still is) reachable from within (most of) the iOS sandboxes and this vulnerability therefore belongs to the class of the most critical vulnerabilities that you can find in iOS. This blog post and a number of follow-up blog posts will describe the history of this vulnerability, how Apple failed to patch this critical vulnerability multiple times over the course of <strong>3 years</strong> and how it can be exploited to allow arbitrary code execution in kernel land.</p> </div> <div class="section" id="setattrlist"> <h2>setattrlist()</h2> <p>The system call <strong>setattrlist()</strong> provides an interface to programmatically change the attributes of files on the filesystem. It is called with a so-called <strong>attrlist</strong> that defines which attributes should be changed and a user-supplied <strong>attributeBuffer</strong> that contains the definition of each of the attributes to be set. 
This system call and its variations are defined in the file <em>/bsd/vfs/vfs_attrlist.c</em> of the XNU source code.</p> <pre class="code c literal-block">
int setattrlist(const char *path, struct attrlist *alist, void *attributeBuffer, size_t bufferSize, u_long options)
</pre> <p>Parsing of the user supplied <strong>attributeBuffer</strong> works by first copying the data into a kernel allocated buffer and then parsing the contained attributes in a fixed order.</p> <pre class="code c literal-block">
if (uap-&gt;bufferSize &gt; ATTR_MAX_BUFFER) {
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size %d too large", uap-&gt;bufferSize);
    error = ENOMEM;
    goto out;
}
MALLOC(user_buf, char *, uap-&gt;bufferSize, M_TEMP, M_WAITOK);            // &lt;----- allocation of buffer
if (user_buf == NULL) {
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: could not allocate %d bytes for buffer", uap-&gt;bufferSize);
    error = ENOMEM;
    goto out;
}
if ((error = copyin(uap-&gt;attributeBuffer, user_buf, uap-&gt;bufferSize)) != 0) {   // &lt;---- copying of data
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer copyin failed");
    goto out;
}
</pre> <p>The code then parses the user supplied buffer in a fixed order for all submitted attributes. While the buffer is parsed, <strong>cursor</strong> always points at the current buffer position and <strong>bufend</strong> marks the end of the buffer.</p> <pre class="code c literal-block">
/*
 * Unpack the argument buffer.
 */
cursor = user_buf;
bufend = cursor + uap-&gt;bufferSize;

/* common */
if (al.commonattr &amp; ATTR_CMN_SCRIPT) {
    ATTR_UNPACK(va.va_encoding);
    VATTR_SET_ACTIVE(&amp;va, va_encoding);
}
if (al.commonattr &amp; ATTR_CMN_CRTIME) {
    ATTR_UNPACK_TIME(va.va_create_time, proc_is64);
    VATTR_SET_ACTIVE(&amp;va, va_create_time);
}
if (al.commonattr &amp; ATTR_CMN_MODTIME) {
    ATTR_UNPACK_TIME(va.va_modify_time, proc_is64);
    VATTR_SET_ACTIVE(&amp;va, va_modify_time);
}
</pre> <p>The <strong>ATTR_UNPACK</strong> macro above and similar macros copy data out of the attribute buffer in a way that automatically advances <strong>cursor</strong> and ensures that the end of the buffer is not exceeded.</p> </div> <div class="section" id="original-code-in-ios-5-and-below"> <h2>Original Code in iOS 5 and below</h2> <p>In some cases, instead of reading the data directly with the <strong>ATTR_UNPACK</strong> macro, an <strong>attrreference</strong> structure (defined below) is read from the buffer; it specifies where in the buffer the actual attribute data is stored and how long it is.</p> <pre class="code c literal-block">
typedef struct attrreference {
    int32_t   attr_dataoffset;
    u_int32_t attr_length;
} attrreference_t;
</pre> <p>With the definition of this structure in mind we can now take a look at the vulnerable code inside the <strong>setattrlist_internal()</strong> function.</p> <pre class="code c literal-block">
2277 /* volume */
2278 if (al.volattr &amp; ATTR_VOL_INFO) {
2279     if (al.volattr &amp; ATTR_VOL_NAME) {
2280         volname = cursor;
2281         ATTR_UNPACK(ar);
2282         volname += ar.attr_dataoffset;
2283         if ((volname + ar.attr_length) &gt; bufend) {
2284             error = EINVAL;
2285             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: volume name too big for caller buffer");
2286             goto out;
2287         }
2288         /* guarantee NUL termination */
2289         volname[ar.attr_length - 1] = 0;
2290     }
2291 }
</pre> <p>When you look at the code above you can see that <strong>volname</strong> is set to the current buffer position in line 2280. In the next line an <strong>attrreference</strong> structure is extracted from the user supplied buffer. Its content is used to determine where the actual <strong>volname</strong> is inside the buffer. First, in line 2282, <strong>volname</strong> is adjusted by adding the data offset <strong>ar.attr_dataoffset</strong> to it. Finally, in line 2289, a single zero byte is written to the volname at offset <strong>ar.attr_length-1</strong>. This is done to ensure the volume name is zero terminated inside the buffer. To ensure the write doesn't happen outside the buffer it is verified in line 2283 that <strong>volname + ar.attr_length</strong> does not exceed the end of the buffer. Keep in mind that both <strong>attr_dataoffset</strong> and <strong>attr_length</strong> are user input.</p> <p>There are however a number of problems with this little piece of code that we will go into step by step. The first problem is that <strong>ar.attr_dataoffset</strong> is defined as a signed integer.
This means a negative data offset can move <strong>volname</strong> in front of the allocated kernel heap buffer in line 2282. If <strong>volname</strong> is moved in front of the buffer the check in line 2283 is useless. This means line 2289 will write a single zero byte to an attacker controlled position in front of the allocated buffer. This leads to an exploitable memory corruption.</p> </div> <div class="section" id="fix-1"> <h2>Fix 1</h2> <p>With the release of iOS 6 Apple applied a security fix to the code above that addresses the problem of a possible negative <strong>ar.attr_dataoffset</strong> by adding a new check. Back then this change could easily be spotted by anyone who was binary diffing the iOS kernel for changes.</p> <pre class="code c literal-block">
2290 /* volume */
2291 if (al.volattr &amp; ATTR_VOL_INFO) {
2292     if (al.volattr &amp; ATTR_VOL_NAME) {
2293         volname = cursor;
2294         ATTR_UNPACK(ar);
2295         /* attr_dataoffset cannot be negative! */
2296         if (ar.attr_dataoffset &lt; 0) {
2297             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: bad offset supplied (2) ", ar.attr_dataoffset);
2298             error = EINVAL;
2299             goto out;
2300         }
2301
2302         volname += ar.attr_dataoffset;
2303         if ((volname + ar.attr_length) &gt; bufend) {
2304             error = EINVAL;
2305             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: volume name too big for caller buffer");
2306             goto out;
2307         }
2308         /* guarantee NUL termination */
2309         volname[ar.attr_length - 1] = 0;
2310     }
2311 }
</pre> <p>There are however a few problems with Apple's security patch. First and most importantly, a negative <strong>ar.attr_dataoffset</strong> was only one of multiple exploitable scenarios in these few lines of code. The second problem is that failing to patch this small piece of code correctly made it worse. Security fixes like this can be found by automatic binary diffing tools that search for inserted checks. Code highlighted by those tools is then evaluated by exploit developers trying to understand the problem and create an exploit for it. Any exploit developer worth his money should immediately realize that there are other exploitable problems in this code.</p> <p>So what other exploitable conditions exist in these few lines of code? The next one that was spotted by Apple is that writing to <strong>volname[ar.attr_length - 1]</strong> potentially writes outside of the buffer in case the length is specified as 0.</p> </div> <div class="section" id="fix-2"> <h2>Fix 2</h2> <p>One year later, with the release of iOS 7, Apple had become aware of the second exploitable condition in those few lines of code and applied a fix.
The fix is basically just one additional check to ensure that <strong>ar.attr_length</strong> is not 0.</p> <pre class="code c literal-block">
2290 /* volume */
2291 if (al.volattr &amp; ATTR_VOL_INFO) {
2292     if (al.volattr &amp; ATTR_VOL_NAME) {
2293         volname = cursor;
2294         ATTR_UNPACK(ar);
2295         /* attr_length cannot be 0! */
2296         if ((ar.attr_dataoffset &lt; 0) || (ar.attr_length == 0)) {
2297             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: bad offset supplied (2) ", ar.attr_dataoffset);
2298             error = EINVAL;
2299             goto out;
2300         }
2301
2302         volname += ar.attr_dataoffset;
2303         if ((volname + ar.attr_length) &gt; bufend) {
2304             error = EINVAL;
2305             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: volume name too big for caller buffer");
2306             goto out;
2307         }
2308         /* guarantee NUL termination */
2309         volname[ar.attr_length - 1] = 0;
2310     }
2311 }
</pre> <p>Unfortunately this patch had the same problems as the previous patch. It is incomplete and it highlights this position for anyone who was binary diffing iOS kernels. The problem that Apple missed both times was that <strong>volname + ar.attr_length</strong> in line 2303 might overflow on 32-bit systems, and therefore the pointer might wrap around and suddenly point in front of the buffer. It will therefore pass the check against <strong>bufend</strong> in the same line and the write of the zero byte will happen outside the buffer. Until iOS 7 this basically affected all iOS devices, because all of them were 32-bit. With iOS 7 Apple introduced their first 64-bit device, the iPhone 5s, which would not have this problem.
Nevertheless the bug continued to be exploitable on all the other devices.</p> </div> <div class="section" id="fix-3"> <h2>Fix 3</h2> <p>Two years later, with the release of iOS 9, Apple became aware of this problem and restructured the conditions inside the function to take pointer wraps into consideration.</p> <pre class="code c literal-block">
3826 /* volume */
3827 if (al.volattr &amp; ATTR_VOL_INFO) {
3828     if (al.volattr &amp; ATTR_VOL_NAME) {
3829         volname = cursor;
3830         ATTR_UNPACK(ar);
3831         /* attr_length cannot be 0! */
3832         if ((ar.attr_dataoffset &lt; 0) || (ar.attr_length == 0) ||
3833             (ar.attr_length &gt; uap-&gt;bufferSize) ||
3834             (uap-&gt;bufferSize - ar.attr_length &lt; (unsigned)ar.attr_dataoffset)) {
3835             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: bad offset supplied (2) ", ar.attr_dataoffset);
3836             error = EINVAL;
3837             goto out;
3838         }
3839
3840         if (volname &gt;= bufend - ar.attr_dataoffset - ar.attr_length) {
3841             error = EINVAL;
3842             VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: volume name too big for caller buffer");
3843             goto out;
3844         }
3845         volname += ar.attr_dataoffset;
3846         /* guarantee NUL termination */
3847         volname[ar.attr_length - 1] = 0;
3848     }
3849 }
</pre> <p>With these additional checks it seems Apple finally fixed all the exploitable conditions in these few lines of code.
However they still write directly into the user supplied buffer for performance reasons instead of creating a copy of the volume name and using that.</p> </div> <div class="section" id="conclusion"> <h2>Conclusion</h2> <p>This vulnerability demonstrates how even simple security problems can survive in the iOS kernel for years, even though Apple was aware of the exact position of the trouble. From the initial patch in iOS 6 it took them <strong>3 years</strong> to finally fix the code correctly. And in this instance we are not talking about complicated code paths that one would have to understand to find all the possible exploitable conditions. No, in this case we are talking about a single write through a pointer that is influenced by two user supplied variables. It is really hard to understand why the Apple security team did not see the other exploitable conditions in 2012 when this bug was fixed the first time.</p> <p>Unfortunately this instance of Apple incorrectly fixing critical vulnerabilities in their code is only one of many similar instances that were exposed by us and other security researchers over the last years. However, we believe this instance is unique in that it is the simplest of all the bugs we know of that Apple fixed incorrectly. It might also be the one instance that survived the longest.</p> <p>We have been concerned for a while now that the fastest and cheapest way for attackers to break into iOS is to analyse patches applied by Apple and collect those bugs until they form a full exploitation chain. We would have to dig into this a bit deeper, but we have the feeling that since we first looked into iOS around 2010 there has never been a single iOS version that did not contain an incomplete fix for a previously detected security problem.
This bug, for example, already covers all iOS versions from iOS 5 through iOS 8.x.</p> </div> <div class="section" id="exploitation"> <h2>Exploitation</h2> <p>You might have come to this blog post in the hope of learning something about the exploitation of this vulnerability, but for now we ask you to wait a bit. We have planned a few more blog posts about the exploitation of this vulnerability for the simple reason that over all these years, and because of changes in iOS, we created 4 different exploits for this vulnerability. Here are the reasons why:</p> <blockquote> <ul class="simple"> <li>iOS 5 - the initial version of the exploit at a time with no mitigations at all in the kernel</li> <li>iOS 6 - the first incarnation of iOS with KASLR and other kernel level mitigations</li> <li>iOS 7 - the time when Apple changed the kernel heap to make heap memory corruptions trivial to exploit</li> <li>iOS 8 - the time when Apple protected the heap again from their previous mistake</li> </ul> </blockquote> <p>The exploitation of this bug is discussed in a presentation about the same topic at the <a class="reference external" href="https://gsec.hitb.org/sg2017/commsec-track/">COMMSEC track of HITBGSEC 2017 in Singapore in 2 weeks</a>. Anyone can attend this talk, no ticket to the HITBGSEC conference is required.</p> <p><em>Stefan Esser</em></p> </div></div></description>
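The three conditions the post walks through (negative offset, zero length, and the 32-bit pointer wrap of volname + attr_length) and the checks Apple shipped in iOS 5, iOS 7 and iOS 9, rebuilt as an added stand-alone C example. This is not code from Stefan Esser's post or from XNU: addresses are simulated with uint32_t so the wraparound behaviour of 32-bit iOS devices is reproduced on any host, and the buffer layout, the scenario values and all function names (check_ios5, check_ios7, check_ios9, check_misses_oob, nul_write_addr) are constructed for this example. It shows why the iOS 9 approach, validating offset and length against the buffer size before any pointer arithmetic, is the one that closes all three cases.

```c
/* Added example (not XNU code): the setattrlist() volume-name checks from the
 * post, rebuilt over a simulated 32-bit address space so that each insufficient
 * check can be exercised. All names and values below are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

typedef struct attrreference {
    int32_t  attr_dataoffset;   /* signed: the first of the three problems */
    uint32_t attr_length;
} attrreference_t;

/* Simulated kernel heap buffer. All arithmetic is done in uint32_t so that
 * pointer wraparound behaves as it did on 32-bit iOS devices. */
typedef struct {
    uint32_t base;    /* address of user_buf */
    uint32_t size;    /* uap->bufferSize */
    uint32_t cursor;  /* address of volname before the data offset is applied */
} buf32_t;

/* Address hit by the write volname[attr_length - 1], computed the way the
 * iOS 5 to iOS 8 code computed it: wrapping 32-bit pointer arithmetic. */
static uint32_t nul_write_addr(const buf32_t *b, attrreference_t ar) {
    uint32_t volname = b->cursor + (uint32_t)ar.attr_dataoffset;
    return volname + (ar.attr_length - 1u);
}

/* True when addr lies inside [base, base + size). base + size is assumed not to wrap. */
static bool addr_in_buffer(const buf32_t *b, uint32_t addr) {
    return addr >= b->base && addr < b->base + b->size;
}

/* iOS 5: only (volname + attr_length) > bufend is checked. */
static int check_ios5(const buf32_t *b, attrreference_t ar) {
    uint32_t bufend  = b->base + b->size;
    uint32_t volname = b->cursor + (uint32_t)ar.attr_dataoffset;
    if (volname + ar.attr_length > bufend)   /* wraps for large attr_length */
        return EINVAL;
    return 0;
}

/* iOS 7 (Fix 1 + Fix 2): rejects a negative offset and a zero length, then
 * falls back to the same wrapping pointer comparison. */
static int check_ios7(const buf32_t *b, attrreference_t ar) {
    if (ar.attr_dataoffset < 0 || ar.attr_length == 0)
        return EINVAL;
    return check_ios5(b, ar);
}

/* iOS 9 (Fix 3): validates offset and length against the buffer size first, so
 * the later pointer comparison can no longer wrap. */
static int check_ios9(const buf32_t *b, attrreference_t ar) {
    if (ar.attr_dataoffset < 0 || ar.attr_length == 0 ||
        ar.attr_length > b->size ||
        b->size - ar.attr_length < (uint32_t)ar.attr_dataoffset)
        return EINVAL;
    uint32_t bufend = b->base + b->size;
    /* Both terms subtracted are now known to sum to at most size: no underflow. */
    if (b->cursor >= bufend - (uint32_t)ar.attr_dataoffset - ar.attr_length)
        return EINVAL;
    return 0;
}

/* True when `check` accepts the reference although the NUL write would land
 * outside the buffer, i.e. the check is insufficient for this input. */
static bool check_misses_oob(int (*check)(const buf32_t *, attrreference_t),
                             const buf32_t *b, attrreference_t ar) {
    return check(b, ar) == 0 && !addr_in_buffer(b, nul_write_addr(b, ar));
}

/* Constructed scenarios: a 256-byte buffer with the attrreference at its start. */
static const buf32_t        EXAMPLE_BUF = { 0x80100000u, 0x100u, 0x80100000u };
static const attrreference_t AR_NEGATIVE = { -0x1000, 0x20 };       /* iOS 5 bug   */
static const attrreference_t AR_ZERO_LEN = { 0, 0 };                /* iOS 6 bug   */
static const attrreference_t AR_WRAP     = { 0, 0xFFFFFF00u };      /* iOS 7/8 bug */
static const attrreference_t AR_VALID    = { 8, 16 };               /* legitimate  */

int main(void) {
    struct { const char *name; attrreference_t ar; } cases[] = {
        { "negative offset", AR_NEGATIVE }, { "zero length", AR_ZERO_LEN },
        { "32-bit pointer wrap", AR_WRAP }, { "valid reference", AR_VALID },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s out-of-bounds write accepted by iOS5:%d iOS7:%d iOS9:%d\n",
               cases[i].name,
               check_misses_oob(check_ios5, &EXAMPLE_BUF, cases[i].ar),
               check_misses_oob(check_ios7, &EXAMPLE_BUF, cases[i].ar),
               check_misses_oob(check_ios9, &EXAMPLE_BUF, cases[i].ar));
    return 0;
}
```

The design point is the order of operations: check_ios5 and check_ios7 derive a pointer from user input and only then compare it, so any input that makes the derivation wrap (negative offset, or a length that pushes the pointer past 2^32 on a 32-bit kernel) defeats the comparison; check_ios9 reasons about sizes in unsigned integer space first, where the range of valid (offset, length) pairs is fully known, and only touches the pointer afterwards.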
<category>Blog</category>
<category>iOS</category>
<category>Jailbreak</category>
<category>Vulnerabilities</category>
<guid>https://www.antid0te.com/blog/17-04-08-setattrlist-ios-kernel-vulnerability-explained.html</guid>
<pubDate>Sat, 08 Apr 2017 10:00:00 GMT</pubDate>
</item>
</channel>
</rss>