Summary of Critical and Exploitable iOS Vulnerabilities in 2016

Author:Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky

0x00 Introduction

iOS security is far more fragile than you believe. And there are lots of critical and exploitable iOS vulnerabilities in the wild. We summarized these critical iOS vulnerabilities which can be used for remote code execution or jailbreaking in this report. Hopefully, it can bring some help for your mobile security research.

0x01 iOS 10.1.1 Critical and Exploitable Vulnerabilities

1. Mach_portal exploit chain: The exploit chain was published by Ian Beer of Google Project Zero. The whole exploit chain consists of three vulnerabilities:

CVE-2016-7637: Broken kernel Mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes.

CVE-2016-7661: MacOS/iOS arbitrary port replacement in powerd.

CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port.

The attacker first uses CVE-2016-7637 to replace launchd's send right to “com.apple.iohideventsystem” with a send right to a port which belongs to the attacker. The attacker also holds the receive right of that port. Then the attacker uses CVE-2016-7661 to crash the “powerd” daemon which runs as root. Because of the daemon mechanism, the “powerd” will automatically restart but its startup process will look up the “com.apple.iohideventsystem” Mach service and send its own task port to that service. Because the attacker holds the receive right of that port which means the “powerd” actually sends its task port to the attacker. After that, the attacker uses “powerd”'s task port to get the host_priv port which is used to trigger the XNU kernel UaF bug (CVE-2016-7644). Because the kernel forgets to lock the set_dp_control_port when releasing a reference on a port, the attacker can get a send right to the kernel task port. After getting the kernel task port, the attacker can use mach_vm_read() and mach_vm_write() which provided by the XNU system to modify kernel memory.

In 2016.12.22, based on the Beer’s Mach_portal exploit chain, qwertyoruiop added KPP bypass, kernel patch, and Cydia installation on this project. Then he released iOS 10.0.*/10.1.* jailbreak for arm64 devices on yalu.qwertyoruiop.com.

0x02 iOS 9.3.4 Critical and Exploitable Vulnerabilities

1. PEGASUS/Trident exploit chain: The exploit chain was found from an apt issue for a human rights activist. There are three vulnerabilities in the Trident exploit:

CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution.

CVE-2016-4655: An application may be able to disclose kernel memory.

CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.

For Safari browser, the vulnerability exists within the slowAppend() method of MarkedArgumentBuffer in JavaScriptCore library and can be exploited via the usage of a MarkedArgumentBuffer in the static defineProperties() method. The Pegasus exploit chain triggers this vulnerability by passing a specially crafted sequence of properties to the defineProperties() method and then gets read/write and code execution ability.

For the XNU kernel, the vulnerability exists in the OSUnserializeBinary() method which is used to unserialize the data from the user land input. Because OSUnserializeBinary() doesn’t check the length of serialized OSNumber, the attacker can get leaked kernel stack information using io_registry_entry_get_property_bytes(). On the other hand, by using a crafted serialized OSString Object, the attacker can trigger UaF vulnerability in the kernel and then get the read and write ability of the kernel memory.

In addition, by using JavaScriptCore vulnerability, PEGASUS exploit chain can persist after rebooting which means untethered jailbreak. Last but not least, more details about this exploit chain can be referred to our previous article: https://jaq.alibaba.com/community/art/show?articleid=532 and DEMOs:

Youtube: https://www.youtube.com/watch?v=EwRVvUKBSKQ

Youku: http://v.youku.com/v_show/id_XMTg4NzA5OTEwOA==.html

0x03 iOS 9.3.3 Critical and Exploitable Vulnerabilities

1. IOMobileFramebuffer Kernel Heap Overflow: This vulnerability exists in the IOMobileFramebuffer IOKit kernel service. Because IOMobileFramebuffer::swap_submit(IOMFBSwap *) doesn’t check the IOMFBSwap data from the user land, the attacker can use a crafted IOMFBSwap data to achieve a heap overflow in the kernel and then translate it into kernel read/write ability. This vulnerability can be triggered in the sandbox (do not need sandbox escapes) and it was used in the Pangu’s iOS 9.3.3 jailbreak.

0x04 iOS 9.3.2 Critical and Exploitable Vulnerabilities

1. WebKit heapPopMin Remote Code Execution: This vulnerability exists in the WebCore ::TimerBase::heapPopMin() and the attacker can use this vulnerability to achieve arability code execution in Safari through a crafted html webpage. Note that the Safari process is sandboxed. So, the attacker needs to do a sandbox escape if he wants to get more user data or attack the kernel.

2. GasGauge Race Condition: This vulnerability was disclosed by qwertyoruiop. Because GasGauge kernel service doesn’t lock the process when it frees the memory, the attacker can use multi-thread to do the race. If the race wins, the vulnerability will cause double free. In addition, the attack can translate it into UaF in any zone and achieve kernel read/write ability. Note that this kernel service cannot be reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

0x05 iOS 9.3.1 Critical and Exploitable Vulnerabilities

1. InpuTbag Heap Overflow: This vulnerability was disclosed by Team OverSky of Alibaba mobile security. The vulnerability exists in the postElementValues() method of IOHIDDevice kernel service. Because the postElementValues() method doesn’t check the size of input report, the attacker can use a crafted input report to overflow the kernel heap and then achieve kernel read/write ability. Note that this kernel service cannot be reached in the sandbox and it needs “com.apple.hid.manager.user-access-device” entitlement. So the attack needs a sandbox escape and an entitlement bypass before using this vulnerability.

0x06 iOS 9.1 Critical and Exploitable Vulnerabilities

1. CVE-2015-7037 Photos Sandbox Escape: The vulnerability exists in the com.apple.PersistentURLTranslator.Gatekeeper XPC service. By using a crafted XPC message, the attacker can achieve arbitrary file read/write ability of “mobile” user outside the sandbox. Combining with the vulnerability of dyld, the attacker can achieve arbitrary code execution outside the sandbox.

2. CVE-2015-7084 IORegistryIterator Race Condition: The vulnerability exists in the IOKit kernel service. Because the kernel does not lock the process when it frees the IORegistryIterator object, the attacker can use multi-thread to do the race. If the race wins, the vulnerability will cause a double free. Then the attacker can use the vulnerability to achieve kernel read/write ability and jailbreak the iOS devices.

0x07 iOS 9.0 Critical and Exploitable Vulnerabilities

1. CVE-2015-6974 IOHIDFamily UaF: The vulnerability exists in the IOHIDResource kernel service. The kernel service does not set the “device” pointer to NULL after releasing the device in the terminateDevice() method. The attacker can use this vulnerability to trigger UaF in the kernel and then translate into kernel read/write ability. This vulnerability was used in the Pangu’s iOS 9.0 jailbreak. Note that this kernel service cannot be reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

0x08 Summary

We can clearly observe that the number of critical and exploitable vulnerabilities in 2016 is very large. However, lots of iOS devices cannot upgrade to the latest iOS version. In addition, there are minor changes in recent iOS systems. So, more and more people lack interest in upgrading their devices.

According to one professional mobile statistics platform, only 3.28% devices are using the latest iOS 10.2 in December of 2016. It means 96.72% devices can be exploited by Mach_portal exploit chain at that time. Therefore, we kindly remind customers to upgrade their devices and be careful with the potential threats in the future.

Last but not least,you can find iOS jailbreak vulnerabilities and materials related to this article in our Github:https://github.com/zhengmin1989/GreatiOSJailbreakMaterial

Summary of Critical and Exploitable iOS Vulnerabilities in 2016的更多相关文章

  1. [转]iOS hacking resource collection

    Link:http://www.securitylearn.net/tag/apple-ios-hacking-slides/ A collection of iOS research present ...

  2. iOS开发 适配iOS10

    2016年9月7日,苹果发布iOS 10.2016年9月14日,全新的操作系统iOS 10将正式上线. 作为开发者,如何适配iOS10呢? 1.Notification(通知) 自从Notificat ...

  3. 【转】iOS学习之适配iOS10

    适配iOS10 2016年9月7日,苹果发布iOS 10.2016年9月14日,全新的操作系统iOS 10将正式上线. 作为开发者,如何适配iOS10呢? 1.Notification(通知) 自从N ...

  4. Xamarin Studio在Mac环境下的配置和Xamarin.iOS常用控件的示例

    看过好多帖子都是Win环境装XS,Mac只是个模拟器,讲解在Mac环境下如何配置Xamarin Studio很少,也是一点点找资料,东拼西凑才把Xamarin Studio装在Mac上跑起来,如下: ...

  5. iOS 如何适配iOS10

    转自: http://www.cnblogs.com/jukaiit/p/5881062.html 2016年9月7日,苹果发布iOS 10.2016年9月14日,全新的操作系统iOS 10将正式上线 ...

  6. React Native微信分享 朋友圈分享 Android/iOS 通用

    超详细React Native实现微信好友/朋友圈分享功能-Android/iOS双平台通用   2016/06/16 |  React Native技术文章 |  Sky丶清|  暂无评论 |  1 ...

  7. iOS系统中导航栏的转场解决方案与最佳实践

    背景 目前,开源社区和业界内已经存在一些 iOS 导航栏转场的解决方案,但对于历史包袱沉重的美团 App 而言,这些解决方案并不完美.有的方案不能满足复杂的页面跳转场景,有的方案迁移成本较大,为此我们 ...

  8. iOS - 如何适配iOS10(插曲)

    升级了系统10.12beta xcode8  出现一大推问题 ,连上架APP都成了问题.只能先解决这些问题,再研究3D引擎了. 2016年9月7日,苹果发布iOS 10.2016年9月14日,全新的操 ...

  9. 如何快速简单上传类库到CocoaPods - 图文攻略步骤

    当自己的库已经上传GitHub后,那么如何快速简单的开源自己的库呢? 这里就是介绍如何将自己的类库上传到pods管理库,以便开源所有人都能方便使用. 准备前提: - 项目已上传到GitHub (注意, ...

随机推荐

  1. 让 windows 下的命令行程序 cmd.exe 用起来更顺手

    在 Windows 下使用 Larave 框架做开发,从 Composer 到 artisan 总是避免不了和 cmd.exe 打交道,系统默认的命令行界面却是不怎么好看,且每行显示的字符数是做了限制 ...

  2. input[tyle="file"]样式修改及上传文件名显示

    默认的上传样式我们总觉得不太好看,根据需求总想改成和上下结构统一的风格…… 实现方法和思路: 1.在input元素外加a超链接标签 2.给a标签设置按钮样式 3.设置input[type='file' ...

  3. 现代3D图形编程学习-基础简介(3)-什么是opengl (译)

    本书系列 现代3D图形编程学习 OpenGL是什么 在我们编写openGL程序之前,我们首先需要知道什么是OpenGL. 将OpenGL作为一个API OpenGL 通常被认为是应用程序接口(API) ...

  4. C# 实时折线图,波形图

    此Demo是采用VS自带的Chart图表控件,制作实时动态显示的折线图,和波形图. 涉及到知识如下: Chart 控件,功能强大,可以绘制柱状图,折线图,波形图,饼状图,大大简化了对图的开发与定制. ...

  5. VS2015在创建项目时的一些注意事项

    一.下面是在创建一个新的项目是我最常用的,现在对他们一一做一个详细的介绍: 1.Win32控制台应用程序我平时编写小的C/C++程序都用它,它应该是用的最多的. 2.名称和解决方案名称的区别:名称是项 ...

  6. Android之SQLite数据存储

    一.SQLite保存数据介绍 将数据库保存在数据库对于重复或者结构化数据(比如契约信息)而言是理想之选.SQL数据库的主要原则之一是架构:数据库如何组织正式声明.架构体现于用于创建数据库的SQL语句. ...

  7. ubuntu下配置vimtab空格数

    vim ~/.vimrc  没有就创建 set tabstop=4 //4就是4个空格

  8. 在配有英特尔® Iris™ 显卡的系统上通过优化对 Just Cause 3 进行增强

    高端 PC 继续通过高性能显卡驱动桌面游戏. 一流的"梦想机器"基于第六代智能 英特尔® 酷睿™ 处理器i7-6700K等 CPU,通常与高端独立显卡配合使用以运行要求最严苛的游戏 ...

  9. 谈谈document.ready和window.onload的区别

    在Jquery里面,我们可以看到两种写法:$(function(){}) 和$(document).ready(function(){}) 这两个方法的效果都是一样的,都是在dom文档树加载完之后执行 ...

  10. 不该活着的SqlHelper和DBHelper

    前言: 还记得刚学ADO.NET的情景么? 还记得当年是怎么从ADO.NET被忽悠到用SqlHelper的么? 话说从入门到走上工作岗位那些年,我们就一直被纯纯地教导或引导,ADO.NET太原始,得封 ...