Fasten your seatbelts: We are escaping iOS 11 Sandbox!

Video in TIB AV-Portal: Fasten your seatbelts: We are escaping iOS 11 Sandbox!

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Apple's sandbox was introduced as "SeatBelt" in macOS 10.5, which provided the first full-fledged implementation of a MACF policy. After a successful trial on macOS, Apple applied the sandbox mechanism to iOS 6. In its implementation, the policy hooks dozens of operations, and the number of hooks has grown steadily as new system calls appeared or new threats were discovered. In the beginning, Apple's sandbox used a blacklist approach: Apple concentrated on the known dangerous APIs and blocked them, allowing all others by default. As the sandbox evolved, however, it moved to a whitelist approach that denies all APIs by default and allows only the ones Apple trusts. In this talk, we first introduce Apple's sandbox mechanism and profiles in the latest iOS. Then we discuss the iOS IPC mechanisms and review several old classic sandbox escape bugs. Most importantly, we show two new zero-day sandbox escape vulnerabilities we recently discovered in the latest iOS 11.4. We also share our experience of exploiting vulnerabilities in system services through out-of-line (OOL) message heap spray and ROP (return-oriented programming), and we discuss a task port technique which can be used to control a whole remote process through Mach messages. By using these techniques, security researchers can find and exploit sandbox escape bugs to control iOS user-mode system services and further attack the kernel.
"Fasten your seatbelts", from a security lab. It looks like their talk is about escaping the iOS 11 sandbox. Give them a round of applause.

Hello. Can you hear me okay? Hello everyone. Today we are going to talk about the security of the iOS 11 sandbox, and this talk will be presented by my friend Spectrum and me. We are from Alibaba Security.

Firstly, let's have a look at the iOS system. There are three levels in the system. The first level is sandboxed applications; there are quite a few attack surfaces to the kernel in applications. The second level is the user-mode system services, including some services called Mach services; in these system services we have more attack surfaces to the kernel. The third level is the kernel.

So in iOS, the application is sandboxed. The sandbox was first introduced as SeatBelt in Mac OS, and now there are over 100 operations that are hooked by sandbox policies. These sandbox policies were at first a blacklist, and now they are a whitelist. With this table (this table is from *OS Internals) we can see that there are over 100 sandbox hooks in iOS 11. There is a concept called sandbox profiles. Sandbox profiles define which Mach services can be accessed by sandboxed applications. In Mac OS these profiles are visible, installed in /System/Library/Sandbox/Profiles. In iOS the profiles are hard-coded and difficult to decode, but we can traverse all Mach services to get the list of services that can be accessed by sandboxed applications. Also we can use some tools, for example the one developed by Jonathan Levin. In order to find vulnerabilities in Mach services we need to disassemble and analyze the binary that handles the Mach service. There is a directory called /System/Library/LaunchDaemons which contains the configuration plist files of most Mach services. From these plist files we can know the path to the Mach services' binaries. Next, Spectrum will give more details about the vulnerabilities we found in the iOS sandbox. Thank you.

Thanks. OK, so there is a rich set of IPC mechanisms in iOS, and most of them are available to third-party applications. In this talk we will focus on Mach services. Mach messages are the most commonly used IPC mechanism in iOS. In addition, Mach messages contain typed data, which can include port rights and references to large ranges of memory. Based on Mach messages, Apple developed XPC. Compared with Mach messages, XPC is safer and easier to use, but the cost of XPC service maintenance is very high. NSXPC is built on top of XPC, which allows abstraction of XPC connections and remote objects. So through Mach messages, sandboxed apps can communicate with Mach services, XPC services and NSXPC services. Consequently, if the server doesn't handle the messages as expected, it may be corrupted by malicious apps.

So in this talk I will share three old bugs first. The first bug exists in the gatekeeper XPC service; the related binary is reserved results. The service receives two parameters: one is a dictionary and the second one is the source path, but it doesn't check the validity of the path string. Therefore the attacker can use a path traversal vulnerability to achieve arbitrary file move outside the sandbox with mobile privilege. This bug was used in the Pangu 9 jailbreak.

The second vulnerability is in the medialibraryd NSXPC service. It can be exploited to read, write and query arbitrary SQLite files outside the sandbox, since the remote object of the service has mobile privilege and it does not check the input path of the SQLite file. An attacker can achieve an arbitrary query of the SQLite files on the system. The attacker can use the traditional database data path to connect to arbitrary SQLite files on the system and use NSXPC to execute SQL commands on it. For example, a malicious app can leverage this vulnerability to modify SMS messages or emails on the device.

In addition, it has another vulnerability because it uses SQLite 3. SQLite 3 has a feature called the FTS3 tokenizer; it is used to build full-text search. Developers can use commands to get all the tokenizers. However, attackers can leverage this feature to leak memory information and even execute arbitrary code. For example, the first command helped us leak the address of the default tokenizer, which helped us bypass ASLR. In addition, an attacker can register a new tokenizer and trigger the callbacks using the following commands (the second command). Because the callback address is set by us, it's possible for us to hijack the PC register and control the NSXPC service as we want. This vulnerability was used in our private jailbreak.

So here is the third part. This bug exists in the bluetoothd Mach service. There are 132 functions in the com.apple.server.bluetooth Mach service. bluetoothd communicates with other sandboxed apps and unsandboxed processes. For example, through the com.apple.server.bluetooth service a process can use BTSessionAttach to create a session hooking for bluetoothd, and then use BTLocalDeviceAddCallbacks to register a callback for receiving the notification. However, it had a vulnerability which was found by Rani. He found that bluetoothd only used the session token to identify the process, which means we can use a sandboxed app to hijack the communication between bluetoothd and unsandboxed processes through the session token.

The problem is that the session token is easy to brute force: first, it only has 10000 possible values. Therefore Apple fixed this problem by adding a user ID to each session, which is a random number; only the process and bluetoothd know the user ID, and bluetoothd checks the mapping of the session token with the user ID in the add-callbacks. As we mentioned before, the user ID is a very large random number, so if we know the session token we can still try to hijack the communication through user ID brute force, but when I tried it I found it would take a very long time, about 12 hours, so I don't think this is a good bug. So what if we can find some other functions without the user ID verification? Yes, I found one. This function is called BTAccessoryManagerAddCallbacks. However, after sending messages to that function nothing happened. What's wrong? Finally I found the problem: the callback event can be triggered only when the iOS device connects to a new device, which means we need to trigger the callback by clicking the Bluetooth settings manually. This is not a cool part, because we need to do something on the device manually. So the first bug takes a very long time, and the second bug is very hard to trigger. Can we find a third bug to trigger callbacks which is easy to trigger? Finally I found it. This one is called BTDiscoveryAgentCreate. We can use it to create a callback for the discovery agent, then we can use BTDiscoveryAgentStartScan to trigger the callback without a manual click.

So we found a very good bug, but the goal is not only to control the PC register but the process as well. So the next step is to create a ROP chain and do a heap spray for the target process. In this case we use a complex Mach message with OOL descriptor memories. This is a very useful message, because if we send the message to the process and it doesn't receive it, the message will stay in the target's memory space persistently. Then we can use a magic address (for example, in this case, five four zero zero zero) to set this callback address, and the PC will come to this address; it will point to a ROP chain.

So after we trigger the vulnerability we can control the following registers, and the last PC is x4. So now we can do ROP or JOP, but it's hard for us to control the whole program flow, because we need a stack pivot to control the stack. So a good stack pivot gadget can be found in libsystem_platform.dylib. This gadget is very useful: if we can control x0, we can control SP. After that we can do real ROP. By doing ROP we have stolen files outside the sandbox. OK, but ROP is not elegant; we want the task port to control everything.

So what is the task port? Let me briefly introduce what a port is. A port provides an endpoint for IPC; messages can be sent to a port or received from it. Ports can contain rights, and port rights can be passed in messages. The most important port for the process is the task port, which can be obtained from mach_task_self. One can control the memory and all the registers of the process through its task port. This port is very useful. For example, we can use mach_vm_allocate to allocate memory in a remote process through the task port, mach_vm_write to copy data into the remote process, and thread_create_running to create a new thread and control the registers in the remote process. So if we can get the task port, we can control everything in the process.

OK, so let's try to get the task port of a remote process. Here are the steps. First, we ask launchd to get the port name of bluetoothd. Then we send a lot of ports with send rights to bluetoothd, and send the ROP chain through heap spray. After that, we trigger the vulnerability to control the PC of bluetoothd. After that, we use the ROP chain to send the Mach message which contains the task port of bluetoothd back to our app. After that we can control the whole target process through its task port.

There are some tricks to learn from mach_portal, which was developed by Ian Beer. We can use insert right to insert a send right into the port, and the port can be sent by Mach messages with port descriptors. In most cases mach_task_self returns 0x103, so we can trust 0x103 without ROP calling mach_task_self. In order to get the task port back to our app we need to know the port name of our app; however, we can't use launchd to help us. That's why we send a lot of ports: because it can be brute forced. So we send a lot of ports to the remote server in order to increase the success rate.

After that we can try to remotely malloc some memory in the target process, or just execute functions in the target process. However, iOS 11 added a new mitigation so that we cannot easily use the task port, but we have a plan B: ROP always works in user mode, so we can use a generic primitive for function calls with arbitrary parameters. In this condition this gadget is very useful, because we can have unlimited parameters and at last return to the program.

By using the bluetoothd vulnerability we successfully exploited the kernel through our sandbox escape and gained kernel read and write ability on iOS 11. Also we got a root shell and a jailbreak on iOS 11.

So here is the conclusion. First, we introduced the basic concepts of the iOS sandbox and summarized several classic ways to escape the iOS sandbox. Besides the old bluetoothd vulnerability, we found two new zero-day sandbox escape vulnerabilities on the latest iOS version, and we presented a classical way to do heap spray and return-oriented programming in iOS userland. Then we showed how to get and control the task port of the remote process during the exploit. There is an update: after we submitted our talk to DEFCON, we also reported these two zero-day bugs to Apple, and Apple has already fixed them in the latest iOS as well as the iOS 12 beta, with CVEs. So please update your device to the latest version in order to defend against the potential attacks. So here are some references for this talk. OK, that's all for our talk. You can follow us on Twitter. Thank you for listening. [Applause]
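The first old bug in the talk (a privileged service moving a client-supplied path without validating it) is the kind of defect a path containment check in the service prevents. The following C code is an added example written for this page, not code from the talk, from Apple, or from any iOS service; the container root and file names in the comments are constructed, and a real service would still resolve symlinks with realpath() before acting on the result.

```c
#include <stdbool.h>
#include <string.h>

/* Longest client-supplied path the hypothetical service accepts. */
#define MAX_PATH_LEN 1024
#define MAX_SEGS (MAX_PATH_LEN / 2)

/* Lexically normalise an absolute path: drop empty and "." segments,
 * resolve ".." against the segments already kept, and reject a path
 * that tries to climb above "/". Purely string-based (no filesystem
 * access), so symlinks are not resolved here. Returns false on bad input. */
bool normalize_path(const char *in, char *out, size_t outlen)
{
    if (in == NULL || out == NULL || in[0] != '/' || strlen(in) >= MAX_PATH_LEN)
        return false;
    const char *seg[MAX_SEGS];   /* start of each kept segment */
    size_t len[MAX_SEGS];        /* length of each kept segment */
    size_t depth = 0;
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/') p++;                 /* skip runs of '/' */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return false;      /* "/.." would escape root */
            depth--; continue;
        }
        seg[depth] = start; len[depth++] = n;
    }
    if (depth == 0) { if (outlen < 2) return false; strcpy(out, "/"); return true; }
    size_t pos = 0;
    for (size_t i = 0; i < depth; i++) {
        if (pos + 1 + len[i] + 1 > outlen) return false;
        out[pos++] = '/';
        memcpy(out + pos, seg[i], len[i]);
        pos += len[i];
    }
    out[pos] = '\0';
    return true;
}

/* The check a service should run on a client path before moving or opening
 * it: after normalisation the path must be the container root itself or lie
 * below it at a directory boundary, so a sibling like ".../APP-evil" cannot
 * pass as a string-prefix match. `root` is absolute, no trailing slash. */
bool path_within_root(const char *client_path, const char *root)
{
    char norm[MAX_PATH_LEN];
    if (!normalize_path(client_path, norm, sizeof norm)) return false;
    size_t rl = strlen(root);
    if (rl == 0 || strncmp(norm, root, rl) != 0) return false;
    return norm[rl] == '\0' || norm[rl] == '/';
}
```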