Summary of Critical and exploitable iOS vulnerabilities in 2016

Summary of Critical and exploitable iOS vulnerabilities in 2016

author:min (Spark) Zheng, Cererdlong, Eakerqiu @ Team Oversky

0x00 Introduction

IOS security is far more fragile than you believe. And there is lots of critical and exploitable iOS vulnerabilities in the wild. We summarized these critical iOS vulnerabilities which can be used for remote code execution or jailbreaking in this Repor T. Hopefully, it can bring some help for your mobile security.

0x01 IOS 10.1.1 Critical and exploitable vulnerabilities

1. Mach_portal exploit chain:the exploit chain was published by Ian Beer of Google Project Zero. The whole exploit chain consists of three vulnerabilities:

Cve-2016-7637:broken kernel Mach port name uref handling on Ios/macos can leads to privileged port name replacement in Oth ER processes.

Cve-2016-7661:macos/ios arbitrary port replacement in Powerd.

Cve-2016-7644:xnu kernel UaF Due to lack of locking in Set_dp_control_port.

The attacker first uses cve-2016-7637 to replace Launchd's send right to "Com.apple.iohideventsystem" with a send right to A port which belongs to the attacker. The attacker also holds the receive right of that port. Then the attacker uses cve-2016-7661 to crash the "Powerd" daemon which runs as root. Because of the daemon mechanism, the "Powerd" would automatically restart but its startup process would look up the "Com.app Le.iohideventsystem "Mach service and send its own task port to that service. Because The attacker holds the receive right of that port which means the "powerd" actually sends it task port to the ATT Acker. After that, the attacker uses "Powerd" 's task port to get the Host_priv port which are used to trigger the XNU kernel UaF b UG (cve-2016-7644). Because the kernel forgets to lock the set_dp_control_port when releasing a reference on a port, the attacker can get a SE nd right to the kernel task port. After getting the kernel task port, the attacker can use Mach_vm_read () and Mach_vm_write () which provided by the XNU system to modify kernel memory.

In 2016.12.22, based on the Beer ' s mach_portal exploit chain, Qwertyoruiop added KPP bypass, Kernel patch, and Cydia Insta Llation on the This project. Then he released IOS 10.0.*/10.1.* jailbreak for arm64 devices on yalu.qwertyoruiop.com.

0x02 IOS 9.3.4 Critical and exploitable vulnerabilities

1. Pegasus/trident exploit chain:the exploit chain is found from the APT issue for a human rights activist. There is three vulnerabilities in the Trident exploit:

Cve-2016-4657:visiting A maliciously crafted website may leads to arbitrary code execution.

Cve-2016-4655:an application May is able to disclose kernel memory.

Cve-2016-4656:an application is able to execute arbitrary code with kernel privileges.

for Safari Browser, the vulnerability exists within the Slowappend () method of Markedargumentbuffer in JavaScriptCore Library and can be exploited Via the usage of a markedargumentbuffer in the static Defineproperties () method. The Pegasus exploit chain triggers this vulnerability by passing a specially crafted sequence of properties to the DEFINEP Roperties () method and then gets read/write and code execution ability.

for the XNU kernel, the vulnerability exists in the Osunserializebinary () method which are used to unserialize the data from the user land input. Because osunserializebinary () doesn ' t check the length of the serialized osnumber, the attacker can get leaked kernel stack in Formation using io_registry_entry_get_property_bytes (). On the other hand, by using a crafted serialized osstring Object, the attacker can trigger UaF vulnerability in the kernel And then get the read and write ability of the kernel memory.

In addition, by using the JavaScriptCore vulnerability, PEGASUS exploit chain can persist after rebooting which means untether Ed Jailbreak. Last but not the least, more details on this exploit chain can is referred to our previous article:https://jaq.alibaba.com /community/art/show?articleid=532 and DEMOs:

Youtube:https://www.youtube.com/watch?v=ewrvvukbskq

Youku:http://v.youku.com/v_show/id_xmtg4nza5otewoa==.html

0x03 IOS 9.3.3 Critical and exploitable vulnerabilities

1. Iomobileframebuffer Kernel Heap overflow:this vulnerability exists in the Iomobileframebuffer IOKit Kernel service. Because iomobileframebuffer::swap_submit (Iomfbswap *) doesn ' t check the Iomfbswap data from the user land, the attacker CA n Use a crafted Iomfbswap data to achieve a heap overflow in the kernel and then translate it into kernel read/write abili Ty. This vulnerability can is triggered in the sandbox (does not need sandbox escapes) and it is used in the Pangu ' s IOS 9.3.3 Jailbreak.

0x04 IOS 9.3.2 Critical and exploitable vulnerabilities

1. WebKit heappopmin Remote Code Execution:this vulnerability exists in the WebCore:: Timerbase::heappopmin () and the attacker can use this VU Lnerability to achieve arability code execution in Safari through a crafted HTML webpage. Note that the Safari process is sandboxed. So, the attacker needs to does a sandbox escape if he wants to get more user data or attack the kernel.

2. Gasgauge Race Condition:this Vulnerability was disclosed by QWERTYORUIOP. Because gasgauge Kernel service doesn ' t lock the process when it frees the memory, the attacker can use Multi-thread to do The race. If The race wins, the vulnerability would cause double free. In addition, the attack can translate it to UaF in any zone and achieve kernel read/write. Note that this kernel service cannot is reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

0x05 IOS 9.3.1 Critical and exploitable vulnerabilities

1. Inputbag Heap Overflow:this Vulnerability is disclosed by Team Oversky of Alibaba Mobile security. The vulnerability exists in the Postelementvalues () method of the Iohiddevice kernel service. Because the Postelementvalues () method doesn ' t check the size of input report, the attacker can use a crafted input report To overflow the kernel heap and then achieve kernel read/write ability. Note that this kernel service cannot is reached in the sandbox and it needs "Com.apple.hid.manager.user-access-device" ent Itlement. So the attack needs a sandbox escape and an entitlement bypass before using this vulnerability.

0x06 IOS 9.1 Critical and exploitable vulnerabilities

1. cve-2015-7037 Photos Sandbox escape:the vulnerability exists in the Com.apple.PersistentURLTranslator.Gatekeeper XPC service. By using a crafted XPC message, the attacker can achieve arbitrary file read/write ability of "mobile" user outside the SA Ndbox. Combining with the vulnerability of DYLD, the attacker can achieve arbitrary code execution outside the sandbox.

2. cve-2015-7084 ioregistryiterator Race condition:the vulnerability exists in the IOKit kernel service. Because the kernel does not lock the process when it frees the Ioregistryiterator object and the attacker can use Multi-threa D to do the race. If The race wins, the vulnerability would cause a double free. Then the attacker can use the vulnerability to achieve kernel read/write ability and jailbreak the IOS devices.

0x07 IOS 9.0 Critical and exploitable vulnerabilities

1. cve-2015-6974 iohidfamily uaf:the vulnerability exists in the Iohidresource kernel service. The kernel service does not set the "device" pointer to NULL after releasing the device in the Terminatedevice () method. The attacker can use this vulnerability to trigger UaF in the kernel and then translate into kernel read/write ability. This vulnerability is used in the Pangu ' s IOS 9.0 jailbreak. Note that this kernel service cannot is reached in the sandbox. So the attacker needs a sandbox escape before using this vulnerability.

0x08 Summary

We can clearly observe that the number of critical and exploitable vulnerabilities in are very large. However, lots of iOS devices cannot upgrade to the latest iOS version. In addition, there is minor changes in recent IOS systems. So, more and more people lack interest in upgrading their devices.

According to one professional mobile statistics platform, only 3.28% devices is using the latest IOS 10.2 in December of It means 96.72% devices can be exploited by mach_portal exploit chain at that time. Therefore, we kindly remind customers to upgrade their devices and is careful with the potential threats in the future.

Last but not least,you can find IOS jailbreak vulnerabilities and materials related to this article in our github:https:// Github.com/zhengmin1989/greatiosjailbreakmaterial

Summary of Critical and exploitable iOS vulnerabilities in 2016