Talk about cve-2017-7047 Triple_fetch and iOS 10.3.2 sandbox escape


Author: 蒸米 (Steamed Rice)

-----------------

0x00 Preface

Ian Beer released the exploit and write-up for CVE-2017-7047 triple_fetch [1], and Liang Chen of Keen Lab also published an analysis of triple_fetch [2]. Since both the vulnerability and the exploit have many highlights, there are still plenty of details worth digging into. This article therefore briefly analyzes the root cause of the vulnerability, describes the exploitation details in depth, and shows how the bug can be used for a sandbox escape on iOS 10.3.2.

0x01 Root cause of CVE-2017-7047 triple_fetch

Liang Chen's analysis of the root cause is already very detailed, so I will only summarize it here. Transferring large blocks of memory through XPC is inefficient, so to cut transfer time Apple handles an OS_xpc_data object larger than 0x4000 bytes by mapping it with mach_vm_map and sending the receiver a send right to that memory as a port. This sharing works at the level of physical pages: sender and receiver share the same memory, so if the sender modifies the data after sending it, the receiver's view of the data changes too.

A race condition therefore lets the receiver see different data on successive reads while assuming it is reading the same data, and if the receiver does not account for this, a vulnerability may result. For example, if the receiver first reads the string @"ABCD" (including the @ and the quotes), it allocates 7 bytes for it. While the string is being copied, we change it to @"ABCDoverflow_overflow_overflow"; the receiver copies until it meets the closing quote, overflowing the buffer.
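The following is an added example for this write-up (not code from the exploit or from Apple) that models the @"..." case above: one helper shows how sizing the buffer on a first read and copying on a second read overruns the 7-byte allocation once the sender rewrites the shared pages, and the hardened parser fetches the shared bytes exactly once into private memory before parsing, so later rewrites cannot affect it. The SNAP_MAX limit is a constructed value.

```c
/* Single- vs. double-fetch parsing of the XPC-style shared string discussed
 * above. Added example for this write-up, not code from the exploit or Apple.
 * Format as on the page: a buffer holding @"..." whose physical pages the
 * sender still shares, so it can rewrite them between the receiver's reads. */
#include <stddef.h>
#include <string.h>

#define SNAP_MAX 0x100  /* constructed limit for the receiver's private copy */

/* Length of @"..." including both delimiters, or -1 if no closing quote.
 * A receiver that walks the shared buffer once to size its allocation
 * (fetch 1) and again to drive the copy loop (fetch 2) is racy, because the
 * sender can change the bytes in between. */
long quoted_len(const char *view)
{
    if (strlen(view) < 2 || view[0] != '@' || view[1] != '"') return -1;
    const char *close = strchr(view + 2, '"');
    return close ? (long)(close - view) + 1 : -1;   /* @"ABCD" -> 7 */
}

/* 1 if a rewrite between the two fetches makes the copy overrun the buffer. */
int double_fetch_overflows(const char *first_view, const char *second_view)
{
    long alloc = quoted_len(first_view);    /* fetch 1: allocation size */
    long copied = quoted_len(second_view);  /* fetch 2: bytes the loop copies */
    return alloc > 0 && copied > alloc;
}

/* Fix: copy the shared bytes exactly once into private memory, then parse
 * only the snapshot. Writes the unquoted content NUL-terminated into out and
 * returns its length, or -1 on malformed input or if it would not fit. */
long parse_quoted_single_fetch(const volatile char *shared, size_t shared_len,
                               char *out, size_t out_cap)
{
    char snap[SNAP_MAX];
    if (shared_len > sizeof snap || shared_len < 3) return -1;
    for (size_t i = 0; i < shared_len; i++) snap[i] = shared[i];  /* the only fetch */
    if (snap[0] != '@' || snap[1] != '"') return -1;
    const char *start = snap + 2;
    const char *close = memchr(start, '"', shared_len - 2);
    if (!close) return -1;                    /* no closing quote in the snapshot */
    size_t n = (size_t)(close - start);
    if (n + 1 > out_cap) return -1;           /* refuse instead of overflowing */
    memcpy(out, start, n);
    out[n] = '\0';
    return (long)n;
}
```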

The function the triple_fetch attack targets is ___NSMS1() in CoreFoundation, which reads the malicious string we construct several times. If the string is modified quickly enough between those reads, the function sees three different strings, makes a wrong judgment, overflows, and lets us control the PC, which is why the bug is called triple_fetch. The three different strings used by the attack are shown in the figure below.


The NSXPC service the attack targets is com.apple.CoreAuthentication.daemon; the corresponding binary is /System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd. It was chosen because this process runs as root and can call the processor_set_tasks() API to obtain send rights to the task ports of other processes in the system [3]. The crash report after gaining control of the PC is shown in the figure below.


0x02 triple_fetch: JOP, ROP and arbitrary code execution

Although the triple_fetch exploit controls the PC, it does not control the stack, so a stack pivot is needed. The good news is that the x0 register points to the xpc_uuid object, which we control (figure below).


So we use JOP to jump to the _longjmp function as a stack pivot and take control of the stack (figure below).


The xpc_uuid object finally sent, laid out for the JOP chain, is shown in the figure below.


Once the stack is controlled, writing ROP is easy. But Beer's goal is not just to run ROP; he also wants the task port of the target process and the ability to execute arbitrary binaries. So in addition to the exploit payload, the attacker sends 0x1000 ports carrying send rights into the target process (figure below).


The location and contents in memory of the Mach messages carrying these ports are shown in the figure below (msgh_id is 0x12344321).


The exploit then uses ROP to iterate over these ports and send them back to the sending side (figure below).


The attacker then receives the Mach messages; if one arrives with msgh_id 0x12344321, we have obtained the task port of the target process (figure below).


After obtaining the task port, sploit() ends and do_post_exploit() begins. do_post_exploit() does quite a lot: first it uses coreauthd's task port and processor_set_tasks() to obtain the task ports of all processes. How does this work?

With coreauthd's task port we can use the mach_vm_* APIs to arbitrarily modify coreauthd's memory and registers. We therefore allocate a region of memory to serve as a stack, point SP at it, then point PC at the address of the function we want to run, making the target process execute arbitrary functions. This is implemented in call_remote() (figure below).


We then make coreauthd execute task_get_special_port(), processor_set_default(), host_processor_set_priv(), processor_set_tasks() and related functions to obtain the task ports of all processes and return them to the attacking side (implemented in get_task_ports()). The attacker iterates over the list and filters out the task ports of four processes: amfid, launchd, installd and SpringBoard. It then patches amfid using the previously known amfid-patching technique, and finally launches debugserver.

In fact, this exploit can not only run debugserver but also execute arbitrary binaries outside the sandbox. Just replace the hello_world binary under the pocs folder with the binary you want to execute; after compiling and installing, tap "Exec Bundle binary" in the UI (figure below).


How is that done? The secret is in spawn_bundle_binary(): it calls chmod in the target process to set the binary's mode to 0777, then executes the binary in the target process through a series of posix_spawn APIs (similar to fork()).

Code execution outside the sandbox exposes many more interfaces through which the kernel can be attacked, and allows reading or even modifying files belonging to other apps or to the system. For example, an attacker could read personal data (text messages, chat logs, photos, etc.) and send it to their own server (figure below).


So it is recommended that you update your iOS to the latest version as soon as possible.

0x03 Summary

This article describes the NSXPC vulnerability discovered by Beer and analyzes the iOS userland exploitation techniques involved: using JOP for the stack pivot and ROP for arbitrary code execution. Of course, this vulnerability only achieves code execution outside the sandbox; to control the kernel you still need one or two XNU or IOKit vulnerabilities, and Apple has fixed the KPP bypass used by the yalu102 jailbreak, so even with triple_fetch there is still a long way to go before a complete jailbreak.

0x04 References

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1247

[2] http://keenlab.tencent.com/zh/2017/08/02/CVE-2017-7047-Triple-Fetch-bug-and-vulnerability-analysis/

[3] http://newosxbook.com/articles/PST2.html

English version link: https://jaq.alibaba.com/community/art/show?articleid=1020

------------------
