Black clouds bear down on the city, and the city is about to crumble


Yundun: a summary of exploitable iOS vulnerabilities published in 2016

Authors: steamed rice, Yao Thorn, black snow @ Team OverSky




iOS is far less secure than most people assume. Besides the bugs that never become public, many vulnerabilities have been disclosed and are exploitable. This report summarises the serious iOS vulnerabilities made public in 2016 (those usable for remote code execution or for jailbreaking), in the hope that it helps your work and research in mobile security.


0x01 iOS 10.1.1 public vulnerabilities

1. mach_portal attack chain: published by Ian Beer of Google Project Zero. The chain consists of three vulnerabilities: a bug in the kernel's handling of Mach port user references (urefs) that lets a port name in any process be replaced with a port the attacker controls (CVE-2016-7637), a powerd bug in which a replaced port leads to a denial of service (CVE-2016-7661), and an XNU kernel use-after-free in set_dp_control_port, which takes no lock (CVE-2016-7644).

The attacker first uses CVE-2016-7637 to replace the send right that launchd holds for the "com.apple.iohideventsystem" system service with a port belonging to a process the attacker controls, for which the attacker also holds the receive right. Next, the attacker uses CVE-2016-7661 to crash powerd so that it is restarted. During startup, powerd needs the "com.apple.iohideventsystem" service and sends its own task port to it; because the attacker already holds the receive right for that service's port (via CVE-2016-7637), the attacker receives powerd's task port and thereby controls powerd, which runs as root outside the sandbox. Using powerd's task port, the attacker then obtains the host_priv port, and with host_priv triggers the XNU kernel use-after-free in the unlocked set_dp_control_port routine (CVE-2016-7644) to obtain the kernel task port. With the kernel task port, the system's own mach_vm_read() and mach_vm_write() give arbitrary kernel read and write.

On December 22, 2016, qwertyoruiop built on the mach_portal chain published by Ian Beer, adding a KPP bypass, kernel patches and Cydia installation, and released the resulting iOS 10.1.1 jailbreak on his own Twitter account.


0x02 iOS 9.3.4 public vulnerabilities

1. PEGASUS attack chain: this chain was found during an APT attack against a human rights activist in the UAE. It consists of three vulnerabilities: JavaScriptCore remote code execution (CVE-2016-4657), a kernel information leak (CVE-2016-4655), and a kernel use-after-free leading to code execution (CVE-2016-4656).

On the browser side, the MarkedArgumentBuffer class in the JavaScriptCore library can corrupt the heap during garbage collection; an attacker can use this to leak object addresses and execute arbitrary code. On the kernel side, the OSUnserializeBinary() function in XNU does not validate the length of an OSNumber when deserializing data passed in from user space, so kernel stack memory can be leaked; a crafted OSString object can also trigger a use-after-free that leads to kernel code execution (for details see our earlier article on the PEGASUS-based OS X 10.11.6 local privilege escalation, articleid=531). With this chain a complete remote jailbreak of iOS is possible, which makes it one of the most influential iOS vulnerabilities of recent years. Large-scale iOS Trojan attacks exploiting it are quite likely in the future.
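The OSNumber length problem described above is easiest to see in a small model. The following C program is an added example written for this article, not Apple's code: it uses a constructed message format ([32-bit little-endian bit width][64-bit little-endian value], an assumption, not the real OSUnserializeBinary format) and a slot struct whose trailing bytes stand in for whatever sits next to the object in kernel memory. The parser either accepts any declared width (the bug) or rejects widths above 64 bits (the fix); the serializer then trusts the stored width and copies bits/8 bytes starting at the 8-byte value field, so an oversized width hands back neighbouring memory.

```c
/* Added example (not Apple's code): a toy deserializer modelled on the
 * unchecked OSNumber width. Message format is constructed for this demo:
 * [u32 LE bit width][u64 LE value]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A deserialized number: the 8-byte value plus the width the *user* declared.
 * `neighbour` simulates the memory that follows the object (kernel stack in
 * the real bug); the slot is sized so the demo overread stays inside it. */
typedef struct {
    uint64_t value;
    uint32_t bits;
    uint8_t  neighbour[52];
} osnumber_slot_t;

#define OSNUMBER_MAX_BITS 64u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Parse one number. validate == 0 reproduces the bug: any width is accepted.
 * validate != 0 is the hardened form: widths of 0 or above 64 are rejected.
 * Returns 0 on success, -1 on malformed or rejected input. */
int parse_number(const uint8_t *msg, size_t len, osnumber_slot_t *slot, int validate) {
    if (len < 12) return -1;
    uint32_t bits = rd32(msg);
    if (validate && (bits == 0 || bits > OSNUMBER_MAX_BITS)) return -1;
    slot->bits  = bits;
    slot->value = rd64(msg + 4);
    return 0;
}

/* Serialize back to user space the way the vulnerable path did: copy bits/8
 * bytes starting at the value field, trusting the stored width. Returns the
 * number of bytes written. The sizeof(*slot) clamp exists only to keep this
 * user-space demo memory-safe; in the kernel nothing bounded the copy. */
size_t serialize_number(const osnumber_slot_t *slot, uint8_t *out, size_t cap) {
    size_t n = (slot->bits + 7u) / 8u;
    if (n > sizeof(*slot)) n = sizeof(*slot);
    if (n > cap) n = cap;
    memcpy(out, (const uint8_t *)&slot->value, n);
    return n;
}

/* Build a 12-byte message declaring `bits` bits. */
size_t build_number_msg(uint8_t *msg, uint32_t bits, uint64_t value) {
    for (int i = 0; i < 4; i++) msg[i] = (uint8_t)(bits >> (8 * i));
    for (int i = 0; i < 8; i++) msg[4 + i] = (uint8_t)(value >> (8 * i));
    return 12;
}

/* Parse + serialize one constructed message; fills `out` (>= 64 bytes) and
 * returns bytes serialized, or -1 if the parser rejected the width. */
static long run_leak(uint32_t declared_bits, int validate, uint8_t *out) {
    osnumber_slot_t slot;
    uint8_t msg[12];
    memset(slot.neighbour, 0xAB, sizeof slot.neighbour);   /* constructed "stack residue" */
    build_number_msg(msg, declared_bits, 0x4142434445464748ULL);
    if (parse_number(msg, sizeof msg, &slot, validate) != 0) return -1;
    return (long)serialize_number(&slot, out, sizeof slot);
}

/* Bytes handed back beyond the legitimate 8-byte value (-1 if rejected). */
long leaked_bytes(uint32_t declared_bits, int validate) {
    uint8_t out[64];
    long n = run_leak(declared_bits, validate, out);
    if (n < 0) return -1;
    return n > 8 ? n - 8 : 0;
}

/* 1 if a 256-bit width on the unchecked path returns the neighbour bytes. */
int leak_shows_neighbour(void) {
    uint8_t out[64];
    long n = run_leak(256, 0, out);
    return n >= 32 && out[12] == 0xAB && out[31] == 0xAB;
}
```

With a declared width of 256 bits the unchecked path returns 32 bytes: the 8-byte value, the 4-byte width field and 20 bytes of the simulated neighbour. The checked parser refuses the message before anything is stored, which is the behaviour a fix has to guarantee, since the serializer cannot know which width is legitimate.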


0x03 iOS 9.3.3 public vulnerabilities

1. IOMobileFramebuffer heap overflow kernel vulnerability: this vulnerability is in the IOMobileFramebuffer kernel service. IOMobileFramebuffer::swap_submit(IOMFBSwap *) does not validate the IOMFBSwap data passed in from user space, which leads to a kernel heap overflow. The service is reachable from inside the sandbox, so the kernel can be attacked directly without a sandbox escape, giving full control of the kernel. This vulnerability was used in the Pangu iOS 9.3.3 jailbreak (NvwaStone).


0x04 iOS 9.3.2 public vulnerabilities

1. WebKit heapPopMin remote code execution vulnerability: a bug in WebCore::TimerBase::heapPopMin() in the WebKit module can be exploited to attack iOS devices remotely. When Mobile Safari renders a web page carrying the exploit, the attacker takes control of Safari. Note, however, that this only controls Safari: reading user data still requires a sandbox escape, and controlling the phone requires a kernel attack. And because WebKit is not used only in iOS, this vulnerability was also used to jailbreak other devices, such as the PS4 and Kindle.

2. GasGauge race condition kernel vulnerability: this vulnerability is in the GasGauge kernel service. Because no lock is taken while memory is freed, an attacker can run the free operation from several threads at once; when the race is won the result is a double free, which can be converted into a use-after-free in an arbitrary zone, control of the kernel, and a non-persistent ("imperfect") jailbreak. Note that this kernel service cannot be reached directly from inside the sandbox, so exploiting it requires a sandbox escape first.


0x05 iOS 9.3.1 public vulnerabilities


1. IOHIDDevice input report heap overflow kernel vulnerability: this vulnerability was discovered and disclosed by the Alibaba Mobile Security OverSky team. It lies in the IOHIDDevice kernel service: no size check is performed on the input report, which leads to a kernel heap overflow. An attacker can exploit it to attack the kernel and jailbreak the device. Note that the service can only be accessed from outside the sandbox by a process holding the "com.apple.hid.manager.user-access-device" entitlement, so exploitation requires a sandbox escape first and then a bypass of the entitlement check.
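Both this vulnerability and the IOMobileFramebuffer swap_submit bug in 0x03 are the same pattern: an IOKit external method receives a structure input whose size the dispatcher does not check (in IOKit, a dispatch entry whose checkStructureInputSize is kIOUCVariableStructureSize leaves the check to the handler) and copies it into a fixed-size kernel object. The C program below is an added example written for this article, not Apple's or Pangu's code: the method table, selectors and report_object_t are assumptions built to model the pattern. A vulnerable and a hardened handler sit side by side behind a dispatcher that mirrors the size check IOUserClient::externalMethod performs for fixed-size entries.

```c
/* Added example (not Apple's code): an IOKit-style external method table with
 * one fixed-size entry and two variable-size entries, one of which forgets
 * its own bounds check. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define VARIABLE_SIZE ((size_t)-1)   /* stands in for kIOUCVariableStructureSize */
#define REPORT_MAX    64

/* The kernel object a handler fills. `guard` stands in for the next
 * allocation in the same heap zone; a correct handler never touches it. */
typedef struct {
    uint8_t report[REPORT_MAX];
    uint8_t guard[64];
} report_object_t;

typedef int (*method_fn)(report_object_t *obj, const uint8_t *in, size_t in_len);

typedef struct {
    method_fn fn;
    size_t    check_struct_in_size;   /* exact size the dispatcher enforces, or VARIABLE_SIZE */
} method_entry_t;

/* Bug pattern shared by the two vulnerabilities: the input's own length is
 * used for the copy into a fixed-size field. The destination is computed
 * from the enclosing object only so this demo's overrun lands in `guard`
 * instead of outside memory the process owns. */
static int submit_report_unchecked(report_object_t *obj, const uint8_t *in, size_t in_len) {
    uint8_t *dst = (uint8_t *)obj + offsetof(report_object_t, report);
    memcpy(dst, in, in_len);                       /* spills into `guard` when in_len > REPORT_MAX */
    return 0;
}

/* Hardened form: a variable-size handler owns the bounds check. */
static int submit_report_checked(report_object_t *obj, const uint8_t *in, size_t in_len) {
    if (in_len == 0 || in_len > REPORT_MAX) return -1;   /* kIOReturnBadArgument in IOKit terms */
    memcpy(obj->report, in, in_len);
    return 0;
}

/* Fixed-size sibling: the dispatcher guarantees in_len == 4. */
static int set_mode(report_object_t *obj, const uint8_t *in, size_t in_len) {
    (void)in_len;
    memcpy(obj->report, in, 4);
    return 0;
}

enum { SEL_SET_MODE = 0, SEL_SUBMIT_UNCHECKED = 1, SEL_SUBMIT_CHECKED = 2, SEL_COUNT = 3 };

static const method_entry_t methods[SEL_COUNT] = {
    { set_mode,                4 },
    { submit_report_unchecked, VARIABLE_SIZE },
    { submit_report_checked,   VARIABLE_SIZE },
};

/* Mirrors the checks done before a handler runs: selector in range, and the
 * structure input size when the entry is not variable-sized. */
int external_method(report_object_t *obj, unsigned selector, const uint8_t *in, size_t in_len) {
    if (selector >= SEL_COUNT) return -1;
    const method_entry_t *m = &methods[selector];
    if (m->check_struct_in_size != VARIABLE_SIZE && in_len != m->check_struct_in_size) return -1;
    return m->fn(obj, in, in_len);
}

/* Drives one call with a constructed 0x41-filled input of `in_len` bytes.
 * Returns -1 if the call was rejected (guard intact), 0 if it was accepted
 * and the guard is intact, 1 if it was accepted and the neighbouring
 * allocation was clobbered, -2 if rejected yet clobbered (never expected). */
int submit_outcome(unsigned selector, size_t in_len) {
    report_object_t obj;
    uint8_t in[sizeof obj];                 /* keeps the demo overrun inside `obj` */
    int clobbered = 0;
    memset(&obj, 0, sizeof obj);
    memset(in, 0x41, sizeof in);
    if (in_len > sizeof in) in_len = sizeof in;
    int status = external_method(&obj, selector, in, in_len);
    for (size_t i = 0; i < sizeof obj.guard; i++)
        if (obj.guard[i] != 0) { clobbered = 1; break; }
    if (status != 0) return clobbered ? -2 : -1;
    return clobbered;
}
```

An 80-byte input through the unchecked selector returns success and overwrites the first 16 bytes of the neighbouring object, which is exactly the primitive a heap-overflow exploit builds on; the same input through the checked selector is refused before any copy. Auditing a driver for this class of bug therefore starts from its dispatch table: every entry marked variable-size needs a handler that validates the length itself.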


0x06 iOS 9.1 public vulnerabilities

1. CVE-2015-7037 Photos sandbox escape: this vulnerability is in the com.apple.persistentURLTranslator.gatekeeper system service and was used in the Pangu jailbreak. By exploiting it, an app inside the sandbox can read and write arbitrary files outside the sandbox with the privileges of the mobile user; combined with the dyld vulnerability, an attacker can execute arbitrary code outside the sandbox.

2. CVE-2015-7084 IORegistryIterator kernel vulnerability: this kernel vulnerability is in IOKit. The IORegistryIterator object has no mutex protection, so concurrent operations on its members corrupt its state. The race can be triggered directly from inside the sandbox and converted into a kernel information leak and kernel code execution, giving a non-persistent jailbreak.


0x07 iOS 9.0 public exploitable vulnerabilities

1. CVE-2015-6974 IOHIDFamily kernel vulnerability: this vulnerability is in the IOHIDResource kernel service. After terminateDevice, the device pointer is not set to NULL, leaving a use-after-free. It was used in the Pangu iOS 9.0 jailbreak; with it, an attacker gains arbitrary kernel read/write and a non-persistent jailbreak. Note that the kernel service cannot be reached directly from inside the sandbox, so exploiting it requires a sandbox escape first.
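The IOHIDResource bug above and the GasGauge race in 0x04 are two faces of one object-lifecycle mistake: teardown that neither serializes against other callers nor clears the pointer it frees. The C program below is an added example written for this article, not Apple's kernel code; resource_t, device_t and the function names are assumptions that model the pattern in user space. It puts the buggy teardown next to the hardened one (swap the pointer to NULL under the lock, free outside it) and exposes small scenario functions so the difference can be checked rather than just described. Because the buggy path would really free the same block twice, the demo runs it only once and reports the dangling pointer a second caller would find.

```c
/* Added example (not Apple's code): the teardown lifecycle bug shared by the
 * IOHIDResource and GasGauge vulnerabilities, modelled in user space. */
#include <stdlib.h>
#include <stddef.h>
#include <pthread.h>

typedef struct {
    int id;
} device_t;

typedef struct {
    device_t       *dev;
    pthread_mutex_t lock;
} resource_t;

/* Counts trips through the free path so a scenario can prove how many times
 * the same block was released. */
static int free_calls = 0;

static void device_free(device_t *d) { free_calls++; free(d); }

int resource_init(resource_t *r, int id) {
    r->dev = malloc(sizeof *r->dev);
    if (!r->dev) return -1;
    r->dev->id = id;
    pthread_mutex_init(&r->lock, NULL);
    free_calls = 0;
    return 0;
}

/* Bug pattern: the device is released with no lock held and the pointer is
 * left dangling. A concurrent caller (GasGauge) or a later request
 * (IOHIDResource) then frees or uses memory that is already gone. */
int terminate_device_buggy(resource_t *r) {
    if (r->dev == NULL) return -1;
    device_free(r->dev);            /* r->dev still points at the freed block */
    return 0;
}

/* Hardened form: detach under the lock, release outside it. Two racing
 * callers serialize on the lock; the loser sees NULL and the block is freed
 * exactly once. */
int terminate_device_fixed(resource_t *r) {
    pthread_mutex_lock(&r->lock);
    device_t *d = r->dev;
    r->dev = NULL;
    pthread_mutex_unlock(&r->lock);
    if (d == NULL) return -1;
    device_free(d);
    return 0;
}

/* A later request against the resource: returns the device id, or -1 once
 * the device is gone. Checking under the same lock is what makes it safe. */
int device_query(resource_t *r) {
    pthread_mutex_lock(&r->lock);
    int id = r->dev ? r->dev->id : -1;
    pthread_mutex_unlock(&r->lock);
    return id;
}

/* Scenario: one teardown, then report whether the pointer still dangles
 * (1) or was cleared (0). Only the pointer value is inspected, never the
 * freed memory. */
int dangling_after_terminate(int fixed) {
    resource_t r;
    if (resource_init(&r, 7) != 0) return -1;
    if (fixed) terminate_device_fixed(&r); else terminate_device_buggy(&r);
    int dangling = r.dev != NULL;
    pthread_mutex_destroy(&r.lock);
    return dangling;
}

/* Scenario: two teardowns on the hardened path. Returns the number of free
 * calls made (expected 1), or 99 if the second teardown wrongly succeeded. */
int fixed_free_count_after_two_terminates(void) {
    resource_t r;
    if (resource_init(&r, 7) != 0) return -1;
    terminate_device_fixed(&r);
    int second = terminate_device_fixed(&r);
    pthread_mutex_destroy(&r.lock);
    return second == 0 ? 99 : free_calls;
}

/* Scenario: query after a hardened teardown must fail cleanly (-1). */
int fixed_query_after_terminate(void) {
    resource_t r;
    if (resource_init(&r, 7) != 0) return -1;
    int before = device_query(&r);   /* 7 */
    terminate_device_fixed(&r);
    int after = device_query(&r);
    pthread_mutex_destroy(&r.lock);
    return before == 7 ? after : -99;
}
```

The hardened teardown is the shape a kernel fix takes: the decision "is there still a device" and the act of detaching it happen atomically under the lock, so neither a racing thread nor a later request can observe the freed pointer. The user-space mutex stands in for the lock an IOKit driver would take around the same critical section.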


0x08 Summary

As the list shows, the number of publicly available exploitable vulnerabilities in 2016 was very large, a sharp increase over 2015. Although Apple pushes updates quickly and does not allow downgrades, more and more older devices are being left behind (the iPhone 4s and earlier cannot be upgraded to iOS 10), and users' expectations of new releases keep falling, so the update rate of iOS devices has become very slow.


According to data from a professional mobile analytics platform in December 2016, only 3.28% of devices had updated to the latest release, iOS 10.2. That leaves 96.72% of devices exposed to the recently published mach_portal chain. We expect the number of iOS vulnerabilities to keep growing in the coming year, and as exploitation techniques become public, black- and grey-market actors are very likely to use them against users. We urge users to take the security of their iOS devices seriously.

Finally, readers interested in the vulnerabilities covered in this article can find further information on our GitHub:


For more Alibaba security technical articles and reports, visit the Alibaba Cloud Security blog.
