SlideShare a Scribd company logo

英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug

Wang Hao Lee, profile picture
Wang Hao Lee

The document provides guidance on finding kernel bugs in iOS through fuzzing techniques. It begins with background on the iOS kernel architecture and known bugs. It then discusses passive fuzzing by hooking IOKit interfaces and active fuzzing by programmatically testing IOKit driver methods. The document demonstrates analyzing two example crashes to understand the bugs through static analysis and reverse engineering techniques when debug is difficult. The conclusion encourages fuzzing to find new bugs and improving kernel code quality.

Technology
1 of 74
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
1 Find Your Own iOS Kernel Bug Chen Xiaobo & Xu Hao
2 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
3 iOS Kernel Basics OSX is older that iOS Guess iOS kernel is developed based on OSX kernel Learn from OSX kernel OSX kernel concepts Early derived from FreeBSD kernel Named as XNU Open source
4 XNU Open Source http://www.opensource.apple.com/source/xnu/xnu- 2050.7.9/ Important components Mach - Low level abstraction of kernel BSD - High level abstraction of kernel IOKit - Apple kernel extension framework
5 BSD Implement File System, Socket and ... Export POSIX API Basic interface between kernel and user space sysent[] - store kernel function address typedef int32_t sy_call_t(struct proc *, void *, int *); function call number - /usr/include/sys/syscall.h
6 IOKit Framework for kernel extension Subset of C++ - Object-Oriented driver programming
7 IOKit Objects OSObject Root object of all IOKit objects Overwrite new operator to alloc memory Declare “init” method to initialize object self OSMetaClass Run-time object type check According to object name OSDynamicCast
8 IOKit Objects IOService Define an interface for most kernel extension Basic methods - init / start / stop / attach / detach / probe ioreg - list all attached IOService Available in Cydia
9 Write IOKit Service - Inherit from IOService Overwrite basic methods - init / start / stop / probe Control - Inherit from IOUserClient Allow user space control Modify plist file At least one IOKitPersonalities CFBundleIdentifier/IOClass/IOProviderClass/IOMatchCategory/IOUserClient Class/IOResourceMatch
10 Kernelcache Store all kernel modules (XNU / extensions) into one cache file iBoot will load the whole kernelcache and jump to entry An encrypted and packed IMG3 file /System/Library/Caches/com.apple.kernelcaches/kernelcache For old devices (A4 devices) Use xpwntool to decrypt original cache with IV + KEY A5 devices No IV + KEY available
11 Kernelcache How to get kernelcache for A5 devices Dump from kernel memory task_for_pid(0) & vm_read to dump kernel memory Read size must less then 0x1000 for once Find all Mach-O header - test magic 0xFEEDFACE Determine the whole cache size Open with IDA - fail Lack of prelink info
12 Kernelcache Dump each kernel extension Write a kextstat for iOS Just call CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef) from IOKit framework
13 Reverse Kernel Kernelcache is combined with lots of Mach-O files IDA Pro 6.2 could identify each Mach-O file Reverse the whole kernel together Open “Segmentation” view
14 Reverse IOKit Extension IOKit constructor example First call OSObject::new to allocate memory Then init IOService At last init OSMetaClass
15 Debug iOS Kernel KDP code is included in kernel KDP via UART SerialKDPProxy to perform proxy between serial and UDP Need serial communicate between USB and Dock connector Make a cable by your own Using redsn0w to set boot-args -a “-v debug=0x09”
16 Debug iOS Kernel A5 CPU Devices No limera1n vulnerability - no way to set boot-arg Need a kernel exploit to cheat kernel with boot-arg & debug enable See “iOS5 An Exploitation Nightmare” from Stefan Esser for details
17 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
18 Summary of Known Bugs iOS kernel attack surface Socket/Syscalls ioctl FileSystem drivers HFS iOKit Device drivers (USB/Baseband etc)
19 CVE-2010-2973 CVE-2010-2973 - IOSurfaceRoot integer overflow Used in the jailbreakme 2 as PE exploit Can be triggered by mobile user apps (MobileSafari) Malformed IOSurfaceAllocSize/IOSurfaceBytesPerRow/IOSurfaceHeight/IOSur faceWidth values in the plist Create a Surface object using above plist and return a userland ptr Calling memcpy to overflow the important kernel structure to disable the security protection
20 CVE-2010-2973 CVE-2010-2973 - IOSurfaceRoot integer overflow The plist Exploit: https://github.com/comex/star/blob/master/goo/zero.py
21 CVE-2011-0227 CVE-2011-0227 - IOMobileFrameBuffer Type Conversion Issue RootCause happens in the IOMobileFrameBuffer are not properly to check the object when doing conversion Suppose to call OSDynamicCast() while doing type casting/conversion The user able to control the vtable function pointer to get code execution
22 CVE-2011-0227 CVE-2011-0227 - IOMobileFrameBuffer Type Conversion Issue PoC: Fully exploit: https://github.com/comex/star_/blob/master/catalog/catalog.py
23 Summary of Known Bugs Conclusion They are both PE vulns because it is happens in the IOKit drivers framework Closed source and less people pay attention Good target for bug hunting!
24 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
25 Passive Fuzz Passive Fuzz First idea coming out is fuzzing Less work with good results Write a IOKit client to understand how the IOKit works Fuzzing parameters for IOConnectCallStructMethod/IOConnectCallScalarMethod In the low-level both above APIs are calling to the IOConnectCallMethod
26 Passive Fuzz Why we need passive fuzzing? They key point is pay less works because we are lazy to audit code :P Just like hook DeviceIoControl on the win32 to hunting kernel bugs We are going to hook IOConnectCallMethod to do the passive fuzzing
27 Passive Fuzz The Preparation Finding a good hook framework for iOS MobileSubstrate http://iphonedevwiki.net/index.php/MobileSubstrate MSHookFunction/MSHookMessage for C/Object Method hook Not much documents but enough to make it work
28 Passive Fuzz TheOS/Tweak Base the mobilesubstrate but more user-friendly https://github.com/DHowett/theos
29 Passive Fuzz You can also using interpose (dyld function) Redirect the functions in the import table No libmobilesubstrate required. Inject your dylib via DYLD_INSERT_LIBRARIES to make your fuzzer running!
30 Passive Fuzz Tips Struct object could be Data/Plist(XML), So pay some work here. Scalar object are integer values only, random enough to find some interesting stuffs. Results: NULL pointer deference/Kernel Use-after-free/handled panic exception
31 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
32 Active Fuzz Weakness of passive fuzz Only cover small amount of IOKit interfaces Needs interaction - keep using your iPhone Not so efficient - waste time Advantage of active fuzz Cover most of IOKit interfaces Automatically and efficient
33 Rough Idea Find all IOKit drivers with IOUserClient Identify all external methods of the driver Test all those methods
34 External Methods External methods are used by IOKit to provide function to user- space application Application call IOConnectCallMethod to control driver selector - which method should be called input / output - Array of uint64_t or struct data
35 Kernel Dispatch IOConnectCallMethod -> IOUserClient:: externalMethod if dispatch != NULL Check input and output size & call dispatch->function else call getTargetAndMethodForIndex Check type and size & call method->func
36 IOKit Implement Overwrite externalMethod Example
37 IOKit Implement
38 IOKit Implement Overwrite getTargetAndMethodForIndex Example
39 Key Point Know what to fuzz Get IOExternalMethodDispatch sMethods[] Get IOExternalMethod methodTemplate[]
40 How For the IOKit drivers without source code Reverse the KernelCache with symbol problem resolved IOKit structure you should know IOExternalMethodDispatch & IOExternalMethod Filter the IOKit keywords in the IDA name window sMethods etc. Will list all the IOKit drivers interface
41 sMethods We have the interface names & address
42 sMethods But there are just bytes in the method dispatch table IDA pro currently not handle it properly
43 sMethods After some manually work (Mark to the DCD) We can see some function pointers, but still ugly
44 Work Todo Need some IDA Python works here Add IOKit struct information in the idb file (IOExternalMethodDispatch & IOExternalMethod) Find the dispatch table range and mark it to the correct struct.
45 Result Looks better now We have dispatch function, flag, input/output count.
46 Correct Input Flags defines I = input O = output For example, type 3 means: Struct input & output We must pass the correct input/output type and count, otherwise the request will be rejected Start coding your own actively fuzzer!
47 Extra You can also add the vtable information if you like to audit code Before After
48 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
49 Are There Bugs? Definitely YES Crashes could be easily generated by our fuzzer Actually kernel code of iOS is not as good as you imagine However analyzing crash is a hard job No code or symbols for most IOKit drivers Kernel debug is kinda of crap Any exploitable bug? This is a QUESTION
50 IOKit Bug Analysis Simplify crash code Code is generated by fuzzer - there are many IOConnectCallMethod calls Simplify the code could help you a lot when doing static analysis Look at panic log fault_type & register values Static analysis Understand the bug and trigger path Debug Write exploit
51 Bug Sample I Let’s look at the code first
52 Bug Sample I Then the panic log PC = 0x80455c3c fault_addr = 0x0
53 Bug Sample I Where did it crash Try to read data at R1(=0) cause the panic R1 is the second parameter of this function It is mostly like a NULL ptr reference bug :( We shall dig deeper anyway
54 Bug Sample I Locate sMethod array First to find AppleVXD375UserClient::externalMethod, which should overwrite IOUserClient’s method IOUserClient has symbols, see vtable for it externalMethod pointer offset in vtable
55 Bug Sample I Locate sMethod array Search IOUserClient::registerNotificationPort address in “const” segment Find externalMethod pointer in vtable for AppleVXD375UserClient AppleVXD375UserClient::externalMethod Get IOExternalMethodDispatch struct from sMethod array Call IOUserClient::externalMethod to dispatch it
56 Bug Sample I sMethod = 0x80469700
57 Bug Sample I selector = 1 dispatch struct in sMethod function address = 0x80457534 checkStructureInputSize = 0x4 checkStructureOutputSize = 0x108 Remember the trigger code?
58 Bug Sample I The whole call path externalMethod -> sub_ 80457534 -> sub_ 804577EC -> sub_8045779C -> sub_80456768 -> sub_80455C34 -> panic sub_ 804577EC call OSObject::release first This method should be used to destroy AppleVXD375UserClient itself sub_8045779C should be responsible for freeing memory R1(=0) maybe some class or struct address stored in AppleVXD375UserClient object
59 Bug Sample I Understand this bug We manually try to destroy AppleVXD375UserClient When in procedure, it will manipulate some object without checking if it is already created Lacks of basic check code like if (obj->ptr != NULL) We are not able to control PC register
60 Bug Sample II Code first
61 Bug Sample II Panic log PC = 0x00000000 Looks better than last one
62 Bug Sample II Where did it crash We got useless PC and no call stack But luckily we had LR - store return address Looks like calling method of certain object R4 - object pointer R0 - vtable
63 Bug Sample II Crash code snapshot
64 Bug Sample II Crash code analysis Input R0 - IOAccelUserClient *self R1 - int index IOAccel *service = self + 0x78 OSObject *array[] = service + 0x10 Call array[index]->method = NULL
65 Bug Sample II Weird Why the object’s method pointer is NULL Guess Mistake it as a different object without checking Todo Figure out what’s at 0x10 offset
66 Bug Sample II Locate external methods This time it overwrite getTargetAndMethodForIndex
67 Bug Sample II IOExternalMethod methodTemplate[5]
68 Bug Sample II Where is selector 6 function ? Check reference to IOAccelUserClient::vtable It has a child object - IOIMGSGXUserClient Easy to find getTargetAndMethodForIndex again
69 Bug Sample II When selector > 5, use its own methodTemplate[3]
70 Bug Sample II What’s at offset 0x10 ? Look inside into selector 6 function
71 Bug Sample II Object is created, check vtable 0x8090E5B8 0x8090E5B8+0x3C = 0x8090E5F4
72 Bug Sample II Here is the story selector 6 function call sub_80907A4C to create an object and put it in object array at 0x10 offset selector 3 function get object pointer from the array and call its method without checking its class type Actually the child has its own create/destroy method. If the child create an object and make father to destroy it, PANIC ! Apple should call more OSMetaClassBase::safeMetaCast :P
73 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
74 Conclusion Apple should audit iOS kernel code, especially code of IOKit extensions Since debug is quite hard, static analysis according to panic log is very helpful Fuzz your own iOS kernel bug !

More Related Content

PDF
OS X Drivers Reverse Engineering
Positive Hack Days
 
PDF
Find your own iOS kernel bug
Gustavo Martinez
 
PDF
The Python bites your apple
Qidan He
 
PDF
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Liang Chen
 
PPTX
Code Injection in Windows
n|u - The Open Security Community
 
PDF
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
PDF
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
PDF
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
OS X Drivers Reverse Engineering
Positive Hack Days
 
Find your own iOS kernel bug
Gustavo Martinez
 
The Python bites your apple
Qidan He
 
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Liang Chen
 
Code Injection in Windows
n|u - The Open Security Community
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 

What's hot (20)

PPTX
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
PDF
Attack your Trusted Core
Di Shen
 
PDF
Process injection - Malware style
Sander Demeester
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
PDF
Anti Debugging
n|u - The Open Security Community
 
PDF
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
PDF
Anti-Debugging - A Developers View
Tyler Shields
 
PDF
JDK Mission Control: Where We Are, Where We Are Going [Code One 2019]
David Buck
 
PDF
Using the Android Native Development Kit (NDK)
Xavier Hallade
 
PDF
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
CODE BLUE
 
PDF
Dynamic Binary Instrumentation
Cysinfo Cyber Security Community
 
PPTX
Android ndk
Khiem-Kim Ho Xuan
 
DOCX
C# tutorial
sarangowtham_gunnam
 
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
PDF
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Stefan Esser
 
PDF
Targeting the iOS kernel
Seguridad Apple
 
PPTX
Return oriented programming (ROP)
Pipat Methavanitpong
 
PDF
The why and how of moving to php 7
Wim Godden
 
PDF
Using the Android Native Development Kit (NDK)
DroidConTLV
 
PDF
FusionInventory at LSM/RMLL 2012
Nouh Walid
 
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Attack your Trusted Core
Di Shen
 
Process injection - Malware style
Sander Demeester
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Anti Debugging
n|u - The Open Security Community
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Anti-Debugging - A Developers View
Tyler Shields
 
JDK Mission Control: Where We Are, Where We Are Going [Code One 2019]
David Buck
 
Using the Android Native Development Kit (NDK)
Xavier Hallade
 
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
CODE BLUE
 
Dynamic Binary Instrumentation
Cysinfo Cyber Security Community
 
Android ndk
Khiem-Kim Ho Xuan
 
C# tutorial
sarangowtham_gunnam
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Stefan Esser
 
Targeting the iOS kernel
Seguridad Apple
 
Return oriented programming (ROP)
Pipat Methavanitpong
 
The why and how of moving to php 7
Wim Godden
 
Using the Android Native Development Kit (NDK)
DroidConTLV
 
FusionInventory at LSM/RMLL 2012
Nouh Walid
 
Ad

Similar to 英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug (20)

PDF
Sniffing Mach Messages
Mikhail Sosonkin
 
PDF
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
 
PDF
Readactor-Practical Code Randomization Resilient to Memory Disclosure
ch0psticks
 
PDF
NYU Hacknight: iOS and OSX ABI
Mikhail Sosonkin
 
PDF
Beachhead implements new opcode on CLR JIT
Kouji Matsui
 
PDF
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
PDF
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
PDF
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
MindShare_kk
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
PPTX
Pyjion - a JIT extension system for CPython
Anthony Shaw
 
PDF
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
Code Engn
 
PDF
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
PROIDEA
 
PDF
MattsonTutorialSC14.pdf
George Papaioannou
 
PDF
Code quality par Simone Civetta
CocoaHeads France
 
PPTX
How to drive a malware analyst crazy
Michael Boman
 
PPTX
44CON London 2015 - How to drive a malware analyst crazy
44CON
 
PDF
Browser exploitation SEC-T 2019 stockholm
Jameel Nabbo
 
PDF
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
PDF
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
PDF
How to write clean & testable code without losing your mind
Andreas Czakaj
 
Sniffing Mach Messages
Mikhail Sosonkin
 
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
ch0psticks
 
NYU Hacknight: iOS and OSX ABI
Mikhail Sosonkin
 
Beachhead implements new opcode on CLR JIT
Kouji Matsui
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
MindShare_kk
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Pyjion - a JIT extension system for CPython
Anthony Shaw
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
Code Engn
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
PROIDEA
 
MattsonTutorialSC14.pdf
George Papaioannou
 
Code quality par Simone Civetta
CocoaHeads France
 
How to drive a malware analyst crazy
Michael Boman
 
44CON London 2015 - How to drive a malware analyst crazy
44CON
 
Browser exploitation SEC-T 2019 stockholm
Jameel Nabbo
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
How to write clean & testable code without losing your mind
Andreas Czakaj
 
Ad

Recently uploaded (20)

PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Doc9.....................................
SofiaCollazos
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Doc9.....................................
SofiaCollazos
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 

英文【Xu hao chen xiaobo】find your_own_ios_kernel_bug

  • 1. 1 Find Your Own iOS Kernel Bug Chen Xiaobo & Xu Hao
  • 2. 2 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 3. 3 iOS Kernel Basics OSX is older that iOS Guess iOS kernel is developed based on OSX kernel Learn from OSX kernel OSX kernel concepts Early derived from FreeBSD kernel Named as XNU Open source
  • 4. 4 XNU Open Source http://www.opensource.apple.com/source/xnu/xnu- 2050.7.9/ Important components Mach - Low level abstraction of kernel BSD - High level abstraction of kernel IOKit - Apple kernel extension framework
  • 5. 5 BSD Implement File System, Socket and ... Export POSIX API Basic interface between kernel and user space sysent[] - store kernel function address typedef int32_t sy_call_t(struct proc *, void *, int *); function call number - /usr/include/sys/syscall.h
  • 6. 6 IOKit Framework for kernel extension Subset of C++ - Object-Oriented driver programming
  • 7. 7 IOKit Objects OSObject Root object of all IOKit objects Overwrite new operator to alloc memory Declare “init” method to initialize object self OSMetaClass Run-time object type check According to object name OSDynamicCast
  • 8. 8 IOKit Objects IOService Define an interface for most kernel extension Basic methods - init / start / stop / attach / detach / probe ioreg - list all attached IOService Available in Cydia
  • 9. 9 Write IOKit Service - Inherit from IOService Overwrite basic methods - init / start / stop / probe Control - Inherit from IOUserClient Allow user space control Modify plist file At least one IOKitPersonalities CFBundleIdentifier/IOClass/IOProviderClass/IOMatchCategory/IOUserClient Class/IOResourceMatch
  • 10. 10 Kernelcache Store all kernel modules (XNU / extensions) into one cache file iBoot will load the whole kernelcache and jump to entry An encrypted and packed IMG3 file /System/Library/Caches/com.apple.kernelcaches/kernelcache For old devices (A4 devices) Use xpwntool to decrypt original cache with IV + KEY A5 devices No IV + KEY available
  • 11. 11 Kernelcache How to get kernelcache for A5 devices Dump from kernel memory task_for_pid(0) & vm_read to dump kernel memory Read size must less then 0x1000 for once Find all Mach-O header - test magic 0xFEEDFACE Determine the whole cache size Open with IDA - fail Lack of prelink info
  • 12. 12 Kernelcache Dump each kernel extension Write a kextstat for iOS Just call CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef) from IOKit framework
  • 13. 13 Reverse Kernel Kernelcache is combined with lots of Mach-O files IDA Pro 6.2 could identify each Mach-O file Reverse the whole kernel together Open “Segmentation” view
  • 14. 14 Reverse IOKit Extension IOKit constructor example First call OSObject::new to allocate memory Then init IOService At last init OSMetaClass
  • 15. 15 Debug iOS Kernel KDP code is included in kernel KDP via UART SerialKDPProxy to perform proxy between serial and UDP Need serial communicate between USB and Dock connector Make a cable by your own Using redsn0w to set boot-args -a “-v debug=0x09”
  • 16. 16 Debug iOS Kernel A5 CPU Devices No limera1n vulnerability - no way to set boot-arg Need a kernel exploit to cheat kernel with boot-arg & debug enable See “iOS5 An Exploitation Nightmare” from Stefan Esser for details
  • 17. 17 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 18. 18 Summary of Known Bugs iOS kernel attack surface Socket/Syscalls ioctl FileSystem drivers HFS iOKit Device drivers (USB/Baseband etc)
  • 19. 19 CVE-2010-2973 CVE-2010-2973 - IOSurfaceRoot integer overflow Used in the jailbreakme 2 as PE exploit Can be triggered by mobile user apps (MobileSafari) Malformed IOSurfaceAllocSize/IOSurfaceBytesPerRow/IOSurfaceHeight/IOSur faceWidth values in the plist Create a Surface object using above plist and return a userland ptr Calling memcpy to overflow the important kernel structure to disable the security protection
  • 20. 20 CVE-2010-2973 CVE-2010-2973 - IOSurfaceRoot integer overflow The plist Exploit: https://github.com/comex/star/blob/master/goo/zero.py
  • 21. 21 CVE-2011-0227 CVE-2011-0227 - IOMobileFrameBuffer Type Conversion Issue RootCause happens in the IOMobileFrameBuffer are not properly to check the object when doing conversion Suppose to call OSDynamicCast() while doing type casting/conversion The user able to control the vtable function pointer to get code execution
  • 22. 22 CVE-2011-0227 CVE-2011-0227 - IOMobileFrameBuffer Type Conversion Issue PoC: Fully exploit: https://github.com/comex/star_/blob/master/catalog/catalog.py
  • 23. 23 Summary of Known Bugs Conclusion They are both PE vulns because it is happens in the IOKit drivers framework Closed source and less people pay attention Good target for bug hunting!
  • 24. 24 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 25. 25 Passive Fuzz Passive Fuzz First idea coming out is fuzzing Less work with good results Write a IOKit client to understand how the IOKit works Fuzzing parameters for IOConnectCallStructMethod/IOConnectCallScalarMethod In the low-level both above APIs are calling to the IOConnectCallMethod
  • 26. 26 Passive Fuzz Why we need passive fuzzing? They key point is pay less works because we are lazy to audit code :P Just like hook DeviceIoControl on the win32 to hunting kernel bugs We are going to hook IOConnectCallMethod to do the passive fuzzing
  • 27. 27 Passive Fuzz The Preparation Finding a good hook framework for iOS MobileSubstrate http://iphonedevwiki.net/index.php/MobileSubstrate MSHookFunction/MSHookMessage for C/Object Method hook Not much documents but enough to make it work
  • 28. 28 Passive Fuzz TheOS/Tweak Base the mobilesubstrate but more user-friendly https://github.com/DHowett/theos
  • 29. 29 Passive Fuzz You can also using interpose (dyld function) Redirect the functions in the import table No libmobilesubstrate required. Inject your dylib via DYLD_INSERT_LIBRARIES to make your fuzzer running!
  • 30. 30 Passive Fuzz Tips Struct object could be Data/Plist(XML), So pay some work here. Scalar object are integer values only, random enough to find some interesting stuffs. Results: NULL pointer deference/Kernel Use-after-free/handled panic exception
  • 31. 31 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 32. 32 Active Fuzz Weakness of passive fuzz Only cover small amount of IOKit interfaces Needs interaction - keep using your iPhone Not so efficient - waste time Advantage of active fuzz Cover most of IOKit interfaces Automatically and efficient
  • 33. 33 Rough Idea Find all IOKit drivers with IOUserClient Identify all external methods of the driver Test all those methods
  • 34. 34 External Methods External methods are used by IOKit to provide function to user- space application Application call IOConnectCallMethod to control driver selector - which method should be called input / output - Array of uint64_t or struct data
  • 35. 35 Kernel Dispatch IOConnectCallMethod -> IOUserClient:: externalMethod if dispatch != NULL Check input and output size & call dispatch->function else call getTargetAndMethodForIndex Check type and size & call method->func
  • 39. 39 Key Point Know what to fuzz Get IOExternalMethodDispatch sMethods[] Get IOExternalMethod methodTemplate[]
  • 40. 40 How For the IOKit drivers without source code Reverse the KernelCache with symbol problem resolved IOKit structure you should know IOExternalMethodDispatch & IOExternalMethod Filter the IOKit keywords in the IDA name window sMethods etc. Will list all the IOKit drivers interface
  • 41. 41 sMethods We have the interface names & address
  • 42. 42 sMethods But there are just bytes in the method dispatch table IDA pro currently not handle it properly
  • 43. 43 sMethods After some manually work (Mark to the DCD) We can see some function pointers, but still ugly
  • 44. 44 Work Todo Need some IDA Python works here Add IOKit struct information in the idb file (IOExternalMethodDispatch & IOExternalMethod) Find the dispatch table range and mark it to the correct struct.
  • 45. 45 Result Looks better now We have dispatch function, flag, input/output count.
  • 46. 46 Correct Input Flags defines I = input O = output For example, type 3 means: Struct input & output We must pass the correct input/output type and count, otherwise the request will be rejected Start coding your own actively fuzzer!
  • 47. 47 Extra You can also add the vtable information if you like to audit code Before After
  • 48. 48 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 49. 49 Are There Bugs? Definitely YES Crashes could be easily generated by our fuzzer Actually kernel code of iOS is not as good as you imagine However analyzing crash is a hard job No code or symbols for most IOKit drivers Kernel debug is kinda of crap Any exploitable bug? This is a QUESTION
  • 50. 50 IOKit Bug Analysis Simplify crash code Code is generated by fuzzer - there are many IOConnectCallMethod calls Simplify the code could help you a lot when doing static analysis Look at panic log fault_type & register values Static analysis Understand the bug and trigger path Debug Write exploit
  • 51. 51 Bug Sample I Let’s look at the code first
  • 52. 52 Bug Sample I Then the panic log PC = 0x80455c3c fault_addr = 0x0
  • 53. 53 Bug Sample I Where did it crash Try to read data at R1(=0) cause the panic R1 is the second parameter of this function It is mostly like a NULL ptr reference bug :( We shall dig deeper anyway
  • 54. 54 Bug Sample I Locate sMethod array First to find AppleVXD375UserClient::externalMethod, which should overwrite IOUserClient’s method IOUserClient has symbols, see vtable for it externalMethod pointer offset in vtable
  • 55. 55 Bug Sample I Locate sMethod array Search IOUserClient::registerNotificationPort address in “const” segment Find externalMethod pointer in vtable for AppleVXD375UserClient AppleVXD375UserClient::externalMethod Get IOExternalMethodDispatch struct from sMethod array Call IOUserClient::externalMethod to dispatch it
  • 56. 56 Bug Sample I sMethod = 0x80469700
  • 57. 57 Bug Sample I selector = 1 dispatch struct in sMethod function address = 0x80457534 checkStructureInputSize = 0x4 checkStructureOutputSize = 0x108 Remember the trigger code?
  • 58. 58 Bug Sample I The whole call path externalMethod -> sub_ 80457534 -> sub_ 804577EC -> sub_8045779C -> sub_80456768 -> sub_80455C34 -> panic sub_ 804577EC call OSObject::release first This method should be used to destroy AppleVXD375UserClient itself sub_8045779C should be responsible for freeing memory R1(=0) maybe some class or struct address stored in AppleVXD375UserClient object
  • 59. 59 Bug Sample I Understand this bug We manually try to destroy AppleVXD375UserClient When in procedure, it will manipulate some object without checking if it is already created Lacks of basic check code like if (obj->ptr != NULL) We are not able to control PC register
  • 61. 61 Bug Sample II Panic log PC = 0x00000000 Looks better than last one
  • 62. 62 Bug Sample II Where did it crash We got useless PC and no call stack But luckily we had LR - store return address Looks like calling method of certain object R4 - object pointer R0 - vtable
  • 63. 63 Bug Sample II Crash code snapshot
  • 64. 64 Bug Sample II Crash code analysis Input R0 - IOAccelUserClient *self R1 - int index IOAccel *service = self + 0x78 OSObject *array[] = service + 0x10 Call array[index]->method = NULL
  • 65. 65 Bug Sample II Weird Why the object’s method pointer is NULL Guess Mistake it as a different object without checking Todo Figure out what’s at 0x10 offset
  • 66. 66 Bug Sample II Locate external methods This time it overwrite getTargetAndMethodForIndex
  • 68. 68 Bug Sample II Where is selector 6 function ? Check reference to IOAccelUserClient::vtable It has a child object - IOIMGSGXUserClient Easy to find getTargetAndMethodForIndex again
  • 69. 69 Bug Sample II When selector > 5, use its own methodTemplate[3]
  • 70. 70 Bug Sample II What’s at offset 0x10 ? Look inside into selector 6 function
  • 71. 71 Bug Sample II Object is created, check vtable 0x8090E5B8 0x8090E5B8+0x3C = 0x8090E5F4
  • 72. 72 Bug Sample II Here is the story selector 6 function call sub_80907A4C to create an object and put it in object array at 0x10 offset selector 3 function get object pointer from the array and call its method without checking its class type Actually the child has its own create/destroy method. If the child create an object and make father to destroy it, PANIC ! Apple should call more OSMetaClassBase::safeMetaCast :P
  • 73. 73 Content iOS Kernel Basics Summary of Known Bugs Passive Fuzz Active Fuzz Analyze Real Bug Conclusion
  • 74. 74 Conclusion Apple should audit iOS kernel code, especially code of IOKit extensions Since debug is quite hard, static analysis according to panic log is very helpful Fuzz your own iOS kernel bug !