Exploiting Unpatched iOS Vulnerabilities for Fun and Profit

Presented at Black Hat USA 2014, Aug. 7, 2014, 11:45 a.m. (60 minutes)

Patching all vulnerabilities in a modern, complex software system (e.g., Windows, iOS) is often difficult due to the volume of bugs and response-time requirements. Instead, software vendors usually devise quick workarounds to mitigate the exploitation of a given vulnerability. However, those patches are sometimes incomplete, and attackers can use different attack vectors to re-exploit a patched vulnerability. iOS is no exception. In this presentation, we will disclose our process for jailbreaking the latest version of iOS (version 7.1.1), running on any iOS device, including the iPhone 5s as well as older iPads and iPods. We start by finding new ways to exploit vulnerabilities with incomplete patches. We then use these vulnerabilities to discover new avenues of attack. Finally, we chain together these vulnerabilities and new attacks to run unsigned code outside the sandbox with root permissions and to defeat mandatory code signing. We include a detailed disclosure of several new vulnerabilities and the exploit techniques that we developed.

Presenters:

  • Billy Lau - Georgia Institute of Technology
    Billy Lau is a Research Scientist at the Georgia Institute of Technology. He is primarily interested in information security, with emphasis on hypervisors, operating systems and user applications. Recently, he has been examining the security designs and impacts of the emerging mobile devices in the marketplace. In particular, he loves to challenge the status quo on conventional security assumptions, which are often broken when put to the test. He graduated from the University of Michigan at Ann Arbor with a Master of Engineering in Computer Science and from the University of Illinois at Urbana-Champaign with a Bachelor of Science in Computer Engineering. He hopes to make a difference by making usable computer systems more secure and secure systems more usable.
  • Byoungyoung Lee - Georgia Institute of Technology
    Byoungyoung Lee is a PhD student at Georgia Tech. He has interests in both practical and academic software security research. He is one of the contributors to the DarunGrim project, a popular binary diffing tool. With this project, he runs the ExploitShop blog, which uncovers many different Microsoft-patched vulnerabilities. He has spoken at Black Hat and Infosec Southwest before, and he has also actively participated in wargames and advanced to the DEF CON CTF finals several times. He also loves to write fuzzers targeting various software products for bug bounties.
  • Tielei Wang - Georgia Institute of Technology
    Tielei Wang is a Research Scientist at the Georgia Institute of Technology. His research interests include system security, software security, and mobile security, with an emphasis on advanced attack and defense techniques. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011.
  • Yeongjin Jang - Georgia Institute of Technology
    Yeongjin is a PhD student at the Georgia Institute of Technology. His research interests are focused on operating system and mobile security. Prior to joining Georgia Tech, he participated in various capture-the-flag (CTF) competitions, including DEF CON CTF, CODEGATE, etc. He received his BS degree in Computer Science from KAIST in 2010.
