Pangu 9 Internals

Presented at Black Hat USA 2016, Aug. 4, 2016, 2:30 p.m. (50 minutes)

Pangu 9, the first (and only) untethered jailbreak tool for iOS 9, exploited a sequence of vulnerabilities in the iOS userland to achieve final arbitrary code execution in the kernel and persistent code signing bypass. Although these vulnerabilities were fixed in iOS 9.2, there are no details disclosed. This talk will reveal the internals of Pangu 9. Specifically, this talk will first present a logical error in a system service that is exploitable by any container app through XPC communication to gain arbitrary file read/write as mobile. Next, this talk will explain how Pangu 9 gains arbitrary code execution outside the sandbox through the system debugging feature. This talk will then elaborate a vulnerability in the process of loading the dyld_shared_cache file that enables Pangu 9 to achieve persistent code signing bypass. Finally, this talk will present a vulnerability in the backup-restore process that allows apps signed by a revoked enterprise certificate to execute without the need of the user's explicit approval of the certificate.

Presenters:

• Xiaobo Chen - Team Pangu
  Xiaobo Chen is a member of Team Pangu. He used to work as a Sr. research scientist at FireEye and McAfee. He participated in network security field since 2000, and have over 15 years experience in network security industry, and now he mainly focuses innovative research on software vulnerability, exploitation for Microsoft and Apple system.
• Hao Xu - Team Pangu
  Hao Xu is a member of Team Pangu. He has been involved in information security for over 10 years. His research interests range from OSX/iOS/Windows kernel security, rootkit and malware analysis, hardware virtualization technology, and reverse engineering. He is a regular speaker at Syscan 360, POC, Xcon.
• Tielei Wang - Team Pangu
  Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON.

Links:

• https://www.blackhat.com/us-16/briefings.html#pangu-9-internals
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Pangu 9 Internals.mp4
• https://www.youtube.com/watch?v=vCLf7tdjabY
• https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf

Similar Presentations:

• DEF CON 31 (2023) / Apple's Predicament: NSPredicate Exploitation on macOS and iOS
• REcon 2018 / Exploiting User-land vulnerabilities to Get Rogue App Installed Remotely on iOS 11
• DEF CON 24 (2016) / A Journey Through Exploit Mitigation Techniques in iOS