Subverting Apple Graphics: Practical Approaches to Remotely Gaining Root

Presented at Black Hat USA 2016, Aug. 3, 2016, 11:30 a.m. (50 minutes).

Apple graphics, both the userland and the kernel components, are reachable from most of the sandboxed applications, including browsers, where an attack can be launched first remotely and then escalated to obtain root privileges. On OS X, the userland graphics component is running under the WindowServer process, while the kernel component includes IOKit user clients created by IOAccelerator IOService. Similar components do exist on iOS system as well. It is the counterpart of "Win32k.sys" on Windows. In the past few years, lots of interfaces have been neglected by security researchers because some of them are not explicitly defined in the sandbox profile, yet our research reveals not only that they can be opened from a restrictive sandboxed context, but several of them are not designed to be called, exposing a large attack surface to an adversary. On the other hand, due to its complexity and various factors (such as being mainly closed source), Apple graphics internals are not well documented by neither Apple nor the security community. This leads to large pieces of code not well analyzed, including large pieces of functionality behind hidden interfaces with no necessary check in place even in fundamental components. Furthermore, there are specific exploitation techniques in Apple graphics that enable you complete the full exploit chain from inside the sandbox to gain unrestricted access. We named it "graphic-style" exploitation.

In the first part of the talk, we introduce the userland Apple graphics component WindowServer. We start from an overview of WindowServer internals, its MIG interfaces as well as "hello world" sample code. After that, we explain three bugs representing three typical security flaws: - Design related logic issue CVE-2014-1314, which we used at Pwn2Own 2014 - Logic vulnerability within hidden interfaces - The memory corruption issue we used at Pwn2Own 2016 Last but not least we talk about the "graphic-style" approach to exploit a single memory corruption bug and elevate from windowserver to root context.

The second part covers the kernel attack surface. We will show vulnerabilities residing in closed-source core graphics pipeline components of all Apple graphic drivers including the newest chipsets, analyze the root cause and explain how to use our "graphic-style" exploitation technique to obtain root on OS X El Capitan at Pwn2Own 2016. This part of code, mostly related to rendering algorithm, by its nature lies deeply in driver's core stack and requires much graphical programming background to understand and audit, and is overlooked by security researchers. As it's the fundamental of Apple's rendering engine, it hasn't been changed for years and similar issues do exist in this blue ocean. We'll also come up with a new way of kernel heap spraying, with less side-effect and more controllable content than any other previous known methods. The talk is concluded by showing two live demos of remote gaining root through a chain of exploits on OS X El Capitan. Our first demo is done by exploiting userland graphics and the second by exploiting kernel graphics.


Presenters:

  • Liang Chen - Tencent KeenLab
    Liang Chen is a senior security researcher at KeenLab of Tencent (former known as Keen Team). Liang has a strong research experience on software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation including Safari, Chrome, Internet Explorer, etc on both PC and mobile platform. Also Liang researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2own 2016. Liang is also the winner of iPhone Safari category in Mobile Pwn2own 2013 and Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015, etc.
  • Qidan He - Tencent KeenLab
    Qidan He (a.k.a Edward Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (former known as Keen Team). His major experience includes Android/iOS/OS X security and program analysis. He has reported several vulnerabilities in Android system core components and OSX Kernel, which were confirmed and credited in multiple advisories. He is the winner of Pwn2Own 2016 OS X Category and member of Master of Pwn Champion team. He has spoken at conferences like Recon, CanSecWest, HITCON and QCON.
  • Marco Grassi - Tencent KeenLab
    Marco Grassi is currently a Senior Security Researcher of the KEEN Lab of Tencent (previously known as KEEN Team). He was one of the main contributors at Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. Formerly he was a member of NowSecure R&D Team, where he researched solutions for mobile security products and performed reverse engineering, pentesting and vulnerability research in mobile OS applications and devices. When he's not poking around mobile devices, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as ZeroNights, Black Hat, Codegate, HITB and cansecwest. You can find him on Twitter at @marcograss.
  • Yubin Fu - Tencent KeenLab
    After several years research in the field of iOS/OS X security and linux kernel, currently, Yubin Fu(Qoobee @fuyubin1993) is now an intern security researcher. As a member of Blue-lotus CTF team, he participated in DEF CON 23 Final in Las Vegas and Codegate 2015 Final in Seoul. In the same year, he partnered to develop PingPong Root, and co-authored a paper about Android Root which is now published at USENIX WOOT. In 2016, Yubin took part in Pwn2Own and clinched the victory of Pwn2Own 2016 Safari target. He is also a member of "Master of Pwn" team. Now he works in KeenLab of Tencent(previously known as Keen Team), lives in Shanghai, China.

Links:

Similar Presentations: