Hack Different: Pwning iOS 14 with Generation Z Bugz

Presented at Black Hat USA 2021, Aug. 4, 2021, 3:20 p.m. (40 minutes).

The traditional Safari exploit is to gain code execution in the renderer first, then escape the sandbox with userland bugs or directly attack the kernel. However, since Safari has been under scrutiny for a long time, it is not easy to find vulnerabilities in it. Furthermore, the sandbox protection mechanism is becoming more and more challenging, so escaping the sandbox is even harder.

Instead of struggling with the state-of-the-art mitigations in WebKit, we used a brutally simple logic bug to bypass the renderer sandbox and get arbitrary JavaScript execution in another WebView without initial code execution. It was introduced in iOS 3. By using an inter-app XSS, we can launch the Calculator from MobileSafari with literally zero memory corruption. It can even read the phone number and Apple ID directly. But the exploit chain doesn't end here.

Since other WebView applications usually use a JS bridge to provide additional JSAPI interfaces, they generally expose more attack surface than Safari. In the XSS-ed WebView, a misimplemented access control of bridged Objective-C objects effectively leads to object life-cycle control, which makes a perfectly exploitable UAF. Together with another logic information leak, they show how logic bugs can threaten memory safety.

We built the arbitrary call primitive despite PAC, and further bypassed APRR to load arbitrary shellcode in a loosely sandboxed context that can access various critical personal information, such as Apple ID credentials, contacts, and camera.

Presenters:

  • Zhi Zhou - Security Researcher,
    Zhi Zhou (@CodeColorist) is a security researcher who mainly focuses on *OS security.
  • JunDong Xie - Senior Security Engineer, Ant Group Light-Year Security Lab
    JunDong Xie, a senior security researcher of Ant Security Light-Year Lab, graduated from Zhejiang University and was a member of the AAA CTF team. His main research areas are binary fuzzing, browser security, and macOS security and he achieved 10+ CVEs from Apple in 2020. He has participated in three Tianfu Cup International Cybersecurity Contests with the team from 2018 to 2020 and has broken the Safari browser, PDF reader, and many mobile devices in the competition. You can follow him on Twitter at https://twitter.com/Jdddong