Caught you - reveal and exploit IPC logic bugs inside Apple

Presented at DEF CON 29 (2021), Aug. 6, 2021, 11 a.m. (45 minutes)

Apple's iOS, macOS and other OS have existed for a long time. There are numerous interesting logic bugs hidden for many years. We demonstrated the world's first public 0day exploit running natively on Apple M1 on a MacBook Air (M1, 2020). Without any modification, we exploited an iPhone 12 Pro with the same bug. In this talk, we will show you the advantage and beauty of the IPC logic bugs, how we rule all Apple platforms, Intel and Apple Silicon alike, even with all the latest hardware mitigations enabled, without changing one line of code. We would talk about the security features introduced by Apple M1, like Pointer Authentication Code (PAC), System Integrity, and Data Protection. How did they make exploiting much harder to provide better security and protect user's privacy. We will talk about different IPC mechanisms like Mach Message, XPC, and NSXPC. They are widely used on Apple platforms which could be abused to break the well designed security boundaries. We will walk you through some incredibly fun logic bugs we have discovered, share the stories behind them and methods of finding them, and also talk about how to exploit these logic bugs to achieve privilege escalation. REFERENCES: https://www.youtube.com/watch?v=Kh6sEcdGruU https://support.apple.com/en-us/HT211931 https://support.apple.com/en-us/HT211850 https://support.apple.com/en-us/HT212011 https://support.apple.com/en-us/HT212317 https://helpx.adobe.com/security/products/acrobat/apsb20-24.html https://helpx.adobe.com/security/products/acrobat/apsb20-48.html https://helpx.adobe.com/security/products/acrobat/apsb20-67.html

Presenters:

• Chuanda Ding - Senior Researcher, Tencent Security Xuanwu Lab
  Chuanda Ding is a senior security researcher on Windows platform security. He leads EcoSec team at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017, CanSecWest 2016, and QCon Beijing 2016. @FlowerCode_
• Yuebin Sun - Senior Researcher, Tencent Security Xuanwu Lab
  Yuebin Sun is a senior security researcher at Tencent Security Xuanwu Lab. @yuebinsun2020
• Zhipeng Huo - Senior Researcher, Tencent Security Xuanwu Lab
  Zhipeng Huo is a senior security researcher on macOS and Windows platform security at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018 and DEF CON 28. @R3dF09

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#huo
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Zhipeng Huo Yuebin Sun Chuanda Ding - Caught you - reveal and exploit IPC logic bugs inside Apple.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Zhipeng Huo Yuebin Sun Chuanda Ding - Caught you - reveal and exploit IPC logic bugs inside Apple.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Zhipeng Huo Yuebin Sun Chuanda Ding - Caught you - reveal and exploit IPC logic bugs inside Apple.srt (subtitles)
• https://www.youtube.com/watch?v=oAMZxKsZQp0

Similar Presentations:

• DEF CON 25 (2017) / Jailbreaking Apple Watch
• DEF CON 31 (2023) / The Nightmare of Apple's OTA Update: Bypassing the Signature Verification and Pwning the Kernel Canceled
• Black Hat Europe 2017 / Jailbreaking Apple Watch