Apple's Predicament: NSPredicate Exploitation on macOS and iOS

Presented at DEF CON 31 (2023), Aug. 12, 2023, 11:30 a.m. (45 minutes)

In 2021 the FORCEDENTRY sandbox escape introduced the usage of NSPredicate in an iOS exploit. This new technique allowed attackers to sidestep codesigning, ASLR, and all other mitigations to execute arbitrary code on Apple devices. As a result, Apple put in place new restrictions to make NSPredicate less powerful and less useful for exploits. This presentation will cover new research showing that these added restrictions could be completely circumvented in iOS 16, and how NSPredicates could be exploited to gain code execution in many privileged iOS processes. This technical deep dive will be a rare instance of iOS security that anyone can comprehend without years of experience. After an overview of the classes involved, we will explore the full syntax of NSPredicate and cover how it can be used to script the Objective-C runtime and even call any C function. It will be shown that PAC can still be bypassed 100% reliably with NSPredicates in order to execute any function with arbitrary arguments. A new tool will be unveiled to help craft complex NSPredicates to execute arbitrary code and inject those predicates in any application. Additionally, a demonstration will be given which executes arbitrary code in the highly privileged Preferences app. Finally, the talk will cover a bypass of NSPredicateVisitor implementations which allows a malicious process to evaluate any NSPredicate within several system processes including coreduetd, appstored, OSLogService, and SpringBoard. Next there will be a live demo of exploiting SpringBoard to steal a user’s notifications and location data. The presentation will end with some discussion about what can still be done with NSPredicates now that these issues have been fixed, including bypassing App Store Review, and what app developers should know to keep their own apps safe. REFERENCES: NSPredicate - https://developer.apple.com/documentation/foundation/nspredicate?language=objc See No Eval: Runtime Dynamic Code Execution in Objective-C by CodeColorist - https://codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/ FORCEDENTRY: Sandbox Escape by Ian Beer & Samuel Groß of Google Project Zero - https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html

Presenters:

• Austin Emmitt - Senior Security Researcher at Trellix Advanced Research Center
  Austin Emmitt is a vulnerability researcher with a background in mobile security. He has found critical vulnerabilities in Android, iOS, and other platforms. He is also the creator of the radius2 symbolic execution framework.

Links:

• https://forum.defcon.org/node/245734

Similar Presentations:

• Black Hat USA 2015 / TrustKit: Code Injection on iOS 8 for the Greater Good
• DEF CON 26 (2018) / Fasten your seatbelts: We are escaping iOS 11 sandbox!
• Black Hat USA 2016 / Pangu 9 Internals