Kernel Exploitation on Apple's M1 chip

Presented at Objective by the Sea version 4.0 (2021), Sept. 30, 2021, 3:25 p.m. (25 minutes)

As the Mac product line gradually enters the M1 chip era, the macOS security of the arm64e architecture is beginning to approach iOS. The mitigations that only existed on iOS in the past are now also applicable to macOS. As well as... the vulnerabilities that only affected iOS in the past are now also brought into macOS. Lol.

AppleAVE2 (AVEVideoEncoder) is a graphics IOKit driver that runs in kernel space and exists only on iOS and M1 chip-based Macs. The complexity of the driver itself and the extensive use of user-kernel memory mapping make it a desirable target for kernel exploitation. I used it to develop kernel exploits for iOS 12 and iOS 13 Jailbreak. CVE-2019-8795, CVE-2020-9907, CVE-2020-9907b.

This talk will explain in detail how Apple "fixed" the AppleAVE2 driver and how we can exploit AppleAVE2 once again to achieve kernel r/w on an M1 MacBook. Lastly, I'll share some of my thoughts on post-exploitation.


Presenters:

  • 08Tc3wBB - Bug Bounty Hunter and a Security Researcher at ZecOps
    08tc3wbb is a Bug Bounty Hunter and a Security Researcher at ZecOps, investigating potential attacks and developing various exploits for macOS and iOS.
