Exploiting User-land vulnerabilities to Get Rogue App Installed Remotely on iOS 11

Presented at REcon 2018, June 16, 2018, 1 p.m. (60 minutes)

Apple has introduced several security enhancements to mitigate known attacks in iOS 11. Those enhancements include reducing attack surfaces from Apple sandbox, adding kernel protection mechanism, etc. As a result, chaining a series of vulnerabilities to defeat all iOS’s defense in depth became harder and harder. Furthermore, thanks to the enforced code signing requirement by Apple, a kernel exploit is usually needed to run unsigned applications on iOS system. And even on the fully compromised iOS system, in most cases the exploit can not persist upon a reboot.

During Mobile Pwn2Own 2017, we (KeenLab) remotely pwned iOS 11 system twice - one by exploiting the browser, another by exploiting the WIFI - each only involved one click by the user. We broke Apple sandbox after achieving in-sandbox code execution, then install a rogue application and bypass the code signing requirement. The application installed can persist upon reboot. Surprisingly all the bugs we used in the whole chain are all from user-land.

In this talk we will discuss the whole strategy to achieve this. We will disclose the details of the vulnerability we used to break sandbox (CVE-2017-7162), a double free vulnerability in IOKit framework. The bug needs to be exploited by the approach of racing on a separate thread, but by our advanced exploit techniques we got 100% reliable exploitation. We will also talk about our approach to install application and code signing bypass. We will do a demo to illustrate our techniques.

Presenters:

• Marco Grassi
  Marco Grassi is currently a Senior Security Researcher of the Keen Lab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo for Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. He found a VMWare escape at Desktop pwn2own 2017, and baseband RCE and wifi iOS at Mobile pwn2own 2017 where we were awarded "Master Of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, Defcon, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon. You can find him on Twitter at @marcograss.
• Liang Chen
  Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has a strong research experience on software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation including Safari, Chrome, Internet Explorer, etc on both PC and mobile platform. Also Liang researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2own 2016. Liang led the team to win "Master of Pwn" in Mobile Pwn2Own 2016 and Mobile Pwn2Own 2017. Liang is also the winner of iPhone Safari category in Mobile Pwn2own 2013 and Mavericks Safari category in Pwn2Own 2014. Liang developed Keen Jailbreak for iOS 10.3.2 and iOS 11.1.1. Liang has spoken at several security conferences including XCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015/2016/2017, BlackHat 2016, RECon 2016, Infiltrate 2017 etc.

Links:

• https://recon.cx/2018/montreal/schedule/events/113.html

Similar Presentations:

• Black Hat USA 2014 / Exploiting Unpatched iOS Vulnerabilities for Fun and Profit
• DEF CON 26 (2018) / Fasten your seatbelts: We are escaping iOS 11 sandbox!
• DEF CON 24 (2016) / A Journey Through Exploit Mitigation Techniques in iOS