The presentation will reveal the journey towards sandbox escape, covering different approaches, methods and tools.
Although Apple’s sandbox may seem the “safest”, we decided to research interesting and not well known IPC. Looking at the history of iOS vulnerabilities, many of them were discovered in XPC, so we decided to turn to the mach message mechanism Apple still uses and to the poorly designed daemons built on mach message IPC. With all of this in mind, we started to research all the mach ports accessible from within the sandbox, and it revealed a new world to explore.
In order to better understand the different mach message handlers, we created several research tools that we are willing to share with the community. Those scripts were the key and the breakthrough in revealing the backend of most of Apple’s APIs between the sandbox and the daemons.

We will also share several vulnerabilities found during the research, focusing mainly on the vulnerability that leads to execution of arbitrary code in most of the daemons outside the sandbox, for example sharingd, coreduetd, SpringBoard, mDNSResponder, aggregated, wifid, Preferences, CommCenter, iaptransportd, findmydeviced, routined, UserEventAgent, carkitd, mediaserverd, bluetoothd and so on. The vulnerability gives full control of PC and of several registers in the vulnerable daemons, and it exists on all of Apple’s mobile devices (iOS, watchOS and tvOS). We will cover possible exploitation and reveal the gadgets needed for a full chain. Moreover, because the vulnerability itself hijacks the session between bluetoothd and its clients, the same technique can be used not only to pwn the device but also to obtain sensitive information that may not be accessible to applications from within the sandbox.

Even after the fix from Apple’s side, it seems that Apple does not fully understand mach messages: the fix is not sufficient and the mechanism may still be vulnerable. Two vulnerabilities were acknowledged by Apple, CVE-2018-4087 and CVE-2018-4095, and were fixed in the latest version (11.2.5).