Due to iMessage's end-to-end encryption, it is hard to detect exploits. An attacker only needs a phone number and iMessage in its default configuration. #36c3 pic.twitter.com/TeyvaPA9RO
First you need an exploit; Samuel goes into detail on how he did this with IDA and other techniques. He also touches on the iMessage data format, which is complex XML. #36c3 pic.twitter.com/izJNnAMlNu
iMessage uses NSKeyedUnarchiver, which has had many bugs in the past. It is extremely complex and supports cyclic relationships, which makes it a prime target for an exploit. #36c3 pic.twitter.com/qhMibCwjDv
Timeline of the exploits that were developed by Samuel and Natalie and how Apple responded and patched the issues. They disallowed subclasses from being decoded, which reduced the attack surface significantly. #36c3 pic.twitter.com/aGzbMd2vou
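Added example, not code from the talk or this thread: a pre-decode validator, written in Python over the NSKeyedArchiver plist structure, that enforces the two properties the last two tweets describe, an exact class allowlist (so a subclass such as SharedKeyDictionary is refused) and rejection of reference cycles in the object graph. The allowlist, `check_archive` and the two constructed archives are assumptions for illustration, not Apple's implementation.

```python
import plistlib
from plistlib import UID
# Constructed allowlist of classes the receiver will instantiate. Exact match only: a
# subclass such as SharedKeyDictionary (a child of NSDictionary) is rejected, as in the fix.
ALLOWED_CLASSES = {"NSDictionary", "NSMutableDictionary", "NSArray", "NSMutableArray", "NSString", "NSNumber", "NSData"}

def _refs(value):
    """Yield the UIDs one $objects entry references (ignoring its $class)."""
    if isinstance(value, UID):
        yield value
    elif isinstance(value, (dict, list)):
        kids = [v for k, v in value.items() if k != "$class"] if isinstance(value, dict) else value
        for v in kids:
            yield from _refs(v)

def check_archive(data):
    """Walk an NSKeyedArchiver plist from $top; return violations (empty list = ok)."""
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        return ["not an NSKeyedArchiver plist"]
    objects, problems, finished = plist["$objects"], [], set()
    def visit(uid, path):
        idx = uid.data
        if idx in path:                       # back edge: a reference cycle
            problems.append(f"cycle through object {idx}")
            return
        if idx in finished or idx >= len(objects):
            return
        obj = objects[idx]
        if isinstance(obj, dict) and isinstance(obj.get("$class"), UID):
            cls = objects[obj["$class"].data]  # class descriptor entry
            if cls.get("$classname") not in ALLOWED_CLASSES:
                problems.append(f"disallowed class {cls.get('$classname')} (hierarchy {cls.get('$classes')})")
        for ref in _refs(obj):
            visit(ref, path | {idx})
        finished.add(idx)
    for root in plist.get("$top", {}).values():
        if isinstance(root, UID):
            visit(root, frozenset())
    return problems

def _archive(objects):  # wrap a constructed $objects table in the archiver envelope
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$version": 100000, "$top": {"root": UID(1)},
                           "$objects": objects}, fmt=plistlib.FMT_BINARY)
# Constructed benign archive: an NSDictionary {"text": "hi"}.
BENIGN = _archive(["$null", {"NS.keys": [UID(2)], "NS.objects": [UID(3)], "$class": UID(4)}, "text", "hi",
                   {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]}])
# Constructed suspect archive: a SharedKeyDictionary whose only value points back at itself.
SUSPECT = _archive(["$null", {"NS.keys": [UID(2)], "NS.objects": [UID(1)], "$class": UID(3)}, "k",
                    {"$classname": "SharedKeyDictionary",
                     "$classes": ["SharedKeyDictionary", "NSDictionary", "NSObject"]}])
```

`check_archive(BENIGN)` returns an empty list, while `check_archive(SUSPECT)` reports both the disallowed subclass and the cycle before any object is instantiated.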
The vulnerable SharedKeyDictionary subclass has issues with unnecessary recursion. When it runs the lookup function it accesses memory that it shouldn't be allowed to access, which can be used to exploit it. #36c3 pic.twitter.com/rO9meLkl44
This vulnerability can be exploited to get code execution by controlling the instruction pointer. #36c3 pic.twitter.com/i6RLJ8jjYy
Next challenge: how do we get past ASLR, since addresses are randomized? An ASLR bypass is needed to get around this issue. Heap spraying can be used on iOS, which exploits the low entropy of the heap base. #36c3 pic.twitter.com/bGCND3FlQR
Need to know where the dyld shared cache is mapped for a successful exploit. It will always be mapped between 0x180000000 and 0x280000000. Addresses are only randomized during boot. #36c3 pic.twitter.com/92UnPzXC0F
An oracle can be used to get around ASLR, with a binary search once an address has been found. Where do we find this address? iMessage delivery receipts with message states can help with this. #36c3 pic.twitter.com/YIpBjvVuUe
Once addresses are found in the shared cache, they can be used to crash the process to trigger a remote ASLR bypass. Crashes are not visible to users, and crash logs are limited to 25 per service. #36c3 pic.twitter.com/LWRMuK2twH
Pointer Authentication is a new security feature that stores a cryptographic signature which can be used for validation on access. This requires CPU support only available in the iPhone XS (2018) and later. #36c3 pic.twitter.com/Dv1UlpGz79
Samuel talks about how Pointer Authentication can be bypassed by impersonating another class or pointer. Destructors could be used to bypass it as well. #36c3 pic.twitter.com/ZuT9dnPU1v
Can sandboxing be an issue? Messages are handled by different services and frameworks. Several processes like SpringBoard are not sandboxed, which has been fixed in iOS 13. #36c3 pic.twitter.com/LiIhvJpnXP
Calculator pops open in the exploit demo. Trying this in the kernel is hard due to code signing, and JIT can't be abused because it isn't running in WebContent. #36c3 pic.twitter.com/MUuI2mQ38p
How do we fix these kinds of vulnerabilities? ASLR needs to improve, as weak ASLR (not just in iOS) can be abused for code execution. More entropy will make heap spraying more difficult, and since it only changes per boot this can make it easy to break. #36c3 pic.twitter.com/rUVJ5D5W8C
Anything that is on a 0-click attack surface should be sandboxed, but info leaks need to be considered too, by disallowing network activity in sandboxed processes. #36c3 pic.twitter.com/6CgSps9ZkK
Message platforms should also allow you to block unknown senders, which can limit who could send a message exploit to a client. #36c3 pic.twitter.com/GpPagIyhQh