Ian Beer

hello #35C3

A blog post about turning back the clock to 2014, and thinking about what 2022 might be like: https://googleprojectzero.blogspot.com/2018/10/deja-xnu.html …

And if you're using the mptcp/vfs exploits for security research (eg with Electra 11.3.1) you should just keep using that. I'll release the 11.4.1 exploits I have but the focus will shift to iOS 12 now :)

The iOS 12 security bulletin seems to only include iOS-only bugs this time (as opposed to those which affect iOS *and* MacOS.) There are far more fixes in iOS 12 than are mentioned, including a nasty logic bug to break you out of the app sandbox. Update your personal devices!

I'd love to get a chance to sit down with you and discuss how together we can make iOS even more secure for all our users. Cheers, Ian Beer.

Please read README_KDP before trying to use this. There are many limitations, but I have found it useful for vulnerability research nevertheless.

Here's an updated version of async_wake with a more usable KDP-based kernel debugger: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c17 …

Slides from my #MOSEC2018 talk "build your own iOS kernel debugger": https://bugs.chromium.org/p/project-zero/issues/attachment?aid=346425&signed_aid=drSMyPfPWvCZgYKtiwI2iA== …

Fixing that in combination with enabling 20 spinner threads seems to show reliability closer to 50% in some very unscientific testing, but I'm sure there are still plenty of bugs. @Externalist's writeup had plenty more good ideas for improving reliability.

credit to @Externalist for spotting a bug in empty_list: on devices with 16k pages there are 0x61 ipc_port allocations per zone refill (not sure where 0xe0 came from...); so it should look like this: int ports_per_zcram = kernel_page_size == 0x1000 ? 0x49 : 0x61;

empty_list, a proof-of-concept exploit for the getvolattrlist iOS 11.3.1 kernel bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1564 … Please read the README.

(footnote: for the vfs bug technically you can control a handful of bits in the 8 overflow bytes, the overflow value is actually two 4 byte flag fields. This may or may not help.)

Finally: always keep your personal iOS devices up to date and only use these tools on devices which don't have any personal information and are only used for research.

The trigger is here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1564 … If you're in to iOS exploit dev take a go at it and blog about it! I'll publish what I have soon, hopefully this week.

see eg The Poisoned Nul Byte, 2014 by @scarybeasts https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html … . But it takes time. The mptcp exploit is mostly recycled bits of earlier exploits. The getvolattrlist bug needs some new techniques.

The vfs bug doesn't require an Apple developer cert but is considerably harder to exploit. You get to write 8 NULL bytes off the end of a kalloc.16 buffer. It's sufficiently hard to exploit that it's worth trying just to demonstrate that such issues are reliably exploitable...