Submit Search
Upload
CanSecWest 2017 - Port(al) to the iOS Core
ā¢
5 likes
ā¢
8,116 views
Stefan Esser
Follow
Introduction to a previously private iOS Kernel Exploitation Technique
Read less
Read more
Technology
Report
Share
Report
Share
1 of 51
Download now
Download to read offline
Recommended
Find your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
Ā
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
Ā
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
Ā
OS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
Ā
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
Ā
Reliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian
Ā
Page cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
Ā
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
Ā
Recommended
Find your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
Ā
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
Ā
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
Ā
OS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
Ā
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
Ā
Reliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian
Ā
Page cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
Ā
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
Ā
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
CODE BLUE
Ā
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
Ā
Blazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Brendan Gregg
Ā
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
Ā
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Russell Sanford
Ā
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
Ā
Sniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
Ā
Google V8 engine
Google V8 engine
XuĆ¢n Thu Nguyį» n
Ā
Linux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
Ā
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Kwen Won Lee
Ā
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
mao999
Ā
WSL Reloaded
WSL Reloaded
Anthony LAOU-HINE TSUEI
Ā
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
Kuniyasu Suzaki
Ā
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
Ā
Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
Ā
TDOH x å°ē§ pwnčŖ²ēØ
TDOH x å°ē§ pwnčŖ²ēØ
Weber Tsai
Ā
Return to dlresolve
Return to dlresolve
Angel Boy
Ā
Introduction to memcached
Introduction to memcached
Jurriaan Persyn
Ā
Percona toolkit
Percona toolkit
Karwin Software Solutions LLC
Ā
Fast boot
Fast boot
SZ Lin
Ā
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger
Ā
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
Sangho Park
Ā
More Related Content
What's hot
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
CODE BLUE
Ā
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
Ā
Blazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Brendan Gregg
Ā
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
Ā
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Russell Sanford
Ā
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
Ā
Sniffing Mach Messages
Sniffing Mach Messages
Mikhail Sosonkin
Ā
Google V8 engine
Google V8 engine
XuĆ¢n Thu Nguyį» n
Ā
Linux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
Ā
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Kwen Won Lee
Ā
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
mao999
Ā
WSL Reloaded
WSL Reloaded
Anthony LAOU-HINE TSUEI
Ā
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
Kuniyasu Suzaki
Ā
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
Ā
Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
Ā
TDOH x å°ē§ pwnčŖ²ēØ
TDOH x å°ē§ pwnčŖ²ēØ
Weber Tsai
Ā
Return to dlresolve
Return to dlresolve
Angel Boy
Ā
Introduction to memcached
Introduction to memcached
Jurriaan Persyn
Ā
Percona toolkit
Percona toolkit
Karwin Software Solutions LLC
Ā
Fast boot
Fast boot
SZ Lin
Ā
What's hot
(20)
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
[CB16] House of Einherjar :GLIBCäøć®ę°ććŖćć¼ćę“»ēØććÆćććÆ by ę¾é大ęع
Ā
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Ā
Blazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Ā
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Ā
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Ā
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Ā
Sniffing Mach Messages
Sniffing Mach Messages
Ā
Google V8 engine
Google V8 engine
Ā
Linux SMEP bypass techniques
Linux SMEP bypass techniques
Ā
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Overlapped IOģ IOCP ģ”°ģ¬ ė°ķ
Ā
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
0ē« Linuxć«ć¼ćć«ćčŖćåć«ęä½éē„ć£ć¦ććć¹ćććØ
Ā
WSL Reloaded
WSL Reloaded
Ā
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
ä»®ę³åęč”ć«ćććć«ć¦ć§ć¢åƾēćØćć®åé”ē¹
Ā
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Ā
Pwning in c++ (basic)
Pwning in c++ (basic)
Ā
TDOH x å°ē§ pwnčŖ²ēØ
TDOH x å°ē§ pwnčŖ²ēØ
Ā
Return to dlresolve
Return to dlresolve
Ā
Introduction to memcached
Introduction to memcached
Ā
Percona toolkit
Percona toolkit
Ā
Fast boot
Fast boot
Ā
Similar to CanSecWest 2017 - Port(al) to the iOS Core
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger
Ā
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
Sangho Park
Ā
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
Akihiro Suda
Ā
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Synack
Ā
Attack your Trusted Core
Attack your Trusted Core
Di Shen
Ā
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Codemotion
Ā
Kubernetes Architecture and Introduction ā Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā Paris Kubernetes Meetup
Stefan Schimanski
Ā
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
Ā
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Codemotion
Ā
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Luciano Resende
Ā
An Introduction to the Kubernetes API
An Introduction to the Kubernetes API
Stefan Schimanski
Ā
[CONFidence 2016] SÅawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SÅawomir Kosowski - Introduction to iOS Application Securit...
PROIDEA
Ā
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Liang Chen
Ā
Auditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
Ā
Operating Flink on Mesos at Scale
Operating Flink on Mesos at Scale
Biswajit Das
Ā
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP Workshop
Linaro
Ā
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
armmbed
Ā
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
Ā
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
Chris Simmonds
Ā
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Carlos Eduardo
Ā
Similar to CanSecWest 2017 - Port(al) to the iOS Core
(20)
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Ā
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
ė¦¬ė ģ¤ ėė¼ģ“ė² #2
Ā
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
Ā
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
Ā
Attack your Trusted Core
Attack your Trusted Core
Ā
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Luciano Resende - Scaling Big Data Interactive Workloads across Kubernetes Cl...
Ā
Kubernetes Architecture and Introduction ā Paris Kubernetes Meetup
Kubernetes Architecture and Introduction ā Paris Kubernetes Meetup
Ā
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
Ā
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jƶrg Schad - Codemotion Rome 2018
Ā
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Strata - Scaling Jupyter with Jupyter Enterprise Gateway
Ā
An Introduction to the Kubernetes API
An Introduction to the Kubernetes API
Ā
[CONFidence 2016] SÅawomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] SÅawomir Kosowski - Introduction to iOS Application Securit...
Ā
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Ā
Auditing the Opensource Kernels
Auditing the Opensource Kernels
Ā
Operating Flink on Mesos at Scale
Operating Flink on Mesos at Scale
Ā
HKG18-318 - OpenAMP Workshop
HKG18-318 - OpenAMP Workshop
Ā
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
mbed Connect Asia 2016 Developing IoT devices with mbed OS 5
Ā
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Ā
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
Ā
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Ā
More from Stefan Esser
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Stefan Esser
Ā
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
Stefan Esser
Ā
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Stefan Esser
Ā
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
Stefan Esser
Ā
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
Stefan Esser
Ā
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
Stefan Esser
Ā
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
Stefan Esser
Ā
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Stefan Esser
Ā
More from Stefan Esser
(8)
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
Ā
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
Ā
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Ā
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
Ā
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
Ā
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
Ā
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
Ā
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
Ā
Recently uploaded
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Ā
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
Ā
š¬ The future of MySQL is Postgres š
š¬ The future of MySQL is Postgres š
RTylerCroy
Ā
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Boston Institute of Analytics
Ā
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
The Digital Insurer
Ā
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Ā
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(āļø+971_581248768%)**%*]'#abortion pills for sale in dubai@
Ā
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
Ā
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
Ā
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Ā
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
Ā
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Ā
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
Ā
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĆŗjo
Ā
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
Ā
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Ā
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
Ā
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Ā
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Ā
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
apidays
Ā
Recently uploaded
(20)
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Ā
š¬ The future of MySQL is Postgres š
š¬ The future of MySQL is Postgres š
Ā
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Ā
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
Ā
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Ā
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
Ā
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Ā
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Ā
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Ā
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Ā
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Ā
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Ā
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Ā
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Ā
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
Ā
CanSecWest 2017 - Port(al) to the iOS Core
1.
Port(al) to the
iOS Core Introduction to a previously private iOS Kernel Exploitation Technique March, 2017
2.
| Ā© 2017
by ANTID0TE All rights reserved Who am I? ā¢ Stefan Esser ā¢ from Germany ā¢ in Information Security since 1998 ā¢ SektionEins GmbH from (2007 - 2016) ā¢ Antid0te UG (2013 - now) 2
3.
| Ā© 2017
by ANTID0TE All rights reserved What is this talk about? ā¢ a ānewā (set of) iOS kernel exploitation technique(s) ā¢ previously only discussed in my iOS Kernel Exploitation trainings ā¢ part of teaching material since around 2015 ā¢ trainee from Dec 2016 leaked it within one month to developers of Yalu ā¢ who then distributed an iOS 10.2 jailbreak using this technique in Jan 2017 3
4.
| Ā© 2017
by ANTID0TE All rights reserved Previous iOS Kernel Heap Feng Shui / Exploitation Techniques ā¢ BlackHat 2012 - iOS Kernel Heap Armageddon Revisited ā Author: Stefan Esser ā Idea: Fill kernel heap with C++ objects via OSUnserializeXML() and overwrite them ā Status: Apple mitigated but a slightly modified technique still usable in iOS 10 ā¢ Hack In The Box 2012 - iOS 6 Security ā Author(s): Mark Dowd / Tarjei Mandt ā Idea: Fill heap with vm_copy_t structures and get information leaks and extended buffer overflows from overwriting them ā Status: Apple added mitigations so that technique got less and less valuable 4
5.
| Ā© 2017
by ANTID0TE All rights reserved Status of public iOS Kernel Exploitation ā¢ everybody is using the public heap feng shui techniques ā¢ bugs are often overflows or UAF ā¢ exploitation often targets vm_map_copy_t or kernel C++ objects ā¢ Apple keeps adding mitigations against the publicly seen techniques ā¢ public techniques become less and less usable ā” we need a different / new technique 5
6.
| Ā© 2017
by ANTID0TE All rights reserved Ingredients of our Kernel Exploitation Technique(s) 1. idea for a different / new kernel data structure to attack 2. way to fill the kernel heap with this structure or pointers to it 3. strategy how to continue once overwritten 6
7.
| Ā© 2017
by ANTID0TE All rights reserved What Kernel Data Structure should we attack? ā¢ there are for sure many data structures in the kernel ā¢ but when you look at the Mach part of the kernel ā¢ one data structure jumps into your face immediately ā” mach ports! 7
8.
What are Mach
Ports?
9.
| Ā© 2017
by ANTID0TE All rights reserved What are Mach Ports? ā¢ likely the most important data structure in Mach part of kernel ā¢ have multiple purposes ā act like handles to kernel objects / subsystems ā allow sending / receiving messages for IPC ā¢ stored internally in ipc_port_t structure 9
10.
| Ā© 2017
by ANTID0TE All rights reserved ipc_port_t (I) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 10 struct ipc_port { /* * Initial sub-structure in common with ipc_pset * First element is an ipc_object second is a * message queue */ struct ipc_object ip_object; struct ipc_mqueue ip_messages; union { struct ipc_space *receiver; struct ipc_port *destination; ipc_port_timestamp_t timestamp; } data; union { ipc_kobject_t kobject; ipc_importance_task_t imp_task; uintptr_t alias; } kdata; struct ipc_port *ip_nsrequest; struct ipc_port *ip_pdrequest; struct ipc_port_request *ip_requests; struct ipc_kmsg *ip_premsg; mach_port_mscount_t ip_mscount; mach_port_rights_t ip_srights; mach_port_rights_t ip_sorights;
11.
| Ā© 2017
by ANTID0TE All rights reserved ipc_port_t (II) IPC ports are internally hold in the following structure defined in /osfmk/ipc/ipc_port.h 11 natural_t ip_sprequests:1, /* send-possible requests outstanding */ ip_spimportant:1, /* ... at least one is importance donating */ ip_impdonation:1, /* port supports importance donation */ ip_tempowner:1, /* dont give donations to current receiver */ ip_guarded:1, /* port guarded (use context value as guard) */ ip_strict_guard:1, /* Strict guarding; Prevents user manipulation of context values directly */ ip_reserved:2, ip_impcount:24; /* number of importance donations in nested queue */ mach_vm_address_t ip_context; #if MACH_ASSERT #define IP_NSPARES 4 #define IP_CALLSTACK_MAX 16 queue_chain_t ip_port_links; /* all allocated ports */ thread_t ip_thread; /* who made me? thread context */ unsigned long ip_timetrack; /* give an idea of "when" created */ uintptr_t ip_callstack[IP_CALLSTACK_MAX]; /* stack trace */ unsigned long ip_spares[IP_NSPARES]; /* for debugging */ #endif /* MACH_ASSERT */ };
12.
| Ā© 2017
by ANTID0TE All rights reserved ipc_object_t (I) common data structure for IPC objects like ports defined in /osfmk/ipc/ipc_object.h 12 /* * The ipc_object is used to both tag and reference count these two data * structures, and (Noto Bene!) pointers to either of these or the * ipc_object at the head of these are freely cast back and forth; hence * the ipc_object MUST BE FIRST in the ipc_common_data. * * If the RPC implementation enabled user-mode code to use kernel-level * data structures (as ours used to), this peculiar structuring would * avoid having anything in user code depend on the kernel configuration * (with which lock size varies). */ struct ipc_object { ipc_object_bits_t io_bits; ipc_object_refs_t io_references; lck_spin_t io_lock_data; };
13.
| Ā© 2017
by ANTID0TE All rights reserved Ports as Handles to Kernel Objects / Data Structures ā¢ io_bits field filled with kobject type ā¢ receiver field points to ipc_space_kernel ā¢ kobject field points to kernel data structure 13
14.
| Ā© 2017
by ANTID0TE All rights reserved Possible Kobject Types IPC Kobject types are defined in /osfmk/ipc/ipc_kobject.h 14 #define IKOT_NONE 0 #define IKOT_THREAD 1 #define IKOT_TASK 2 #define IKOT_HOST 3 #define IKOT_HOST_PRIV 4 #define IKOT_PROCESSOR 5 #define IKOT_PSET 6 #define IKOT_PSET_NAME 7 #define IKOT_TIMER 8 #define IKOT_PAGING_REQUEST 9 #define IKOT_MIG 10 #define IKOT_MEMORY_OBJECT 11 #define IKOT_XMM_PAGER 12 #define IKOT_XMM_KERNEL 13 #define IKOT_XMM_REPLY 14 #define IKOT_UND_REPLY 15 #define IKOT_HOST_NOTIFY 16 #define IKOT_HOST_SECURITY 17 #define IKOT_LEDGER 18 #define IKOT_MASTER_DEVICE 19 #define IKOT_TASK_NAME 20 #define IKOT_SUBSYSTEM 21 #define IKOT_IO_DONE_QUEUE 22 #define IKOT_SEMAPHORE 23 #define IKOT_LOCK_SET 24 #define IKOT_CLOCK 25 #define IKOT_CLOCK_CTRL 26 #define IKOT_IOKIT_SPARE 27 #define IKOT_NAMED_ENTRY 28 #define IKOT_IOKIT_CONNECT 29 #define IKOT_IOKIT_OBJECT 30 #define IKOT_UPL 31 #define IKOT_MEM_OBJ_CONTROL 32 #define IKOT_AU_SESSIONPORT 33 #define IKOT_FILEPORT 34 #define IKOT_LABELH 35 #define IKOT_TASK_RESUME 36 #define IKOT_VOUCHER 37 #define IKOT_VOUCHER_ATTR_CONTROL 38
15.
| Ā© 2017
by ANTID0TE All rights reserved Examples ā¢ kobject always points to an IKOT specified data structure 15
16.
What are Mach
Messages?
17.
| Ā© 2017
by ANTID0TE All rights reserved What are Mach Messages? ā¢ data structures sent to or received from Mach Ports ā header with routing information for kernel ā optionally descriptors for COMPLEX messages ā data that is only between sender and receiver ā¢ used for IPC and the Mach API ā¢ sent to kernel via mach traps 17
18.
| Ā© 2017
by ANTID0TE All rights reserved Simple vs. Complex Messages ā¢ simple messages are just data blobs ā¢ complex messages contain descriptors with special meaning for kernel ā MACH_MSG_PORT_DESCRIPTOR - embedding a port in a message ā MACH_MSG_OOL_DESCRIPTOR - attaching OOL data to message ā MACH_MSG_OOL_PORTS_DESCRIPTOR - attaching OOL ports array to message 18 typedef struct { mach_msg_header_t header; char body[]; } mach_msg_simple_t; typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_descriptor_t desc[x]; char data[]; } mach_msg_complex_t;
19.
| Ā© 2017
by ANTID0TE All rights reserved Mach Message Header 19 typedef struct { mach_msg_bits_t msgh_bits; mach_msg_size_t msgh_size; mach_port_t msgh_remote_port; mach_port_t msgh_local_port; mach_port_name_t msgh_voucher_port; mach_msg_id_t msgh_id; } mach_msg_header_t; where to send to where to get reply from id between sender and receiver
20.
| Ā© 2017
by ANTID0TE All rights reserved Sending and Receiving Messages ā¢ Mach messages are sent via mach traps 20 mach_msg_return_t mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_size; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_return_t mach_msg_overwrite(msg, option, send_size, rcv_limit, rcv_name, timeout, notify, rcv_msg, rcv_scatter_size) mach_msg_header_t *msg; mach_msg_option_t option; mach_msg_size_t send_size; mach_msg_size_t rcv_limit; mach_port_t rcv_name; mach_msg_timeout_t timeout; mach_port_t notify; mach_msg_header_t *rcv_msg; mach_msg_size_t rcv_scatter_size;
21.
| Ā© 2017
by ANTID0TE All rights reserved Sending Mach Messages (Function Overview) 21
22.
| Ā© 2017
by ANTID0TE All rights reserved What is the Mach API? ā¢ programming interface offering huge number of functions ā¢ internally converts C style function calls into messages ā¢ first parameter is always the kernel object port to send message to ā¢ usually they manipulate the objects behind the kernel object ports ā¢ special code path detects if receiver=ipc_space_kernel ā¢ headerās id field selects what API is called 22
23.
| Ā© 2017
by ANTID0TE All rights reserved Mach API Example: vm_write() ā¢ C level call to vm_write() automatically converted into Mach message ā target_task set as remote port ā id set to 3807 23 typedef struct { mach_msg_header_t Head; /* start of the kernel processed data */ mach_msg_body_t msgh_body; mach_msg_ool_descriptor_t data; /* end of the kernel processed data */ NDR_record_t NDR; vm_address_t address; mach_msg_type_number_t dataCnt; } __Request__vm_write_t; kern_return_t vm_write (vm_task_t target_task, vm_address_t address, pointer_t data, mach_msg_type_number_t data_count);
24.
Heap-Feng-Shui for Ports?
25.
| Ā© 2017
by ANTID0TE All rights reserved Ports as Target ā¢ kernel object ports point to kernel data structures ā¢ overwriting/replacing them would allow calling APIs on fake data structures ā¢ wide variety of IKOT types means many types to choose from ā IKOT_FILEPORT - fileglob structure has function pointer list ā IKOT_IOKIT_CONNECT - C++ object with vtable pointer ā ā¦ 25
26.
| Ā© 2017
by ANTID0TE All rights reserved Filling the Heap with Ports? ā¢ so should we create a lot of ports to fill the heap? ā¢ would be possible but ports are stored in their own memory zone ā¢ memory corruptions usually involve other memory zones ā¢ cross zone attacks are possible but not KISS ā” letās add a level of indirection 26
27.
| Ā© 2017
by ANTID0TE All rights reserved Filling the Heap with Pointers to Ports? ā¢ instead of filling the heap with ipc_port_t structures fill it with pointers ā¢ overwriting a pointer to an ipc_port_t still allows to create a fake port ā¢ idea is that pointers are likely allocated in same memory zones as buffers ā¢ when in same memory zone exploitation gets a lot easier 27
28.
| Ā© 2017
by ANTID0TE All rights reserved How to fill the memory with Port pointers? ā¢ we can fill the memory with pointers to ports by Mach messages ā¢ we use MACH_MSG_OOL_PORTS_DESCRIPTOR for this ā¢ kernel will allocate memory via kalloc() to store pointers in memory ā¢ arbitrary sized allocations by sending right amount of ports 28 /* calculate length of data in bytes, rounding up */ ports_length = count * sizeof(mach_port_t); names_length = count * sizeof(mach_port_name_t); if (ports_length == 0) { return user_dsc; } data = kalloc(ports_length);
29.
| Ā© 2017
by ANTID0TE All rights reserved How to fill the memory with Port pointers? (II) ā¢ sending enough messages will fill up the heap pretty quickly ā¢ we can send MACH_PORT_NULL or MACH_PORT_DEAD 29
30.
| Ā© 2017
by ANTID0TE All rights reserved Poking holesā¦ ā¢ poking holes in the allocation is done by receiving selected messages ā¢ kernel code will free the previously allocated memory ā¢ deallocation is fine grained because we select what messages to receive ā¢ keep in mind the heap randomization since iOS 9.2 30 /* copyout to memory allocated above */ void *data = dsc->address; if (copyoutmap(map, data, rcv_addr, names_length) != KERN_SUCCESS) *mr |= MACH_MSG_VM_SPACE; kfree(data, ports_length);
31.
| Ā© 2017
by ANTID0TE All rights reserved Corrupting Port Pointers ā¢ when messages are received all ports within are registered in IPC space ā¢ corrupting any of the allocated pointer lists allows injecting a fake port ā¢ user space can access the fake port 31 /* copyout port rights carried in the message */ for ( i = 0; i < count ; i++) { ipc_object_t object = (ipc_object_t)objects[i]; *mr |= ipc_kmsg_copyout_object(space, object, disp, &names[i]); }
32.
Faking Ports
33.
| Ā© 2017
by ANTID0TE All rights reserved How to fake a port? (I) ā¢ fake pointer must point to something that looks like a port ā¢ we need to setup a number of fields for our port to work ā io_bits - select one of the possible types and make it active ā io_references - better give it some references ā io_lock_data - must be valid lock data ā kobject - pointer to a fake data structure ā receiver - we cannot fill out because we donāt know ipc_space_kernel 33
34.
| Ā© 2017
by ANTID0TE All rights reserved How to fake a port? (II) ā¢ fake port and fake data must be in attacker controlled memory ā¢ it is required to know address of that memory ā¢ easy to do for 64 bit devices (except iPhone 7) because of user land dereferences ā¢ requires additional information leaks for iPhone 7 and 32 bit devicesāØ (unless already privileged outside the sandbox) 34
35.
| Ā© 2017
by ANTID0TE All rights reserved What can we do with such a faked port? ā¢ because we cannot fill in receiver not a fully usable port ā¢ it works fine when used as argument to ā syscalls ā mach traps ā as additional parameter Mach API (not 1st argument) ā¢ but it will NOT work as first argument to a MachAPIāØ (for this we need the receiver to be ipc_space_kernel) 35
36.
| Ā© 2017
by ANTID0TE All rights reserved Some Examples ā¢ some examples of ports we can fake ā IKOT_IOKIT_CONNECT - driver connection to a IOUserClient derived object ā IKOT_CLOCK - clock object ā IKOT_TASK - task object 36
37.
| Ā© 2017
by ANTID0TE All rights reserved Faking IOKit Driver Connection Ports ā¢ ports of type IKOT_IOKIT_CONNECT can be used via iokit_user_client_trap() ā¢ kobject pointer points to a C++ object ā¢ good target because it allows control of the method table ā¢ see āHITB2013 - Tales from iOS 6 Exploitationā for example 37
38.
| Ā© 2017
by ANTID0TE All rights reserved Faking Clock Ports (I) ā¢ ports of type IKOT_CLOCK can be used via clock_sleep_trap() ā¢ kobject pointer points to a struct clock ā¢ looks like a good target because there is a function pointer list 38 /* * Actual clock object data structure. Contains the machine * dependent operations list and clock operation ports. */ struct clock { clock_ops_t cl_ops; /* operations list */ struct ipc_port *cl_service; /* service port */ struct ipc_port *cl_control; /* control port */ }; pointer to list of function pointers
39.
| Ā© 2017
by ANTID0TE All rights reserved Faking Clock Ports (II) ā¢ code of clock_sleep_internal() will not allow a fake clock struct ā¢ only the valid SYSTEM_CLOCK pointer is accepted ā¢ otherwise function errors out - triggering code execution not possible 39 validation against our fake clock struct pointer if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE);
40.
| Ā© 2017
by ANTID0TE All rights reserved if (clock == CLOCK_NULL) return (KERN_INVALID_ARGUMENT); if (clock != &clock_list[SYSTEM_CLOCK]) return (KERN_FAILURE); /* * Check sleep parameters. If parameters are invalid * return an error, otherwise post alarm request. */ (*clock->cl_ops->c_gettime)(&clock_time); chkstat = check_time(sleep_type, sleep_time, &clock_time); if (chkstat < 0) return (KERN_INVALID_VALUE); Faking Clock Ports (III) ā¢ wait a second! ā¢ a wrong clock pointer will lead to KERN_FAILURE ā¢ a good pointer with bad other arguments leads to KERN_INVALID_VALUE 40 error if our pointer is not pointing to the SYSTEM_CLOCK error if our pointer was okay but other arguments bad
41.
| Ā© 2017
by ANTID0TE All rights reserved Faking Clock Ports (IV) ā¢ if we can change kobject we can bruteforce the SYSTEM_CLOCK address ā¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā¢ this reveals pointer inside kernel image and therefore breaks KASLR 41 our_fake_port->io_bits = IKOT_CLOCK | IO_BITS_ACTIVE; our_fake_port->kobject = low_kernel_address; while (1) { our_fake_port->kobject+= 8; kret = clock_sleep_trap(magicport, 0x12345, 0, 0, NULL); if (kret != KERN_FAILURE) { break; } }
42.
| Ā© 2017
by ANTID0TE All rights reserved Faking Task Ports (I) ā¢ ports of type IKOT_TASK have kobject pointer pointing to a task struct ā¢ unfortunately cannot be used directly in task Mach API functions ā¢ but there are other usages like āØ āØ pid_for_task() - return the pid for a given task 42 t1 = port_name_to_task(t); if (t1 == TASK_NULL) { err = KERN_FAILURE; goto pftout; } else { p = get_bsdtask_info(t1); if (p) { pid = proc_pid(p); reads pointer to struct proc from our fake struct task returns pid from without struct proc
43.
| Ā© 2017
by ANTID0TE All rights reserved Faking Task Ports (II) ā¢ our fake IKOT_TASK port points to a fake task struct ā¢ the bsd_info fields points anywhere in memory ā¢ pid_for_task() will read back at offset 0x10 ā¢ allows to read from anywhere in kernel memory 43
44.
| Ā© 2017
by ANTID0TE All rights reserved Faking Task Ports (III) ā¢ if we can change kobject we can read everything ā¢ userland dereference makes this easy on 64 bit pre iPhone 7 ā¢ this allows to read important variables like ipc_space_kernel ā¢ this means afterwards we can use Mach API with our fake port 44
45.
Our Port(al) to
the Core Kernel Task Port
46.
| Ā© 2017
by ANTID0TE All rights reserved Kernel Task Port ā¢ among all the ports in an iOS system the kernel task port is the holy grail ā¢ with access to the kernel task port we can manipulate the kernel memory ā vm_read - allows reading kernel memory ā vm_write - allows writing kernel memory ā vm_allocate - allows allocating memory inside the kernel address space ā ā¦ ā¢ whoever has access to the kernel task port more or less controls the system ā¢ to turn out fake task port into a kernel task port we need to know kernel_task and ipc_space kernel 46
47.
| Ā© 2017
by ANTID0TE All rights reserved Attack Plan for 64 bit devices (except iPhone 7) ā¢ Corruption Phase - perform heap feng shui with OOL_PORTS_DESCRIPTORS - corrupt any of the āsprayedā port pointers - receive all messages to get access to port ā¢ Post Corruption Phase - fake a CLOCK port to break KASLR - via bruteforce of clock address - fake a TASK port and TASK struct to have arbitrary kernel read - read ipc_space_kernel and kernel_task - fake a kernel TASK port 47
48.
| Ā© 2017
by ANTID0TE All rights reserved Faking the KERNEL TASK Port (I) ā¢ with ipc_space_kernel our fake ports can be used in Mach API ā¢ with kernel_task we can fake a kernel task port ā¢ mach API gives us read/write access to kernel memory ā¢ Game Over! 48
49.
Conclusion
50.
| Ā© 2017
by ANTID0TE All rights reserved Conclusion ā¢ overwriting port pointers ā allows to gain code execution ā or full read write access to kernel memory ā¢ heap feng shui with mach messages and OOL_PORTS_DESCRIPTOR ā gives fine grained control over heap ā fills heap with port pointers that when corrupted ā¢ post corruption code is fully reusable for different corruptions (64bit before i7) 50
51.
Questions ? www.antid0te.com stefan@antid0te.com Ā© 2017
by ANTID0TE. All rights reserved
Download now