lecture: Exploiting User-land vulnerabilities to Get Rogue App Installed Remotely on iOS 11
Apple has introduced several security enhancements to mitigate known attacks in iOS 11. Those enhancements include reducing the attack surface reachable from the Apple sandbox, adding kernel protection mechanisms, etc. As a result, chaining a series of vulnerabilities to defeat all of iOS's defense-in-depth has become harder and harder. Furthermore, thanks to the code signing requirement enforced by Apple, a kernel exploit is usually needed to run unsigned applications on an iOS system. And even on a fully compromised iOS system, in most cases the exploit cannot persist across a reboot.
During Mobile Pwn2Own 2017, we (KeenLab) remotely pwned the iOS 11 system twice - once by exploiting the browser, once by exploiting Wi-Fi - each involving only one click by the user. We broke the Apple sandbox after achieving in-sandbox code execution, then installed a rogue application and bypassed the code signing requirement. The installed application can persist across a reboot. Surprisingly, all the bugs we used in the whole chain are from user-land.
In this talk we will discuss the whole strategy used to achieve this. We will disclose the details of the vulnerability we used to break the sandbox (CVE-2017-7162), a double free vulnerability in the IOKit framework. The bug needs to be exploited by racing on a separate thread, but with our advanced exploit techniques we achieved 100% reliable exploitation. We will also talk about our approach to installing the application and bypassing code signing. We will give a demo to illustrate our techniques.