lecture: Exploiting User-land vulnerabilities to Get Rogue App Installed Remotely on iOS 11
Apple introduced several security enhancements in iOS 11 to mitigate known attacks, including a reduced attack surface reachable from the Apple sandbox and additional kernel protection mechanisms. As a result, chaining a series of vulnerabilities to defeat all of iOS's defense in depth has become harder and harder. Furthermore, because Apple enforces code signing, a kernel exploit is usually needed to run unsigned applications on an iOS system. And even on a fully compromised iOS system, in most cases the exploit cannot persist across a reboot.
During Mobile Pwn2Own 2017, we (KeenLab) remotely pwned iOS 11 twice: once by exploiting the browser, once by exploiting Wi-Fi, each requiring only one click by the user. After achieving in-sandbox code execution we broke out of the Apple sandbox, then installed a rogue application and bypassed the code signing requirement. The installed application persists across reboots. Surprisingly, every bug used in the whole chain is a user-land bug.
In this talk we will discuss the whole strategy used to achieve this. We will disclose the details of the vulnerability we used to break out of the sandbox (CVE-2017-7162), a double-free vulnerability in the IOKit framework. Exploiting the bug requires winning a race against a separate thread, but our exploitation techniques make the exploit 100% reliable. We will also describe our approach to installing the application and bypassing code signing, and we will give a demo to illustrate our techniques.
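The abstract names the bug class (a double free in IOKit reached by racing a separate thread) but gives no details of CVE-2017-7162 itself. The following is an added, constructed illustration of that class, not the talk's bug or KeenLab's exploit: a holder object releases a member with an unsynchronised check-then-act, so two callers that both pass the NULL check release the same object twice. The race is replayed deterministically by splitting the racy path at its window instead of spawning real threads; the names holder_t, member_t, racy_check, racy_act and safe_release are all invented for this example. The hardened variant hands off ownership with an atomic exchange, so exactly one caller releases.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of a check-then-act double release; not CVE-2017-7162. */

/* The object that gets released; we only count release calls instead of freeing. */
typedef struct { int release_calls; } member_t;

typedef struct {
    member_t *member;              /* racy: plain pointer, unsynchronised check-then-act */
    _Atomic(member_t *) amember;   /* hardened: ownership handed off atomically */
} holder_t;

static void member_release(member_t *m) { m->release_calls++; }

/* Racy release path, split at the race window so the bad interleaving can be replayed:
 * "if (h->member) { release(h->member); h->member = NULL; }" */
static member_t *racy_check(holder_t *h) { return h->member; }
static void racy_act(holder_t *h, member_t *seen) {
    if (seen) {
        member_release(seen);
        h->member = NULL;
    }
}

/* Replay the losing interleaving: both callers pass the check before either clears the field.
 * Returns how many times the member was released (2 = double free). */
static int racy_double_release_count(void) {
    member_t m = {0};
    holder_t h = { &m, NULL };
    member_t *seen_a = racy_check(&h);   /* thread A: member != NULL */
    member_t *seen_b = racy_check(&h);   /* thread B preempts A and also sees member != NULL */
    racy_act(&h, seen_a);                /* A releases and clears the field */
    racy_act(&h, seen_b);                /* B releases the same object again */
    return m.release_calls;
}

/* Hardened path: atomically take the pointer out of the holder, so only the caller that
 * swapped out a non-NULL value owns it and releases it. */
static void safe_release(holder_t *h) {
    member_t *m = atomic_exchange(&h->amember, (member_t *)NULL);
    if (m) member_release(m);
}

/* Same two-caller sequence against the hardened path; returns the release count (1). */
static int safe_release_count(void) {
    member_t m = {0};
    holder_t h = { NULL, NULL };
    atomic_store(&h.amember, &m);
    safe_release(&h);   /* thread A: swaps out &m and releases it */
    safe_release(&h);   /* thread B: swaps out NULL, nothing to release */
    return m.release_calls;
}

int main(void) {
    printf("racy path released the member %d times\n", racy_double_release_count());
    printf("hardened path released the member %d times\n", safe_release_count());
    return 0;
}
```

In a real kernel the second release returns the allocation to the zone allocator while the first caller may still use it, which is what turns this pattern into a reallocation target; here the effect is reduced to a counter so the interleaving itself is what the example shows.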
Info
Day: 2018-06-16
Start time: 13:00
Duration: 01:00
Room: Grand salon
Track: Exploitation
Speakers
Liang Chen
Marco Grassi