The Userland Exploits of Pangu 8 @PanguTeam - PowerPoint PPT Presentation


  1. The Userland Exploits of Pangu 8 @PanguTeam

  2. Outline • Introduction • New Security Enhancements in iOS 8 • Pangu 8 Overview • Bypass Team ID Validation by Teasing the Trust-Cache • Bypass Code Signing Validation by Segment Overlapping • Sandbox Escape • Conclusion

  3. Pangu Team • Security research team in China • Focused on iOS security for more than 3 years • Released two untethered jailbreaks in half a year • 2014.6 - Pangu Axe for iOS 7.1.x • 2014.10 - Xuanyuan Sword for iOS 8-8.1

  4. Pangu Team • Xiaobo Chen (@dm557) • Hao Xu (@windknown) • Tielei Wang (@INT80_pangu) • @ogc557 • @tb557 • @zengbanxian • Siglos (@0x557)

  5. Outline • Introduction • New Security Enhancements in iOS 8 • Pangu 8 Overview • Bypass Team ID Validation by Teasing the Trust-Cache • Bypass Code Signing Validation by Segment Overlapping • Sandbox Escape • Conclusion

  6. Team ID • Check the entitlements of a binary built by the latest Xcode: it carries • com.apple.developer.team-identifier

  7. Data Protection • Data protection class • A - NSFileProtectionComplete • B - NSFileProtectionCompleteUnlessOpen • C - NSFileProtectionCompleteUntilFirstUserAuthentication • D - NSFileProtectionNone

  8. Data Protection • Lots of files in “/var” are protected with • Class C - NSFileProtectionCompleteUntilFirstUserAuthentication • Even root cannot access those files if the device has never been unlocked since boot • Create a file in “/var/mobile/Media” and print its attributes to see the class it gets

  9. Data Protection • Apple also keeps a protection class on folders • fcntl with the F_GETPROTECTIONCLASS command returns the protection class of a file or folder • 0 for “/var/mobile/Media”

  10. Data Protection • It is possible to change the protection class of a folder to turn off the default protection • fcntl with F_SETPROTECTIONCLASS, setting protection class = 4, which is NSFileProtectionNone
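An added example, not code from the deck: the fcntl procedure of slides 9-10 written out in Python. F_GETPROTECTIONCLASS = 63 and F_SETPROTECTIONCLASS = 64 are the command numbers from xnu's sys/fcntl.h, and the class numbers follow the kernel (A = 1 through D = 4, with 0 on a directory meaning no class is pinned). The function names are mine. On a kernel without these commands (Linux, for example) the helpers return None instead of raising; on a device, point it at a directory you own, or at “/var/mobile/Media” as root to reproduce the slide.

```python
"""Read and change iOS data-protection classes on files and folders via fcntl."""
import errno
import fcntl
import os
import sys
import tempfile

# Command numbers from xnu's sys/fcntl.h; class numbers are the kernel's (D = 4).
F_GETPROTECTIONCLASS = 63
F_SETPROTECTIONCLASS = 64
PROTECTION_CLASSES = {
    0: "no class pinned on this directory (device default applies)",
    1: "A - NSFileProtectionComplete",
    2: "B - NSFileProtectionCompleteUnlessOpen",
    3: "C - NSFileProtectionCompleteUntilFirstUserAuthentication",
    4: "D - NSFileProtectionNone",
}


def describe_class(cls):
    return PROTECTION_CLASSES.get(cls, "unknown class %r" % (cls,))


def _fcntl_or_none(path, cmd, arg=0):
    """Run one fcntl on path. None if this kernel does not implement the command
    (Linux and other non-Apple kernels answer EINVAL/ENOTSUP), else the result."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return fcntl.fcntl(fd, cmd, arg)
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    finally:
        os.close(fd)


def get_protection_class(path):
    """Protection class of a file or directory, or None where unsupported."""
    return _fcntl_or_none(path, F_GETPROTECTIONCLASS)


def set_protection_class(path, cls):
    """Pin a class on path; True on success, False where unsupported."""
    if cls not in PROTECTION_CLASSES:
        raise ValueError("not a data-protection class: %r" % (cls,))
    return _fcntl_or_none(path, F_SETPROTECTIONCLASS, cls) is not None


def turn_off_default_protection(dirpath):
    """Slide-10 procedure: pin class D (4) on the folder, then create a file inside
    and read the class back. Returns (folder before, folder after, new file's class),
    or None on a kernel without data protection."""
    before = get_protection_class(dirpath)
    if before is None:
        return None
    set_protection_class(dirpath, 4)
    probe = os.path.join(dirpath, "probe.txt")
    with open(probe, "w") as f:
        f.write("created after the folder was pinned to class D\n")
    return before, get_protection_class(dirpath), get_protection_class(probe)


if __name__ == "__main__":
    # Default to a fresh temp directory so a casual run changes nothing important.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    result = turn_off_default_protection(target)
    if result is None:
        print("%s: this kernel has no F_GETPROTECTIONCLASS" % target)
    else:
        for label, cls in zip(("folder before", "folder after", "new file"), result):
            print("%-14s %s" % (label, describe_class(cls)))
```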

  11. Launchd • Core code moved from launchctl into launchd • The arguments jailbreaks normally relied on were removed • “launchctl load -D all” no longer works • Strict loading process • All plist files are loaded from xpcd_cache.dylib • launchd asserts that those plist files also exist in /System/Library/LaunchDaemons • If you want to load a service from /System/Library/LaunchDaemons, its plist file must also exist in xpcd_cache

  12. Launchd • Weakness • Other arguments still work • “launchctl load paths” • Putting your plist files in /Library/LaunchDaemons seems to make no difference

  13. Outline • Introduction • New Security Enhancements in iOS 8 • Pangu 8 Overview • Bypass Code Signing Validation by Segment Overlapping • Bypass Team ID Validation by Teasing the Trust-Cache • Sandbox Escape • Conclusion

  14. Tethered jailbreak (stages: Backup → Restore → Debug → Deploy) • Backup: get a backup of the iOS device

  15. Tethered jailbreak • Restore: inject an expired enterprise license • Turn off the network connection • Inject an app containing a dylib signed by the enterprise license

  16. Tethered jailbreak • Debug: mount the developer disk image • Instruct debugserver to debug neagent • Force neagent to load the dylib by setting DYLD_INSERT_LIBRARIES

  17. Tethered jailbreak • Deploy: attack the kernel through the dylib • Disable the sandbox • Modify the rootfs to place libmis.dylib and enable-dylibs-to-override-cache • Adjust the boot sequence of the launchd daemons

  18. Untethered jailbreak (stages: Disable AMFID → Run Untethered Payload → Launch The Rest Services) • Disable AMFID: bypass code signing, bypass Team ID validation • Run untethered payload: exploit and patch the kernel • Launch the rest of the services

  19. Outline • Introduction • New Security Enhancements in iOS 8 • Pangu 8 Overview • Bypass Team ID Validation by Teasing the Trust-Cache • Bypass Code Signing Validation by Segment Overlapping • Sandbox Escape • Conclusion

  20. Team Identifier Verification • A new security mechanism introduced in iOS 8 • A team identifier (Team ID) is a 10-character alphanumeric string extracted from an Apple issued certificate.

  21. Team Identifier Verification • A program may link against any platform library that ships with the system or any library with the same team identifier in its code signature as the main executable. • System executables can only link against libraries that ship with the system itself.

  22. Troubles for jailbreak • Code signing bypass • Method: force dyld to load a fake libmis.dylib • evasi0n, evasi0n 7, pangu 7 • Challenge: the fake libmis.dylib must also pass the TeamID validation • Sandbox escape • Method: Inject a dynamic library signed by a developer license into system processes, e.g., setting DYLD_INSERT_LIBRARIES • Challenge: the injected library has to pass the TeamID validation

  23. Team ID verification Implementation • AppleMobileFileIntegrity hooks the mmap function • When a file is mapped into memory: • csfg_get_platform_binary • csfg_get_teamid • csproc_get_platform_binary • csproc_get_teamid

  24. Team ID verification: the decision chart in the AMFI mmap hook (reconstructed from the slide) • if the mapping does not request PROT_EXEC → PASS (nothing to check) • csfg_get_teamid / csfg_get_platform_binary: fetch the library's team ID and platform-binary flag • if the lib is a platform binary → PASS • if the lib has no team ID && is not a platform binary: go on to the main-executable checks • csproc_get_teamid / csproc_get_platform_binary: fetch the main executable's team ID and platform-binary flag • if the main executable has no team ID && is not a platform binary: a third-party binary that predates Team IDs • if the main executable is a platform binary → FAIL, unless it holds com.apple.private.skip-library-validation → PASS • if the main executable's team ID != the lib's team ID → FAIL, unless it holds com.apple.private.skip-library-validation → PASS

  25. (The decision chart of slide 24, shown again.)

  26. Who has the com.apple.private.skip-library-validation entitlement? • Good news: neagent has the entitlement • Bad news: neagent is the only one with the entitlement

  27. Recall: Troubles for jailbreak • Code signing bypass • Method: force dyld to load a fake libmis.dylib • Challenge: the fake libmis.dylib must also pass the TeamID validation • Unsolved • Sandbox escape • Method: Inject a dynamic library signed by a developer license into system processes, e.g., setting DYLD_INSERT_LIBRARIES • Challenge: the injected library has to pass the TeamID validation • Solved: inject the library to neagent
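An added example, not the team's code: a Python model of the decision chart on slide 24, run over the two cases of slide 27 (neagent holding the entitlement, amfid facing a fake libmis) and the trust-cache idea of slide 31, where "platform binary" simply means the cdhash is in the trust cache. CodeSignInfo, the scenario names and the Team ID strings are invented for illustration. The one branch whose outcome the chart does not label (both sides without a Team ID) is read here as PASS, which is an assumption. The model covers the Team ID check only; the code-signing hash comparison that slides 33-36 place later is a separate gate.

```python
"""Model of the iOS 8 AMFI mmap-hook Team ID check (decision chart on slide 24)."""
from typing import Optional, Set

PROT_READ, PROT_EXEC = 0x1, 0x4
SKIP_LIBRARY_VALIDATION = "com.apple.private.skip-library-validation"


class CodeSignInfo:
    """What the hook learns from a code signature via csfg_* (library) / csproc_* (process)."""

    def __init__(self, name: str, team_id: Optional[str] = None,
                 platform: bool = False, entitlements: Optional[Set[str]] = None):
        self.name = name
        self.team_id = team_id        # None: no com.apple.developer.team-identifier entitlement
        self.platform = platform      # True: its cdhash is in the kernel trust cache
        self.entitlements = entitlements or set()


def team_id_check(main_exe, lib, prot):
    """Return (allowed, reason) for mapping lib into a process whose main executable is main_exe."""
    if not prot & PROT_EXEC:
        return True, "mapping is not executable, nothing to check"
    if lib.platform:
        return True, "%s is a platform library" % lib.name
    # Assumption of this model: two binaries that both predate Team IDs may still link.
    if lib.team_id is None and main_exe.team_id is None and not main_exe.platform:
        return True, "neither side carries a Team ID"
    if main_exe.platform:
        if SKIP_LIBRARY_VALIDATION in main_exe.entitlements:
            return True, "%s holds %s" % (main_exe.name, SKIP_LIBRARY_VALIDATION)
        return False, "system executable %s may only link system libraries" % main_exe.name
    if main_exe.team_id != lib.team_id:
        if SKIP_LIBRARY_VALIDATION in main_exe.entitlements:
            return True, "%s holds %s" % (main_exe.name, SKIP_LIBRARY_VALIDATION)
        return False, "Team ID mismatch: %s vs %s" % (main_exe.team_id, lib.team_id)
    return True, "same Team ID %s" % lib.team_id


# Constructed actors; the Team ID strings are placeholders, not real certificates.
AMFID = CodeSignInfo("amfid", platform=True)
NEAGENT = CodeSignInfo("neagent", platform=True, entitlements={SKIP_LIBRARY_VALIDATION})
APP = CodeSignInfo("ThirdPartyApp", team_id="ABCDE12345")
LIBSYSTEM = CodeSignInfo("libSystem.B.dylib", platform=True)
DEV_DYLIB = CodeSignInfo("payload.dylib", team_id="ABCDE12345")       # developer-license signed
FAKE_LIBMIS = CodeSignInfo("libmis.dylib (fake, own signature)")        # no Team ID, not in trust cache
FAKE_LIBMIS_COPIED_SIG = CodeSignInfo("libmis.dylib (fake, copied CodeDirectory)", platform=True)

RX = PROT_READ | PROT_EXEC
SCENARIOS = {
    # slide 27, solved: injection works only because neagent carries the entitlement
    "neagent <- DYLD_INSERT_LIBRARIES payload.dylib": (NEAGENT, DEV_DYLIB, RX),
    # slide 27, unsolved: amfid must not accept a fake libmis with its own signature
    "amfid <- fake libmis.dylib": (AMFID, FAKE_LIBMIS, RX),
    # slide 31: a fake libmis whose CodeDirectory hash is in the trust cache counts as platform
    "amfid <- fake libmis with copied signature": (AMFID, FAKE_LIBMIS_COPIED_SIG, RX),
    "app <- own dylib": (APP, DEV_DYLIB, RX),
    "app <- libSystem": (APP, LIBSYSTEM, RX),
    "app <- other team's dylib": (APP, CodeSignInfo("other.dylib", team_id="ZZZZZ99999"), RX),
}


def run_scenarios():
    """Map each scenario label to the boolean verdict of the model."""
    return {label: team_id_check(m, l, p)[0] for label, (m, l, p) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (m, l, p) in SCENARIOS.items():
        ok, why = team_id_check(m, l, p)
        print("%-48s %s  (%s)" % (label, "PASS" if ok else "FAIL", why))
```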

  28. (The decision chart of slide 24, shown again.)

  29. How does iOS confirm a platform binary?

  30. How does iOS confirm a platform binary? • Trust Cache • The kernel records the hash values of system executables • Rather than storing a hash of the whole file, the trust cache only stores the SHA-1 of the CS_CodeDirectory structure in the code signature segment of a system executable

  31. Fake libmis with a “correct” code signature segment (diagram): copy the code signature segment of a real system executable into the fake libmis, so the CS_CodeDirectory hash it presents is one the trust cache already holds

  32. Outline • Introduction • New Security Enhancements in iOS 8 • Pangu 8 Overview • Bypass Team ID Validation by Teasing the Trust-Cache • Bypass Code Signing Validation by Segment Overlapping • Sandbox Escape • Conclusion

  33. Code Signing Workflow (flow chart) • execve → kernel (AMFI kext): if the binary is in the trust cache → PASS (hash comparison happens later) • otherwise → userland (amfid): if the binary is “trustly signed” → PASS (hash comparison happens later) • otherwise → FAIL

  34. Code Signing Workflow (flow chart) • Same flow; amfid decides whether the binary is trustly signed by calling MISValidateSignature in libmis.dylib

  35. High Level Idea • First used by evad3rs in evasi0n 6 • Replace libmis.dylib with a simple dylib that has no executable pages • The simple dylib itself never triggers the code signing checks, yet it can interpose the critical APIs responsible for code signing enforcement

  36. Code Signing Bypass (flow chart) • execve → kernel (AMFI kext): if the binary is in the trust cache → PASS • otherwise → userland (amfid), where the fake libmis.dylib re-exports MISValidateSignature always returning 0 → PASS (hash comparison happens later)

  37. How to construct the dylib (diagram: amfid loads libmis.dylib) • Mach-O header • TEXT segment: remove the X bit → no codesign checking • exported symbols: _MISValidateSignature, _CFEqual, _kMISValidation…, _kCFUserNotification… • LINKEDIT segment: … • dyld re-export info

  38. Segment Overlapping Attack in evasi0n 6 (diagram: Mach-O file on disk vs. memory) • On disk: TEXT Segment A, VMAddr 0, VMSize 4KB, R-X; TEXT Segment B, VMAddr 0, VMSize 4KB, R-- • Loading into memory, step 1: Segment A is mapped at 0 as R-X

  39. Segment Overlapping Attack in evasi0n 6 (diagram) • Loading into memory, step 2: Segment B is mapped at the same address 0 as R--, over Segment A • Result: the 4KB at address 0 ends up R--, so the dylib has no executable pages
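An added example (not code from the Pangu deck or from any jailbreak tool) that covers slides 30-31 and 37-39 together: it builds two constructed Mach-O dylibs in memory, one with the evasi0n 6 overlapping __TEXT layout and one with the X bit simply cleared, both carrying a copy of a constructed “system” code signature. It then parses the load commands, flags overlapping segments and a __TEXT without the X bit, and computes the SHA-1 of the CodeDirectory blob, which is what slide 30 says the trust cache stores. The Mach-O and SuperBlob constants are the public ones from mach-o/loader.h and the code-signing headers; the CodeDirectory body is placeholder bytes, not a real CS_CodeDirectory, and the builder leaves file offsets at 0. Caveat from slides 33-36: a matching trust-cache hash only settles the fast path; the page-hash comparison against the CodeDirectory happens later, which is why the dylib must map no executable pages.

```python
"""Mach-O helpers: list segments, flag overlapping or NX __TEXT, compute the cdhash."""
import hashlib
import struct
from collections import namedtuple

MH_MAGIC_64, MH_DYLIB, CPU_TYPE_ARM64 = 0xFEEDFACF, 6, 0x0100000C
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D
VM_PROT_READ, VM_PROT_EXECUTE = 1, 4
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY, CSSLOT_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02, 0

Segment = namedtuple("Segment", "name vmaddr vmsize initprot")


def build_superblob(cd_body):
    """One CodeDirectory blob inside a SuperBlob (big-endian, as in the real format).
    cd_body is a constructed stand-in for the real CS_CodeDirectory fields."""
    cd = struct.pack(">II", CSMAGIC_CODEDIRECTORY, 8 + len(cd_body)) + cd_body
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, 12 + 8 + len(cd), 1)
    index = struct.pack(">II", CSSLOT_CODEDIRECTORY, 12 + 8)   # single index entry
    return header + index + cd


def build_macho(segments, sig_blob):
    """Minimal 64-bit dylib: one LC_SEGMENT_64 per (name, vmaddr, vmsize, prot)
    plus LC_CODE_SIGNATURE. File offsets/sizes stay 0; only the commands matter here."""
    cmds = b"".join(
        struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode().ljust(16, b"\0"),
                    vmaddr, vmsize, 0, 0, prot, prot, 0, 0)
        for name, vmaddr, vmsize, prot in segments)
    sig_off = 32 + len(cmds) + 16                      # signature follows the load commands
    cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, sig_off, len(sig_blob))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_DYLIB,
                         len(segments) + 1, len(cmds), 0, 0)
    return header + cmds + sig_blob


def parse_macho(data):
    """Return (segments, embedded signature bytes or None) from a 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    segs, sig, off = [], None, 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, _, _, _, initprot = struct.unpack_from("<16sQQQQii", data, off + 8)
            segs.append(Segment(name.rstrip(b"\0").decode(), vmaddr, vmsize, initprot))
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            sig = data[dataoff:dataoff + datasize]
        off += cmdsize
    return segs, sig


def cdhash(sig):
    """SHA-1 of the CodeDirectory blob: the value the iOS 8 trust cache stores (slide 30)."""
    if sig is None or len(sig) < 12:
        return None
    magic, _, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return None
    for i in range(count):
        slot, boff = struct.unpack_from(">II", sig, 12 + 8 * i)
        bmagic, blen = struct.unpack_from(">II", sig, boff)
        if slot == CSSLOT_CODEDIRECTORY and bmagic == CSMAGIC_CODEDIRECTORY:
            return hashlib.sha1(sig[boff:boff + blen]).hexdigest()
    return None


def find_overlaps(segs):
    """Pairs of segments whose VM ranges intersect (the evasi0n 6 trick, slides 38-39)."""
    hits = []
    for i, a in enumerate(segs):
        for b in segs[i + 1:]:
            if a.vmaddr < b.vmaddr + b.vmsize and b.vmaddr < a.vmaddr + a.vmsize:
                hits.append((a.name, b.name))
    return hits


def has_executable_text(segs):
    """True if any __TEXT command carries the X bit on disk. False for the slide-37
    layout; True for the evasi0n 6 layout, whose X is hidden only by the later R-- mapping."""
    return any(s.name == "__TEXT" and s.initprot & VM_PROT_EXECUTE for s in segs)


# Constructed samples: a "system" signature and two fake-libmis layouts carrying a copy of it.
SYSTEM_SIG = build_superblob(b"constructed CodeDirectory of some real system executable")
EVASI0N_STYLE = build_macho([("__TEXT", 0, 0x1000, VM_PROT_READ | VM_PROT_EXECUTE),
                             ("__TEXT", 0, 0x1000, VM_PROT_READ),       # mapped second, over A
                             ("__LINKEDIT", 0x1000, 0x1000, VM_PROT_READ)], SYSTEM_SIG)
PANGU8_STYLE = build_macho([("__TEXT", 0, 0x1000, VM_PROT_READ),        # X bit simply removed
                            ("__LINKEDIT", 0x1000, 0x1000, VM_PROT_READ)], SYSTEM_SIG)

if __name__ == "__main__":
    for label, blob in (("evasi0n 6 layout", EVASI0N_STYLE), ("Pangu 8 layout", PANGU8_STYLE)):
        segs, sig = parse_macho(blob)
        print(label, "overlaps:", find_overlaps(segs), "exec __TEXT:", has_executable_text(segs),
              "cdhash matches system:", cdhash(sig) == cdhash(SYSTEM_SIG))
```

Pointing `parse_macho` at a real dylib read from disk gives the same checks on a real file; the builder exists only so the example runs without one.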
