The presentation discusses the limitations and challenges of exploiting iOS 14 and proposes a new method using the IO surface object to modify kernel memory.
- iOS 14 has new security measures that make it difficult to exploit bugs
- The presentation focuses on CVE 2021-1782, a risk condition bug in module fcwater that was fixed in iOS 14.4
- The authors propose using the IO surface object to modify kernel memory and overcome the limitations of previous methods
- The set indexed timestamp and get YCbCr matrix external methods of the IO surface object are used to obtain new read and write primitives
- Shared memory, specifically the pipe buffer, is used to modify kernel memory
- The proposed method allows for more stable and reliable kernel rewrite primitives
The presenter explains that previous methods of exploiting iOS 14 were limited by the new security measures, making it difficult to access kernel tasks from user space. They then describe how they discovered that the IO surface object was a good candidate for a new method of modifying kernel memory. By using the set indexed timestamp and get YCbCr matrix external methods, they were able to obtain new read and write primitives. They then used shared memory, specifically the pipe buffer, to modify kernel memory. The presenter emphasizes that this new method allows for more stable and reliable kernel rewrite primitives.
iOS 14.0 was released on Sep 16, 2020, but people got their first real 14.x jailbreak after more than 5 months. In the past, every time Apple released a security update, there would soon be new vulnerabilities, and almost every version would be exploited quickly. Why is iOS 14 so hard to be pwned?Apple has introduced many new exploit mitigations in iOS 14, such as kernel heap isolation, data PAC, userspace PAC hardening, tfp0 hardening. These mitigations, acting on exploit stage or post-exploit stage, make many vulnerabilities unusable. So, everything has changed in iOS 14. Maybe it is the most secure kernel ever. Now only high-quality vulnerabilities can survive, e.g., CVE-2021-1782, the first public iOS 14 exploitable vulnerability.Then I published the first stable kernel r/w primitives based on ModernPwner' cicuta_virosa, and achieved SSH with full root shell on iOS 14. (I had achieved this with my own not-fixed 0-day before.) In this talk, I will share how I achieved a "jailbreak” and detail the techniques I used to bypass Apple's new mitigations. I hope my findings can be of some help to security researchers.