
Attacking iPhone XS Max

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation describes how tethered jailbreaks were achieved on iPhone XS/XS Max by exploiting a long-standing bug in XNU and bypassing Apple's Pointer Authentication Code (PAC) implementation.
  • Introduction to UNIX domain sockets and the kernel functions involved
  • Analysis of the root cause and pattern of the XNU bug
  • Explanation of how to exploit the bug to bypass PAC and gain arbitrary kernel read/write
  • Discussion of post-exploitation techniques
  • Illustration of the point through an anecdote
  • Importance of treating a temporary unlock as a bad pattern when auditing
  • Conclusion on the need for good design and implementation
The speaker explains how they gained control of the kernel by exploiting a bug in XNU that still affects the latest official release of iOS. They then bypassed Apple's PAC implementation and achieved tethered jailbreaks on iPhone XS/XS Max. This was done by controlling two memory loads and redirecting control flow into a special function that loads a trust cache, as if the kernel itself were loading one. The speaker emphasizes paying attention to temporary unlocks as a bad pattern when doing source-level or binary-level auditing: code that drops a lock and re-acquires it may keep relying on state it checked before the unlock, even though another thread could have changed that state in between.
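The "temporary unlock" pattern the speaker flags, as an added illustration that is not the talk's code and not XNU's: a function checks and caches a pointer under a lock, drops the lock around a step that may sleep, re-acquires it, and keeps using the cached pointer. The structures, names and toy lock below are invented for the example (a one-field lock stands in for the kernel's socket lock, and the racing thread is modelled as a callback so the interleaving is deterministic). The hardened variant re-validates the state after re-acquiring the lock; holding a reference across the unlock is the other usual fix.

```c
/* Constructed example of the temporary-unlock pattern. Not XNU code:
 * every name here is hypothetical and chosen for the illustration. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy non-recursive lock; aborts on misuse so the example is self-checking. */
struct toy_lock { int held; };
static void lock_acquire(struct toy_lock *l) { if (l->held) abort(); l->held = 1; }
static void lock_release(struct toy_lock *l) { if (!l->held) abort(); l->held = 0; }

struct resource {
    int value;
    int released;   /* set by the owner on detach, so a stale use is observable, not UB */
};

struct sock_like {
    struct toy_lock lock;
    struct resource *res;   /* protected by lock */
    unsigned generation;    /* bumped whenever res changes; protected by lock */
};

/* Stands in for another thread that runs while the lock is dropped. */
typedef void (*while_unlocked_fn)(struct sock_like *s);

/* A step that must not hold the lock (think: a lookup or copy that may sleep). */
static void blocking_step(struct sock_like *s, while_unlocked_fn racer)
{
    if (racer) racer(s);
}

/* Vulnerable: cached pointer is used after the unlock/relock without re-validation. */
int use_resource_vulnerable(struct sock_like *s, while_unlocked_fn racer)
{
    lock_acquire(&s->lock);
    struct resource *r = s->res;            /* checked and cached under the lock */
    if (r == NULL) { lock_release(&s->lock); return -1; }

    lock_release(&s->lock);                 /* temporary unlock */
    blocking_step(s, racer);                /* racer may detach or replace s->res here */
    lock_acquire(&s->lock);

    int v = r->value;                       /* BUG: r may no longer be s->res */
    lock_release(&s->lock);
    return v;
}

/* Hardened: after re-acquiring the lock, confirm nothing changed meanwhile. */
int use_resource_hardened(struct sock_like *s, while_unlocked_fn racer)
{
    lock_acquire(&s->lock);
    struct resource *r = s->res;
    unsigned gen = s->generation;
    if (r == NULL) { lock_release(&s->lock); return -1; }

    lock_release(&s->lock);
    blocking_step(s, racer);
    lock_acquire(&s->lock);

    if (s->res != r || s->generation != gen) {   /* state changed while unlocked */
        lock_release(&s->lock);
        return -2;                               /* caller retries or fails; no stale use */
    }
    int v = r->value;
    lock_release(&s->lock);
    return v;
}

/* The racer: owner detaches the resource. Marked released rather than freed. */
void detach_resource(struct sock_like *s)
{
    lock_acquire(&s->lock);
    if (s->res) { s->res->released = 1; s->res = NULL; s->generation++; }
    lock_release(&s->lock);
}

/* Runs both variants against the same race. Returns 1 when the vulnerable
 * path read a released resource and the hardened path refused, else 0. */
int demo_race(void)
{
    struct resource res = { .value = 42, .released = 0 };
    struct sock_like s = { .lock = { 0 }, .res = &res, .generation = 0 };

    int v1 = use_resource_vulnerable(&s, detach_resource);  /* 42, from a released resource */
    int stale_used = (v1 == 42 && res.released);

    s.res = &res; res.released = 0;                         /* reset for the second run */
    int v2 = use_resource_hardened(&s, detach_resource);    /* -2: change detected */

    return stale_used && v2 == -2;
}

int main(void)
{
    printf("vulnerable used stale state and hardened refused: %s\n",
           demo_race() ? "yes" : "no");
    return 0;
}
```

When auditing, the thing to look for is exactly the shape of `use_resource_vulnerable`: a lock released and re-taken inside one function, with locals computed before the release still live after it.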

Abstract

With the release of iPhone XS and XS Max, Apple's implementation of Pointer Authentication Code (PAC) on the A12 SoC comes more into play for exploit mitigations. While PAC effectively makes many of our own kernel vulnerabilities unexploitable on iPhone XS/XS Max, we were able to achieve tethered jailbreaks on iPhone XS/XS Max. This talk will describe this process. Specifically, this talk will first discuss Apple's PAC implementation based on our tests, introduce an ancient bug in the XNU that is still affecting the latest official release of iOS (i.e. 12.1.4), and then elaborate how to exploit it to bypass PAC and gain arbitrary kernel read/write. Finally, this talk will explain post exploitation techniques including how to make arbitrary kernel function call based on arbitrary kernel read/write.
