
Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation discusses the vulnerabilities found in Apple's iMessage and FaceTime applications and the attack surface exposed by the messaging interface.
  • The speaker found significant improvements in the FaceTime implementation but also discovered many trivial bugs in the attack surface exposed by the messaging interface.
  • The presentation focuses on two types of vulnerabilities: stack overflows and heap overflows.
  • The speaker explains how an attacker can send a notification to the victim's device through APS, apsd and identityservicesd, and how an attacker can send a signal packet to avconferenced through identityservicesd.
  • The presentation highlights the need for more attention to be given to the attack surface exposed by the messaging interface.
  • The speaker encourages security researchers to take another look at this attack surface to find more interesting vulnerabilities.
The speaker explains how an attacker can send a notification to the victim's device through APS and apsd. The notification produces a UI notification that prompts the victim to accept it. Once the victim accepts, the acceptance is sent across identityservicesd and handled by an apsd caller. The caller deserializes the APS message and passes the data on to identityservicesd. The real value of CL k c is 233, which means the notification is an accept message. The victim's device is then connected to the attacker's device, and all data is transferred through the socket over UDP or TCP.

Abstract

Zero-click or one-click remote exploits targeting Apple FaceTime or iMessage attract increasing attention, but neither real world vulnerabilities nor the attack surfaces in such targets were fully studied and analyzed in the past. In this talk, we will share reverse engineering results of FaceTime, with a focus on the process of the initialization and connection of a FaceTime call. Along with the attacker-controlled data propagation path, we will discuss different attack surfaces for FaceTime. In particular, besides trivial denial of service issues, we will describe a number of vulnerabilities in FaceTime (and other relevant components), including memory corruption flaws such as heap and stack overflow and out-of-bounds read issues, and develop and demonstrate PoC exploits that can lead to a fully-controlled Objective C ISA pointer or program counter (PC) in FaceTime, affecting both Mac OS and iOS.
