Hack Different: Pwning iOS 14 with Generation Z Bugz

Conference:  BlackHat USA 2021



The presentation discusses iOS exploitation techniques and vulnerabilities, including the use of fake objects and shell code execution.
  • The speaker discusses two bugs from the late 2000s that can be exploited without memory corruption
  • The presentation demonstrates the use of fake objects to exploit vulnerabilities in iOS
  • The speaker explains how to use shell code execution to gain privileged access and install monitoring software
  • The presentation recommends reading additional materials for further information on the topic
The speaker describes how they used a malloc primitive to control the learners and content of a fake object, which they then used to exploit a vulnerability in iOS. They also discuss the use of shell code execution to gain access to privileged information and install monitoring software.


The traditional Safari exploit is to gain code execution in the renderer first, then escape the sandbox with userland bugs or directly attack the kernel. However, since Safari has been under attention for a long time, it is not easy to find vulnerabilities in it. Furthermore, the sandbox protection mechanism is becoming more and more challenging, escaping the sandbox is even harder. Instead of struggling with the state-of-the-art mitigations in WebKit, we used a brutally simple logic bug to bypass the renderer sandbox and get arbitrary JavaScript execution in another WebView without initial code execution. It was introduced by iOS 3. By using an Inter-App XSS, we can launch the Calculator from MobileSafari with literally zero memory corruption. It can even read the phone number and Apple ID directly. But the exploit chain doesn't end here.Since other WebView applications usually use JS Bridge to provide other JSAPI interfaces, they generally expose more attack surfaces than Safari. In the XSS-ed WebView, a mis implemented access control of bridged Objective-C objects effectively leads to object life-cycle control, which makes a perfectly exploitable UAF. Together with another logic information leakage, they showed how logic bugs can threaten memory safety.We built the arbitrary call primitive despite the PAC, and further bypass APRR to load arbitrary shellcode in a loosely sandboxed context that can access various critical personal information, such as Apple ID credentials, contacts, and camera.