Fasten your seatbelts: We are escaping iOS 11 sandbox!

Conference: Defcon 26



The presentation discusses the iOS sandbox and how to exploit vulnerabilities to gain control of a remote process through the task port.
  • Introduction to iOS sandbox and classic ways to breach it
  • Discovery of two new vulnerabilities in latest iOS version
  • Exploiting vulnerabilities to gain control of a remote process through the task port
  • Importance of updating to latest iOS version to defend against potential attacks
The presenter explains how they found a way to trigger the vulnerability by manually clicking the Bluetooth steam, which was not ideal. They then discovered a function called pitydiscovery agent create, which allowed them to create a callback for the discovery agent and trigger the vulnerability without a manual click.


Apple's sandbox was introduced as "SeatBelt" in macOS 10.5, which provided the first full-fledged implementation of the MACF policy. After a successful trial on macOS, Apple applied the sandbox mechanism to iOS 6. In its implementation, the policy hooked dozens of operations. The number of hooks has grown steadily as new system calls or newly discovered threats appeared. In the beginning, Apple's sandbox used a black list approach, which means Apple originally concentrated on the known dangerous APIs and blocked them, allowing all others by default. However, with the evolution of Apple's sandbox, it applies a white list approach that denies all APIs and only allows secure ones that Apple trusts. In this talk, we will first introduce Apple's sandbox mechanism and profiles in the latest iOS. Then, we discuss the iOS IPC mechanism and review several old classic sandbox escape bugs. Most importantly, we show two new zero-day sandbox escape vulnerabilities we recently discovered in the latest iOS 11.4. Besides, we share our experience of exploiting vulnerabilities in system services through OOL msg heap spray and ROP (Return-oriented programming). In addition, we discuss a task port exploit technique which can be used to control the whole remote process through Mach messages. By using these techniques, security researchers could find and exploit sandbox escape bugs to control iOS user mode system services and further attack the kernel.