Return of the iOS sandbox escape: lightspeed's back in the race

栏目: IT技术 · 发布时间: 4年前

内容简介:Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and p

Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and protected against dynamic inspection.

However, since this vulnerability is not exactly new to us and since the cat is out of the bag, now seems a good time to write about it :).

TL;DRDisclosure of an old new XNU kernel bug that was reintroduced with iOS 13

Quick recap of the situation

During late 2018, we published the details about a XNU kernel vulnerability that we dubbed lightspeed . This vulnerability started as a racy UaF in the syscall lio_listio that allows the liberation of a kernel object twice. You can read all the details about it in our post.

This vulnerability was patched early in iOS 12 and 11.4.1 was the last vulnerable iOS version. We were wondering if someone would make something out of it, and were thrilled to see that both the JakeBlair420 team( @s1guza , @stek29 , @sparkey , @littlelailo ) and @tihmstar were successful in doing so.

So when iOS 12 came out this vulnerability died and the lio_listio implementation was correct, right? Well, not really... In the blogpost we explained that, while the issue was fixed, a memory leak was introduced, and it was now possible to force the kernel to panic. As the conclusion of the blogpost we were wondering if Apple would fix it or not.

Apple cares about mem leaks!

We don't know if the XNU developers read the Synacktiv blog, but it turned out that they were bothered by the memory leak, and they even opened a radar issue about it. So they fixed it during the early version of iOS 13. And here is the fix from the xnu-6153.4.3 sources (that has not changed since).

int lio_listio(proc_t p, struct lio_listio_args *uap, int *retval )
{
    // [...]
    for (i = 0; i < uap->nent; i++) {
        // [...]
        aio_proc_lock_spin(p);
        // [...]
        lck_mtx_convert_spin(aio_proc_mutex(p));
        aio_enqueue_work(p, entryp, 1); // I/O enqueuing 
        aio_proc_unlock(p);
        // [...]
    }
    // [...]

    aio_proc_lock_spin(p);
    switch (uap->mode) {
        // [...]
    case LIO_NOWAIT:
        /* If no IOs were issued must free it (rdar://problem/45717887) */
        if (lio_context->io_issued == 0) {
            free_context = TRUE;
        }
        break;
    }
    aio_proc_unlock(p);
    // [...]

    if (free_context) {
        free_lio_context(lio_context);
    }
    // [...]
    return call_result;
} /* lio_listio */

We observe that if no I/O were issued in the LIO_NOWAIT case (lio_context->io_issued == 0) , the context is now freed again, preventing the allocation to remain in memory. We also notice that they reworked the way they take the proc lock a bit. But we also spot that they fixed it wrongly and reintroduced lightspeed!

Indeed, taking the lock with aio_proc_lock_spin(p) is irrelevant here to prevent the race. At this point the kernel worker may already have raced the main thread and freed the allocation (see our previous blogpostfor more details).

Return of the iOS sandbox escape: lightspeed's back in the race

As a consequence, the exact same vulnerability is back, with the same primitives. You can even test it with our old PoC(but you may need to tweak the parameters). From our tests it seems that the race probability changed a bit since the proc lock is now taken but that is not a big deal.

Conclusion

There is no doubt that lightspeed will be fixed again in the next iOS version. One way to fix that would be to never free the lio_context once I/O were scheduled, while using another variable to keep trace of the submitted tasks to free the context if none were.

Even if this is still a 0-day at the time this blog post is released, we think that it is the right time to publish as an exploit is out. Moreover, the regression was really easy to spot by diffing the sources months ago. So it was merely an open secret and it is likely that most researchers and bad actors already knew about it. The good news is that this vulnerability cannot be exploited from the WebKit renderer process since its sandbox has been considerably tightened since iOS 13 with the introduction of syscall whitelist.

This means that the risk for this vulnerability to be used by malicious actors is relatively low. An attacker would first have to compromise a vulnerable service or application in order to exploit this vulnerability. Nevertheless, you should update your iPhone as soon as a patch is made available by Apple.

As a final note, we would like to congratulate @Pwn20wnd and the unc0ver team for their successful exploit.

References


以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

超越门户

超越门户

吴晨光 / 中国人民大学出版社 / 2015-4-17 / 39.80

在这个PC端影响力下降、人们对手机的依赖与日俱增的时代,这种探索的意义非同寻常,可以说是试图树立新媒体时代的行业标准。 ——陈彤(小米内容投资与运营副总裁、新浪网前总编辑、资深网络媒体人) 我将对此书的阅读,视作对往日岁月的怀念,它提醒我,自己曾 投身于多么富有蓬勃朝气和探索精神的事业。而对这种事业的原则、逻辑和方法的继承和继续学习,对于互联网时代的企业形象塑造 ,同样有融会变通的参考......一起来看看 《超越门户》 这本书的介绍吧!

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

正则表达式在线测试
正则表达式在线测试

正则表达式在线测试