Technical Analysis of the Pegasus Exploits on iOS

More documents

Recommendations

Info

9.3.2 Beta 2 ✅ ✅ ✅ ✅ ✅ 9.3.2 Beta 3 ✅ ✅ ✅ ✅ ✅ 9.3.2 Beta 4 ✅ ✅ ✅ ✅ ✅ 9.3.2 ✅ ✅ ✅ ✅ ✅ 9.3.3 Beta ✅ ✅ ✅ ✅ ✅ 9.3.3 Beta 2 ✅ ✅ ✅ ✅ ✅ 9.3.3 Beta 3 ✅ ✅ ✅ ✅ ✅ 9.3.3 Beta 4 ✅ ✅ ✅ ✅ ✅ 9.3.3 ✅ ✅ ✅ ✅ ✅ Similarly, <strong>the</strong> 64-bit version <strong>of</strong> <strong>the</strong> Stage 2 binary supports 99 different iOS and iPhone combinations. The supported iPhone and iOS versions <strong>of</strong> 64Stage2 are identified in <strong>the</strong> table below. iOS Version iPhone 5s (iPhone6, 1) iPhone 5s (iPhone6, 2) iPhone 6 Plus (iPhone7, 1) iPhone 6 (iPhone7, 2) iPhone 6s (iPhone8, 1) iPhone 6s Plus (iPhone8, 2) iPhone SE (iPhone 8,4) 9.2.1 (13D15) iOS 9.2.1 (13D20) 9.3 (13E233) ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ 9.3 (13E234) ✅ ✅ 9.3 (13E237) ✅ ✅ 9.3 Beta 4 9.3 Beta 6 ✅ ✅ Page 15
9.3 Beta 7 ✅ 9.3.1 ✅ ✅ ✅ ✅ ✅ ✅ ✅ 9.3.2 Beta 9.3.2 Beta 2 9.3.2 Beta 3 9.3.2 Beta 4 ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ 9.3.2 ✅ ✅ ✅ ✅ ✅ ✅ ✅ 9.3.3 Beta 9.3.3 Beta 2 9.3.3 Beta 3 9.3.3 Beta 4 ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ 9.3.3 ✅ ✅ ✅ ✅ ✅ ✅ ✅ Defeating KASLR The majority <strong>of</strong> Stage 2’s functionality deals with manipulating <strong>the</strong> kernel in order to disable security features on <strong>the</strong> victim’s device. In order to manipulate <strong>the</strong> kernel, Stage 2 must first locate <strong>the</strong> kernel. Under normal circumstances <strong>the</strong> kernel will be mapped into a randomized location due to <strong>the</strong> kernel address space layout randomization (KASLR) mechanism that iOS employs. KASLR is designed to prevent processes from locating <strong>the</strong> kernel in memory by mapping <strong>the</strong> kernel to a pseudorandom location in memory each time <strong>the</strong> device is powered on by <strong>the</strong> user. In order to locate <strong>the</strong> kernel, Stage 2 must find a way to expose a memory address within kernel memory space to a process in user space. Stage 2 uses <strong>the</strong> vulnerability CVE- 2016-4655 1 in order expose a memory address in kernel space. 1 http://www.securityfocus.com/bid/92651 Page 16
Page 1 and 2: Technical
Page 3 and 4: Section 1: Pegasus
Page 5 and 6: objects, stored within the<
Page 7 and 8: cell on the Heap.
Page 9 and 10: arr) will not be explicitly protect
Page 11 and 12: } to_overwrite(); The address <stro
Page 13 and 14: Analysis o
Page 15: In order to determine the</
Page 19 and 20: unsigned char properties[] = { // k
Page 21 and 22: The first parameter to the<
Page 23 and 24: clock_ops_overwrite Buffer: [00] (r
Page 25 and 26: p = (unsigned int)&stackAnchor & 0x
Page 27 and 28: Within OSUnserializeBinary, a while
Page 29 and 30: The macro will expand the</
Page 31 and 32: eing called again, but the<
Page 33 and 34: Section 3: Privilege Escalation and
Page 35 and 36: com.apple.driver.AppleMobileFileInt
Page 37 and 38: pszJBFilenamePath = "/private/var/t
Page 39 and 40: Section 4: Pegasus
Page 41 and 42: } return JSValue::encode(jsUndefine
Page 43: var body = '' for (var k = 0; k < 0

Technical Analysis of the Pegasus Exploits on iOS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?