Technical Analysis of the Pegasus Exploits on iOS

More documents

Recommendations

Info

deserialized, <strong>the</strong> object’s reference count is decremented by calling o->release(), which will lead to <strong>the</strong> object being free()ed in most cases. The exception to this behavior occurs within kOSSerializeObject objects. Since a kOSSerializeObject object represents an object that is referenced by o<strong>the</strong>r entries, it is necessary to retain <strong>the</strong> object after serialization. As a result, during deserialization kOSSerializeObject objects will call o->retain(), <strong>the</strong>reby incrementing <strong>the</strong> reference count for <strong>the</strong> object and preventing its removal from memory. A serialized data blob allows for <strong>the</strong> same key to be used more than once. In o<strong>the</strong>r words, it is possible to have XML code that looks like: KEY1 1 KEY1 2 The above XML, once serialized, will contain five objects. The first object will be <strong>the</strong> dictionary container ( as a kOSSerializeDictionary object), followed by a symbol representing <strong>the</strong> key (as a kOSSerializeSymbol entry containing “KEY1”) and its data object (a kOSSerializeNumber entry for <strong>the</strong> integer 1). The fourth entry specifies ano<strong>the</strong>r key object, assigned KEY1 again, which is now a string object (kOSSerializeString) containing <strong>the</strong> string “2”. As part <strong>of</strong> <strong>the</strong> deserialization process, <strong>the</strong> reuse <strong>of</strong> KEY1 results in <strong>the</strong> object that follows replacing <strong>the</strong> original value assigned to KEY1. This reassignment <strong>of</strong> a key with new data is <strong>the</strong> situation where OSUnserializeBinary is vulnerable to attack. As stated previously, when an object is deserialized, and so long as that object is not a kOSSerializeObject, <strong>the</strong> object is stored in <strong>the</strong> objsArray for later reference. This storage is <strong>the</strong> result <strong>of</strong> <strong>the</strong> setAtIndex macro seen here: #define setAtIndex(v, idx, o) \ if (idx >= v##Capacity) \ { \ uint32_t ncap = v##Capacity + 64; \ type<strong>of</strong>(v##Array) nbuf = (type<strong>of</strong>(v##Array)) kalloc_container(ncap * size<strong>of</strong>(o)); \ if (!nbuf) ok = false; \ if (v##Array) \ { \ bcopy(v##Array, nbuf, v##Capacity * size<strong>of</strong>(o)); \ kfree(v##Array, v##Capacity * size<strong>of</strong>(o)); \ } \ v##Array = nbuf; \ v##Capacity = ncap; \ } \ if (ok) v##Array[idx] = o; Page 27
The macro will expand <strong>the</strong> objsArray to accommodate <strong>the</strong> additional object and assign <strong>the</strong> object to <strong>the</strong> end <strong>of</strong> <strong>the</strong> objsArray without increasing its reference count by means <strong>of</strong> a o- >retain() call. The problem with this method is that when a second object replaces an existing object (in our example this is whenever <strong>the</strong> string object replaces <strong>the</strong> number object for KEY1), <strong>the</strong> first object is released and subsequently freed, but a pointer to <strong>the</strong> now freed object exists within <strong>the</strong> objsArray. Normally this would simply be a bad programming design issue, but <strong>the</strong> problem is compounded if a reference is made to <strong>the</strong> object via a kOSSerializeObject entry. If a kOSSerializeObject entry references, by index, <strong>the</strong> now dangling pointer <strong>of</strong> <strong>the</strong> freed object, <strong>the</strong> call to o->retain() will attempt to execute a virtual function that is attacker-controlled. In order to exploit this use-after-free condition, 32Stage2 must take control <strong>of</strong> <strong>the</strong> memory location that was deallocated and place a custom vtable that will have <strong>the</strong> entry for retain directed to a function <strong>of</strong> its own choosing. Installing a custom vtable requires having access to two deallocated, adjacent memory locations. Since it is not possible to directly overwrite <strong>the</strong> vtable <strong>of</strong> an object during <strong>the</strong> serialization process, by allocating and <strong>the</strong>n freeing two memory locations, 32Stage2 can use an OSData or OSString object to replace two memory locations at once with one <strong>of</strong> <strong>the</strong> memory locations containing <strong>the</strong> malicious vtable. The easiest way to understand this concept is to look at <strong>the</strong> payload that 32Stage2 generates to exploit <strong>the</strong> OSUnserializeBinary UAF vulnerability. The malicious payload that 32Stage2 generates for this vulnerability depends on <strong>the</strong> iOS version. For iOS version 9.3.2 through at least 9.3.3, <strong>the</strong> payload takes <strong>the</strong> following form: [0x00] kOSSerializeBinarySignature [0x04] kOSSerializeEndCollecton | kOSSerializeDictionary | 0x10 [0x08] kOSSerializeString | 4 [0x0C] “sy2” [0x10] kOSSerializeData | 0x14 [0x14] {payload buffer} [0x28]kOSSerializeEndCollecton | kOSSerializeObject | 1 For iOS 9.0 through 9.3.1, <strong>the</strong> payload takes <strong>the</strong> following form: [0x00] kOSSerializeBinarySignature [0x04] kOSSerializeEndCollecton | kOSSerializeDictionary | 0x10 [0x08] kOSSerializeString | 4 [0x0C] “sy2” [0x10] kOSSerializeEndCollecton | kOSSerializeArray | 0x10 [0x14] kOSSerializeDictionary | 0x10 [0x18] kOSSerializeSymbol | 4 [0x1C] “sy1” [0x20] kOSSerializeData | 0x14 [0x24] ”ffff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0” [0x38] kOSSerializeSymbol | 4 [0x3C] “sy1” [0x40] kOSSerializeEndCollecton | kOSSerializeSymbol | 4 [0x44] “sy1” [0x48] kOSSerializeString | 0x1C [0x4C] {payload buffer} Page 28
Page 1 and 2: Technical
Page 3 and 4: Section 1: Pegasus
Page 5 and 6: objects, stored within the<
Page 7 and 8: cell on the Heap.
Page 9 and 10: arr) will not be explicitly protect
Page 11 and 12: } to_overwrite(); The address <stro
Page 13 and 14: Analysis o
Page 15 and 16: In order to determine the</
Page 17 and 18: 9.3 Beta 7 ✅ 9.3.1 ✅ ✅ ✅
Page 19 and 20: unsigned char properties[] = { // k
Page 21 and 22: The first parameter to the<
Page 23 and 24: clock_ops_overwrite Buffer: [00] (r
Page 25 and 26: p = (unsigned int)&stackAnchor & 0x
Page 27: Within OSUnserializeBinary, a while
Page 31 and 32: eing called again, but the<
Page 33 and 34: Section 3: Privilege Escalation and
Page 35 and 36: com.apple.driver.AppleMobileFileInt
Page 37 and 38: pszJBFilenamePath = "/private/var/t
Page 39 and 40: Section 4: Pegasus
Page 41 and 42: } return JSValue::encode(jsUndefine
Page 43: var body = '' for (var k = 0; k < 0

Technical Analysis of the Pegasus Exploits on iOS

Create successful ePaper yourself

Delete template?

Save as template?