Technical Analysis of the Pegasus Exploits on iOS

More documents

Recommendations

Info

Section 1: <strong>Pegasus</strong> Exploitation <strong>of</strong> Safari (CVE-2016-4657) 2 Background 3 Exploitation 7 Setting up and triggering <strong>the</strong> vulnerability 7 Acquiring an arbitrary read/write primitive 9 Leaking an object address 9 Native code execution 9 Evading detection 10 Section 2: Exploitation <strong>of</strong> KASLR by <strong>Pegasus</strong> 11 Differences Between 32 and 64-Bit Binaries 12 API Loading 12 Environment Setup and Platform Determination 13 Defeating KASLR 16 Establishing Read/Write/Execute Primitives on Previously Rooted Devices (32-Bit) 19 Thread Manipulation 21 Establishing Communication Channel (32-Bit) 21 Payload Construction and Kernel Insertion (32-Bit) 22 Payload Construction and Kernel Insertion (64-Bit) 25 Establishing Kernel Read/Write Primitives (32-Bit) 25 Establishing Kernel Read/Write Primitives (64-Bit) 30 Establishing a Kernel Execute Primitive (32-Bit) 31 Patching <strong>the</strong> Kernel to Allow Kernel Port Access 31 Section 3: Privilege Escalation and Activating <strong>the</strong> Jailbreak Binary 33 System Modification for Privilege Escalation 34 Disabling Code Signing 34 Remounting <strong>the</strong> Drive 35 Cleanup 36 Next Stage Installation 36 Existing Jailbreak Detection 37 Section 4: <strong>Pegasus</strong> Persistence Mechanism 39 <strong>Pegasus</strong> Persistence Mechanism 40 JavaScriptCore Memory Corruption Issue 40 Exploitation 41 Acquiring an arbitrary read/write primitive 41 Leaking an object address 42 Unsigned native code execution 42 Page 1
Section 1: <strong>Pegasus</strong> Exploitation <strong>of</strong> Safari (CVE- 2016-4657) The First Stage <strong>of</strong> Infection This section reports on first stage <strong>of</strong> <strong>the</strong> <strong>Pegasus</strong> exploit <strong>of</strong> <strong>the</strong> “Trident” zero-day vulnerabilities on iOS, discovered by researchers at Lookout and Citizen Lab. The first stage <strong>of</strong> <strong>the</strong> attack is triggered when <strong>the</strong> user clicks a spear-phishing link that opens <strong>the</strong> Safari browser. This enables <strong>the</strong> exploit <strong>of</strong> a vulnerability in WebKit’s JavaScriptCore library (CVE-2016-4657). Page 2
Page 1: Technical
Page 5 and 6: objects, stored within the<
Page 7 and 8: cell on the Heap.
Page 9 and 10: arr) will not be explicitly protect
Page 11 and 12: } to_overwrite(); The address <stro
Page 13 and 14: Analysis o
Page 15 and 16: In order to determine the</
Page 17 and 18: 9.3 Beta 7 ✅ 9.3.1 ✅ ✅ ✅
Page 19 and 20: unsigned char properties[] = { // k
Page 21 and 22: The first parameter to the<
Page 23 and 24: clock_ops_overwrite Buffer: [00] (r
Page 25 and 26: p = (unsigned int)&stackAnchor & 0x
Page 27 and 28: Within OSUnserializeBinary, a while
Page 29 and 30: The macro will expand the</
Page 31 and 32: eing called again, but the<
Page 33 and 34: Section 3: Privilege Escalation and
Page 35 and 36: com.apple.driver.AppleMobileFileInt
Page 37 and 38: pszJBFilenamePath = "/private/var/t
Page 39 and 40: Section 4: Pegasus
Page 41 and 42: } return JSValue::encode(jsUndefine
Page 43: var body = '' for (var k = 0; k < 0

Technical Analysis of the Pegasus Exploits on iOS

Create successful ePaper yourself

Delete template?

Save as template?