Technical Analysis of the Pegasus Exploits on iOS

More documents

Recommendations

Info

To determine whe<strong>the</strong>r <strong>the</strong> <strong>the</strong> device has already been jailbroken, Stage 2 attempts to acquire a valid mach port (a handle) into <strong>the</strong> iOS kernel using a common jailbreak backdoor. This check is performed simply by calling task_for_pid with <strong>the</strong> PID value set to 0. Patching task_for_pid in this way is a common backdoor mechanism used by iOS jailbreaks that provides direct kernel memory access to a user mode process. Calling task_for_pid with a PID <strong>of</strong> 0 is not normally allowed by iOS. If task_for_pid returns a valid task port, <strong>the</strong>n <strong>the</strong> Stage 2 process has elevated access to <strong>the</strong> kernel and can forgo <strong>the</strong> privilege escalation steps described previously. Stage 2 also checks for <strong>the</strong> presence <strong>of</strong> <strong>the</strong> binary /bin/sh. On a non-jailbroken phone, this binary should never exist. When Stage 2 detects <strong>the</strong> presence <strong>of</strong> this binary, it assumes that <strong>the</strong> existing jailbreak is ei<strong>the</strong>r incompatible with <strong>Pegasus</strong> or that all required kernel patches are already in place and no fur<strong>the</strong>r action is needed. When /bin/sh is identified on a device, prior to exploitation, Stage 2 simply exits cleanly. Page 37
Section 4: <strong>Pegasus</strong> Persistence Mechanism This section details <strong>the</strong> persistence mechanism used by <strong>Pegasus</strong> to remain on <strong>the</strong> device after compromise via an exploit <strong>of</strong> <strong>the</strong> Trident vulnerabilities, and continue to execute unsigned code each time <strong>the</strong> device reboots. Page 38
Page 1 and 2: Technical
Page 3 and 4: Section 1: Pegasus
Page 5 and 6: objects, stored within the<
Page 7 and 8: cell on the Heap.
Page 9 and 10: arr) will not be explicitly protect
Page 11 and 12: } to_overwrite(); The address <stro
Page 13 and 14: Analysis o
Page 15 and 16: In order to determine the</
Page 17 and 18: 9.3 Beta 7 ✅ 9.3.1 ✅ ✅ ✅
Page 19 and 20: unsigned char properties[] = { // k
Page 21 and 22: The first parameter to the<
Page 23 and 24: clock_ops_overwrite Buffer: [00] (r
Page 25 and 26: p = (unsigned int)&stackAnchor & 0x
Page 27 and 28: Within OSUnserializeBinary, a while
Page 29 and 30: The macro will expand the</
Page 31 and 32: eing called again, but the<
Page 33 and 34: Section 3: Privilege Escalation and
Page 35 and 36: com.apple.driver.AppleMobileFileInt
Page 37: pszJBFilenamePath = "/private/var/t
Page 41 and 42: } return JSValue::encode(jsUndefine
Page 43: var body = '' for (var k = 0; k < 0

Technical Analysis of the Pegasus Exploits on iOS

Create successful ePaper yourself

Delete template?

Save as template?