iOS 14 Userspace Exploitation

4 DAY, 32 CPE HOUR TRAINING: AUGUST 2021 * WEEK 2: AUG 7-13

Stefan Esser Antid0te UG

Abstract

The iOS 14 Userspace Exploitation Training course is a new addition to our syllabus since 2019. It is meant to complement our set of iOS related training courses and extend them into the userland field.

In this course we will discuss how to attack not only applications and daemons but also Apple's iMessage, which on the one hand has become a favorite target of nation states and on the other hand a place where Apple added new mitigations.

In this four day training participants will take a deep dive into topics related to iOS 14 userspace level exploitation. This starts with an introduction to the specifics of the iOS platform so that trainees with or without deep knowledge of iOS are on the same track. The following days will then concentrate on real world vulnerabilities in applications, daemons, services, and Apple's iMessage.

This 4 day course is an enhanced version of the course we did in 2020 and is targeted at intermediate to advanced exploit developers who want to switch over to iOS or learn how to deal with modern iOS user space targets. To improve on our 2020 course we have selected a number of previously disclosed real world vulnerabilities so that students can learn from real examples and not only from mockup bugs. We have also added more material regarding Swift targets.

Throughout the course we will discuss possible avenues for fuzzing the attack surface of the discussed targets. However, this is not an iOS fuzzing training course; for full coverage of iOS fuzzing we suggest signing up for another of our courses.

The training exercises will be performed on devices running iOS 14.x. Students are required to bring their own devices on iOS 14, as long as they are supported by the public checkra1n jailbreak.

The goal of this training is to enable trainees to find and exploit new vulnerabilities in iOS userspace programs despite the newest mitigations.

Course Topics

Introduction

  • How to set up your Mac and Device for Vuln Research/Exploit Development
  • iOS Userspace Memory Layout
  • Dynamic Loading Frameworks, Libraries and ASLR
  • iOS Sandboxing and Inter-Process Communication
  • Userspace Exploit Mitigations
  • Userspace Attack Surface

Objective-C and Swift

  • Exploitation strategies for Objective-C targets
  • Exploitation strategies for Swift targets

iOS Userland Debugging

  • Using the iOS Userland Debugger for vulnerability research
  • How to deal with iOS Anti-Debugging Tricks

iOS Userland Heap

  • Discussion of the iOS Userland Heap implementation
  • Discussion of other heap implementations in our targets
  • Introduction of new iOS userland heap visualization toolset

MIG and other forms of IPC

  • Introduction to MIG/IPC
  • Understanding the MIG/IPC architecture and its attack surface
  • Mach messages
  • Fuzzing and Exploitation of MIG services

XPC services

  • Introduction to XPC services
  • Understanding the XPC architecture and attack surface
  • Understanding target specific mitigations
  • XPC serialization / deserialization
  • Fuzzing XPC services
  • Exploiting XPC services

iMessage Exploitation

  • Introduction to iMessage and its architecture
  • Understanding the attack surface
  • Understanding target specific mitigations
  • Introspection and instrumentation
  • Fuzzing iMessage
  • Exploiting iMessage

What is new in iOS 14

  • New mitigations in iOS 14 will be covered

Prerequisites

  • The course will start with an introduction to the specifics of the iOS platform and is therefore suited for trainees with and without iOS userspace exploitation basics.
  • This course is an advanced exploitation course; it is therefore assumed that all students are familiar with ARM64 exploitation or reverse engineering.

Hardware Requirements

  • An Apple Mac Notebook/Desktop is required in order to run macOS and Xcode
  • We strongly recommend using an M1 based Mac
  • A device running iOS 14, up to and including the iPhone X, that can be used for testing.
  • For the best experience please use a jailbroken device. You may use the checkra1n jailbreak.
  • [optional] In addition to the iOS test device, you may also bring an iOS device newer than the iPhone X for some PAC hands-on. However, this is entirely optional.

Software Requirements

  • IDA Pro 7.x or IDA Home license (ARM64 support required)
  • Alternatively Ghidra can be used and is fully supported
  • Hex-Rays decompiler for ARM64: helpful, but not required
  • BinDiff for IDA: helpful, but not required
  • Hopper / Binary Ninja or other tools might work but are not officially supported
  • macOS 11, with the latest Xcode and iOS 14.x SDK (or newer)
  • Additional Software will be made available during the training

Training Takeaways

The whole training material (several hundred slides) will be handed to the students in digital form.

Students will get a license for the Antid0te software and scripts used during the training; the license allows usage but not redistribution of said software. This software is currently going through a complete cleanup and modernization to ensure compatibility with all new devices.