Wednesday, July 30, 2014

Mac OS X and iPhone sandbox escapes

Posted by Chris Evans, Finder of None Of These

As part of our launch manifesto, we committed to openness and transparency, including sharing full details of our research.

About a month ago, Apple released two security advisories which fixed some Project Zero findings. Today, we’re releasing the technical details by making some bugs public. Why now? Generally, we’ll always wait a little while after a patch is available, to give users time to apply the patch.

We won’t be writing a blog post for every set of bugs we make public. The main reason for this particular blog post is to highlight our process for making bugs public. That said, there are some interesting bug details available as of today! To highlight a few:

  • These two bugs describe heap corruptions in launchd. launchd is a service that sandboxed processes can talk to, and it runs unsandboxed, so a memory corruption in that process is an excellent sandbox escape. As you can see, these bugs were discovered by code auditing.
  • This OS X bug fully demonstrates the ability to read arbitrary kernel memory from within the sandbox. As you can see, proof-of-concept C code is attached for you to study.
  • This OS X bug covers a very interesting validation failure: an integer underflow that in turn causes the kernel to read a kernel structure from a non-NULL userspace address. The kernel structure involved contains a function pointer, so getting in-kernel code execution at a chosen address follows trivially. An annotated analysis of the faulty assembly instructions is included.
  • This OS X bug covers NULL pointer dereferences in the kernel—four in fact. It goes into detail about which circumstances result in sandbox escapes and which are “only” privilege escalations. Two of the bugs are quite neat because they call an attacker-specified offset from a good vtable base. Because this situation does not involve knowing any absolute kernel addresses, the bugs could be used first to defeat kernel ASLR and then to gain kernel code execution.
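To make the "validation failure, integer underflow, kernel reads a structure from a userspace address, function pointer gets called" chain in the third bullet concrete, here is an added illustration written for this post. It is not Apple's code, not Project Zero's proof of concept, and not the actual bug: the structure name `handler`, the `dispatch` member, the slot counts and both handler functions are hypothetical, and the "userspace" and "kernel" regions are simulated with one contiguous arena in an ordinary userspace program. What it does show is the general pattern: a 1-based count is decremented before it is range-checked, the check is done on a signed value, so a count of zero wraps to -1, passes the check, and indexes one structure before the table, in memory the attacker controls.

```c
/* Added illustration of the bug class (hypothetical names; not Apple's or
 * Project Zero's code). A user-supplied 1-based count is decremented before it
 * is validated, and the validation compares a signed int, so count == 0 wraps
 * to -1, passes the check, and selects a structure that sits just *before* the
 * kernel table, here in the simulated attacker-controlled region. */
#include <stdint.h>
#include <stdio.h>

struct handler {
    int (*dispatch)(int);        /* stand-in for the function pointer in the kernel structure */
};

#define USER_SLOTS   4           /* simulated userspace structures, attacker-controlled */
#define KERNEL_SLOTS 4           /* simulated kernel table */

static int kernel_dispatch(int x)   { return x + 1; }               /* legitimate handler */
static int attacker_dispatch(int x) { (void)x; return 0x41414141; } /* stand-in for attacker code */

/* One contiguous arena so a negative index off the kernel table lands in the
 * attacker-controlled region, mimicking a userspace address adjacent to kernel data. */
static struct handler arena[USER_SLOTS + KERNEL_SLOTS] = {
    { attacker_dispatch }, { attacker_dispatch }, { attacker_dispatch }, { attacker_dispatch },
    { kernel_dispatch },   { kernel_dispatch },   { kernel_dispatch },   { kernel_dispatch },
};
static struct handler *kernel_table = &arena[USER_SLOTS];

/* Vulnerable: subtract first, then compare as a signed int.
 * count == 0  ->  (uint32_t)0xFFFFFFFF  ->  (int)-1, which is < KERNEL_SLOTS,
 * so the "kernel" dereferences kernel_table[-1] and calls its function pointer. */
int dispatch_vulnerable(uint32_t count, int arg)
{
    int idx = (int)(count - 1);
    if (idx >= KERNEL_SLOTS)
        return -1;                           /* EINVAL-style rejection */
    struct handler *h = &kernel_table[idx];  /* idx == -1 reads attacker memory */
    return h->dispatch(arg);                 /* control flow now attacker-chosen */
}

/* Hardened: validate the raw unsigned value before any arithmetic on it. */
int dispatch_fixed(uint32_t count, int arg)
{
    if (count == 0 || count > KERNEL_SLOTS)
        return -1;
    struct handler *h = &kernel_table[count - 1];
    return h->dispatch(arg);
}

int main(void)
{
    printf("vulnerable, count=1: %d\n", dispatch_vulnerable(1, 41)); /* legitimate path */
    printf("vulnerable, count=0: 0x%x\n", dispatch_vulnerable(0, 41)); /* attacker's pointer called */
    printf("fixed,      count=0: %d\n", dispatch_fixed(0, 41));      /* rejected */
    return 0;
}
```

The fix is not "add a bounds check" (the vulnerable version has one); it is to range-check the value the caller actually supplied, as an unsigned quantity, before deriving anything from it. In a real kernel the read from `kernel_table[-1]` would hit whatever lies below the table in the address space, which is why a non-NULL userspace address reachable from kernel mode turns an off-by-one-underneath into a function-pointer call.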

If you want a single URL to enumerate all of our publicly viewable bugs, click here. Enjoy! And thanks for following Project Zero.
