Post Acac1VVn4aNbrmbPJA by siguza@infosec.exchange
Post #AcWPwuafX9kdW6qUbI by zhuowei@notnow.dev
2023-12-06T04:44:07.488827Z
0 likes, 0 repeats
How do iOS malware use kernel R/W to escape the sandbox?

On iOS 15, PAC prevents you from simply disabling the sandbox (https://cameronkatri.com/nullcongoa2022.pdf), so you can't just `posix_spawn` your payload.
Post #AcWWAtVowGFpx5d200 by zhuowei@notnow.dev
2023-12-06T05:53:50.983623Z
0 likes, 0 repeats
Researchers have captured several malware samples on iOS 15/16, yet nobody documented how they can spawn processes with only kernel R/W. I can't figure it out either...
Post #AcabdI2pUYLV9IVaHA by turbocooler@infosec.exchange
2023-12-06T21:57:38Z
0 likes, 0 repeats
@zhuowei you can just spawn a legitimate process that runs some interpreted bytecode/language and give it an rwx primitive if you’re a threat actor and don’t particularly care about usability/APIs
Post #AcabdJJskda36TUiUi by zhuowei@notnow.dev
2023-12-08T05:13:51.813996Z
0 likes, 0 repeats
@turbocooler This was what the Pegasus malware on iOS 9 did with jsc (https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf). And on the jailbreak side, Fugu14 also replaced a system binary to run an untether in JavaScript.
Post #Acac1UK3UjOmB66WNU by opa334@infosec.exchange
2023-12-06T16:39:19Z
0 likes, 0 repeats
@zhuowei The simple answer is: You don't. Spawning binaries with only kernel r/w is no longer feasible, you need additional bugs.
Post #Acac1VVn4aNbrmbPJA by siguza@infosec.exchange
2023-12-06T20:02:41Z
0 likes, 0 repeats
@opa334 @zhuowei researchers have been saying for years that these things only target jailbreakers, not threat actors...
Post #Acac1WYJChzL5smvs8 by opa334@infosec.exchange
2023-12-06T23:28:12Z
0 likes, 0 repeats
@siguza @zhuowei Yeah, but that's because threat actors might not even need to spawn a binary to begin with. For actually spawning your own binary you definitely need a codesign or PPL bypass though, no urbane technique is going to allow you to do that without one. For spawning an already signed binary, I guess there's a lot of ways to do it though.
Post #Acac1XU5jsD1z5p4wC by zhuowei@notnow.dev
2023-12-08T05:18:13.924226Z
0 likes, 0 repeats
@opa334 @siguza
> For spawning an already signed binary, I guess there's a lot of ways to do it though.

I haven't seen many examples of this: I only remember one public analysis of an iOS malware that borrowed a validly signed system binary: Pegasus on iOS 9 used JSC for persistence.

On the jailbreak side, I know Fugu14 also uses a system binary to start the untether. (And long ago, Corona, an iOS 5 jailbreak, ran `racoon` for its untether, but that was when launchd plists were still loaded from the filesystem.)

Both of these accomplish it by replacing one system binary on the root filesystem with another, which is no longer possible in the age of signed root FS.

That's why the CoreTrust malware is interesting: it really shouldn't be able to call posix_spawn or launchd or take over someone else's task port with just (I assume??) kernel R/W, so how does it spawn a process?
Post #Acakh0vDzirAn1nm7c by saagar@federated.saagarjha.com
2023-12-08T06:31:08.927604Z
0 likes, 0 repeats
@zhuowei @opa334 @siguza I mean if you are willing to work for it you can spawn an existing process and use kernel R/W to break it in a way that gets you code execution
Post #Acakh1zrzwAO7iz008 by saagar@federated.saagarjha.com
2023-12-08T06:33:31.609993Z
0 likes, 0 repeats
@zhuowei @opa334 @siguza Are registers for context switch signed, for example? If not, you can poke an Apple process into a loop doing something predictable (say a lot of small memcpys) using existing APIs, wait for it to be unscheduled, then corrupt that to get an OOB in userspace.
Post #Acakh39pgNjJiueTAW by zhuowei@notnow.dev
2023-12-08T06:55:18.271426Z
0 likes, 0 repeats
@saagar @opa334 @siguza I think only r16, r17, lr, pc, and cpsr are signed, using the exact same signing checks as kernel threads, as spectacularly demonstrated by Linus Henze saving a kernel thread on top of a userspace thread to elevate it to kernel mode in Fugu14.

But if I really wanted to mess with defenders, I would simply poke one (1) bool flag in that process's memory and use NSExpressions to get out of my sandbox. (https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html) And you can probably even get the victim to page in that flag for you by sending an NSExpression to get it to read the "i can has unlimited nsexpression" flag...
Post #Acakh3VSNz1knyljsG by saagar@federated.saagarjha.com
2023-12-08T06:36:06.959070Z
0 likes, 0 repeats
@opa334 @siguza @zhuowei This also probably makes it hard for Citizen Lab or Amnesty International to know what you are doing, so if I was a smart implant writer who didn’t have my hands tied I would do this
Post #AcakzcCo770tdRtb6W by saagar@federated.saagarjha.com
2023-12-08T06:57:24.413163Z
0 likes, 0 repeats
@zhuowei @opa334 @siguza That flag is almost certainly going away at some point, but yes, there is a lot that you can do. I did notably not mention a direct memory write because you’d need to avoid PAN, which I think would be similar shenanigans-wise
Post #AcakzdBQTjVEfSG0ae by zhuowei@notnow.dev
2023-12-08T06:58:45.916962Z
0 likes, 0 repeats
@saagar @opa334 @siguza Isn't the entire physical memory mapped inside the kernel address space, or is that blocked by hardening?
Post #AcamRpjpUdgtfVMRZw by saagar@federated.saagarjha.com
2023-12-08T07:00:23.421656Z
0 likes, 0 repeats
@zhuowei @opa334 @siguza I was too lazy to check whether physmap was locked down on iOS, hence the roundabout strategies
Post #AcamRro9nWLC5VOvbM by zhuowei@notnow.dev
2023-12-08T07:14:59.447440Z
0 likes, 0 repeats
@saagar @opa334 @siguza Physmap seems to be accessible as of iOS 13.3 and probably iOS 15.x:

1) Searching for "physmap iOS exploit" shows Ian Beer was able to read from the physmap and dump data from Safari. https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

2) Bazad noted in passing in the one byte research (https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.html) that the physmap was a way to get some user-controlled kernel memory on iOS 13.

3) Linus Henze (...again) was reading the entirety of physical memory out of the physmem mapping as part of the Fugu15 DriverKit exploit: https://youtu.be/rPTifU1lG7Q seems to suggest physmem is not locked down?

I'm mainly worried because I always thought iOS/macOS is very stingy on paging in memory, so you might find that the page you want to write is compressed or swapped out...