This week at HITB Singapore, Zimperium zLabs' security researcher Rani Idan (@raniXCH) is conducting a session titled "The Road to iOS Sandbox Escape." Rani's fellow zLabs researcher Adam Donenfeld (@doadam) is also conducting a session titled "Viewer Discretion Advised: (De)coding an iOS Vulnerability."
Here is the abstract for Rani's session. We will post the recording of the session when it is available. If you would like to review the presentations, including both Rani's and Adam's, you can view them here: https://gsec.hitb.org/materials/sg2018/
The Road to iOS Sandbox Escape
Apple's sandbox may seem the "safest", but we decided to research an interesting and not well-known IPC mechanism. Among the history of iOS vulnerabilities, many were discovered on XPC; we decided to reveal the mach message mechanism Apple still uses, and the poorly designed daemons based on mach message IPC.
With all of this in mind, we started to research all the mach ports accessible from within the sandbox, and it revealed a new world to explore.
In order to have a better understanding of the different mach message handlers, we created several research tools that we are willing to share with the community. Those scripts were the key and the breakthrough in revealing the backend of most of Apple's APIs between the sandbox and the daemons. Nevertheless, we will share several vulnerabilities that were found during the research, mainly focusing on the vulnerability that leads to execution of arbitrary code in most of the daemons outside the sandbox, for example sharingd, coreduetd, SpringBoard, mDNSResponder, aggregated, wifid, Preferences, CommCenter, iaptransportd, findmydeviced, routined, UserEventAgent, carkitd, mediaserverd, bluetoothd and so on.
The vulnerability gives full control of PC and of several registers in the vulnerable daemons, and exists on all of Apple's mobile devices (iOS, watchOS and tvOS).
Moreover, we will cover possible exploitation and reveal the necessary gadgets that may be used for a full chain.