Professional Documents
Culture Documents
2015.eu 15 Todesco Attacking The XNU Kernel in El Capitain
2015.eu 15 Todesco Attacking The XNU Kernel in El Capitain
<me@qwertyoruiop.com>
BlackHat EU 2015
About Me
• Controlled size!
• But
..
(service, owningTask, connect_type, ndr, properties, propertiesCnt, *result, *connection)
Io_service_open_extended()
<IOKit/iokitmig.h>
User mode
Kernel Mode
..
(service, owningTask, connect_type, ndr, properties, propertiesCnt, *result, *connection)
Io_service_open_extended()
<IOKit/iokitmig.h>
User mode
Kernel Mode
Io_service_open_extended()
Iokit/Kernel/IOUserClient.cpp
...
tpwn: a 10.10 kernel exploit
..
(service, owningTask, connect_type, ndr, properties, propertiesCnt, *result, *connection)
Io_service_open_extended()
<IOKit/iokitmig.h>
User mode
Kernel Mode
Io_service_open_extended()
Iokit/Kernel/IOUserClient.cpp
..
(service, owningTask, connect_type, ndr, properties, propertiesCnt, *result, *connection)
Io_service_open_extended()
<IOKit/iokitmig.h>
User mode
Kernel Mode
IOHDIXControllerUserClient::initWithTask()
tpwn: a 10.10 kernel exploit
..
(service, owningTask, connect_type, ndr, properties, propertiesCnt, *result, *connection)
Io_service_open_extended()
<IOKit/iokitmig.h>
User mode
Kernel Mode
Io_service_open_extended() IOHDIX’s
.. And passes
user client
to bsd_set_dependency_capable...
initializer blindly trusts task argument
Iokit/Kernel/IOUserClient.cpp
bsd/kern/kern_proc.c
IOHDIXControllerUserClient::initWithTask()
tpwn: a 10.10 kernel exploit
1 KALLOC.1024
1 KALLOC.1024
3 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
1 KALLOC.1024
3 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
1 KALLOC.1024
3 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
5 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
1 KALLOC.1024
3 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
5 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
1 KALLOC.1024
3 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
5 NOT ADJACENT.
FREE, ALLOCATE PLACEHOLDER
ADJACENT.
7 FREE FIRST OBJECT,
ALLOCATE VM_MAP_COPY
IOAudioEngineUserClient
vm_map_copy
vtable pointer
0x3A8 (size)
0 (offset)
3 (type)
HEAP LAYOUT
IOAudioEngineUserClient
vm_map_copy
vtable pointer
0x3B8 (size)
0 (offset)
3 (type)
leaked first
OR 0x10 0x10 bytes
HEAP LAYOUT
• Result:
https://github.com/kpwn/tpwn
(fairly straightforward code)
vm_map_copy corruption
10.11 Info Leaking Strategies
The XNU Heap: vm_map_copy in 10.11
• Allocate OSData
Leaking arbitrary memory in 10.11
+0x0 3 (type)
0 (offset)
104 (size)
vm_map_copy
+0x80
3 (type)
0 (offset)
104 (size)
vm_map_copy
Heap corruption
+0x0 3 (type)
0 (offset)
232 (size)
vm_map_copy
+0x80
3 (type)
0 (offset)
104 (size)
vm_map_copy
+0x0
free chunk in kalloc.256
Read out
vm_map_copy
(freeing into the
wrong zone)
+0x80
0 (type)
0 (offset)
0 (size)
vm_map_copy
232 (size)
vm_map_copy
+0x80
3 (type)
sizeof(OSData) - sizeof(vm_map_copy)
0 (offset)
24 (size)
Attacker
controlled values vm_map_copy
+0x0 3 (type)
0 (offset)
232 (size)
vm_map_copy
+0x80
free chunk in kalloc.48
Read out
vm_map_copy
(freeing into the
wrong zone)
+0x0 3 (type)
0 (offset)
232 (size)
R/W Access
vtable pointer Allocate OSData
vm_map_copy
refcount
+0x80
data pointer OSData object
length
(etc..)
time of execution of a
mach_msg call with OOL
data
vm_map_copyin
(newly mapped page)
zalloc() Timing Attack
Free
controlled register
Use
return value passed to userland
Both of these functions are IOExternalMethods
CVE-2015-6974: OS”notso”SafeRelease
By controlling the vtable pointer you can get code exec easily with these
constraints:
• on non-SMEP OS X you can point the vtable in userland and jump to user
memory
• on non-SMAP OS X you can point the vtable in userland and ROP with a
kASLR info leak
• on iOS and SMAP OS X you need to use an heap info leak as well as a
kASLR info leak
CVE-2015-6974
An alternate avenue for exploitation for SMAP / iOS requires a tightly controlled heap layout.
The vtable index for the vcall is 0x948 and the object lives in kalloc.256.
POKE HOLE
POKE HOLE
POKE HOLE
REALLOCATE AT +0x900
+0x0
+0x100
+0x200
+0x300
+0x400
+0x500
+0x600
+0x700
+0x800
+0x900
REF COUNT
+0x100
+0x200
+0x300
+0x400
+0x500
+0x600
+0x700
+0x800
+0x900
UAF OBJECT
CVE-2015-6974
An alternate avenue for exploitation requires a tightly controlled heap layout.
The vtable index for the vcall is 0x948 and the object lives in kalloc.256.
REF COUNT
KERNEL DATA
+0x100
+0x200
+0x300
+0x400
+0x500
+0x600
+0x700
+0x800
+0x900
UAF OBJECT
CVE-2015-6974
An alternate avenue for exploitation requires a tightly controlled heap layout.
The vtable index for the vcall is 0x948 and the object lives in kalloc.256.
REF COUNT
+0x100
+0x200
+0x300
+0x400
+0x500
+0x600
+0x700
+0x800
+0x900
UAF OBJECT
CVE-2015-6974
An alternate avenue for exploitation requires a tightly controlled heap layout.
The vtable index for the vcall is 0x948 and the object lives in kalloc.256.
REF COUNT
*(vtable+0x948)
ADJACENT KALLOC.256 ALLOCS
Heap Layout
+0x0
+0x100
+0x200
+0x300
+0x400
+0x500
+0x600
+0x700
+0x800
+0x900
UAF OBJECT
CVE-2015-6974
• Apple has been trying to harden the kernel heap for years
now but it’s still fairly easy to carry out attacks.
Twitter: @qwertyoruiop
Mail: me at qwertyoruiop dot com
Thanks to:
• Jonathan Levin
• windknown (@windknown) &
(@Technologeeks / http://
Pangu Team (@PanguTeam) newosxbook.com/)
• Pangu9 was amazing stuff! • Stefan Esser (@i0n1c)