Last December, in a talk at the 36th Chaos Communication Congress, Samuel Groß presented a technical report about the infamous iOS vulnerability that allowed remote code execution on all iDevices up to iOS 12.4, within a couple of minutes and without user interaction.



The talk will dive into the internals of the iMessage exploit that achieves unsandboxed remote code execution: all that is necessary for a successful attack in a default configuration is knowledge of the target’s phone number or an email address:



Recently, Samuel also published a series of three articles on Google's Project Zero blog, essentially a more detailed version of the CCC talk.

In the first post [2], Groß provides an in-depth discussion of the vulnerability, together with a useful overview of the iMessage architecture.

Incoming iMessages pass through multiple services and frameworks before a notification is finally displayed to the user and the message is written to the messages database. The main services handling iMessages on iOS 12.4 without requiring user interaction are depicted below. A red border indicates the existence of a sandbox for the process.

The second part [3] presents the technique used to remotely break address space layout randomization (ASLR), in order to obtain the knowledge of the target's address space layout required to exploit the vulnerability.

The initial primitive gained from the vulnerability is an absolute address dereference in which the read value is afterwards used as an ObjC object. As such, some knowledge of the target address space is required in order to exploit this vulnerability for remote code execution.
This blog post describes a way to defeat ASLR remotely without any additional information disclosure vulnerabilities. First off, the effectiveness of an old technique, heap spraying, is evaluated. Afterwards, a technique is described through which it is possible to infer the base address of the dyld shared cache region given only a memory corruption bug.
The released code implements the presented attack and can infer the shared cache base address remotely on vulnerable devices within a couple of minutes.

Finally, the third article [4] explains how to turn the memory corruption into remote code execution and how to chain the attack with a kernel exploit.

At this point, ASLR has been broken as the shared cache’s base address is known and controlled data can be placed at a known address with the heap spray.
What remains is to exploit the vulnerability one more time to gain code execution.
After a short introduction to some relevant ObjC internals, an exploit for devices without pointer authentication (PAC) will be outlined. It involves creating code pointers, so it no longer works with pointer authentication enabled. Afterwards, a different exploit that works against PAC and non-PAC devices will be presented. Finally, a technique to chain the presented attack with a kernel exploit, which involves implementing the kernel exploit in JavaScript, will be shown.


So sit back, relax, and enjoy the reading!


References

  1. media.ccc.de - Messenger Hacking: Remotely Compromising an iPhone through iMessage
  2. Google Project Zero - Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
  3. Google Project Zero - Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
  4. Google Project Zero - Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution