
The iOS kernel thought it was safe to free() this object...

Description

Are you a security researcher or reverse engineer?

For 50% off IDA Products use promo code BILLY50, https://hex-rays.com/pricing *
For 30% off IDA Training use promo code BILLY30, https://hex-rays.com/training **

*License discounts are only valid for individuals, not corporations. Cannot be combined with any other promo code or discount.
** Cannot be combined with any other promo code or discount.

/////////////////////////////////////

Hey guys,
In today's video we're rewinding the clock and diving into CVE-2017-13861, an iOS kernel bug from 2017 that was found to be exploited in the wild on iOS 11 devices.

The root cause of this kernel vulnerability is incorrect handling of reference counting semantics on an ipc_port structure (the structure that represents a mach port).
Mach ports in the kernel use reference counters to keep track of their lifecycle. When a port's reference count drops to 0, the kernel will free() that ipc_port structure back to the allocator.
In this video we explore how CVE-2017-13861 is used to drop one-too-many references on a mach port to achieve a use-after-free condition.
We also look at how this bug can be exploited to build kernel exploitation primitives and gain code execution.
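To make the reference-counting point concrete, here is an added teaching model that is not part of the video or of XNU: a tiny reference-counted object living in a two-slot "zone", with an unchecked release (the count hits zero, the slot is freed, and the next allocation reuses it under a holder that still has a pointer) next to an underflow-checked release that reports a release against an already-zero count instead of wrapping. All names (`refobj_t`, `refobj_release_checked`, the scenario functions) are hypothetical and chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical teaching types; this is not XNU's ipc_port or its zone allocator. */
#define SLOT_COUNT 2   /* tiny fixed "zone" so a freed slot is visibly reused */

typedef struct {
    uint32_t refcount;   /* live references; 0 means the object has been freed */
    uint32_t id;         /* identity of the object currently occupying this slot */
    int      in_use;     /* is the slot allocated right now? */
} refobj_t;

static refobj_t zone[SLOT_COUNT];
static uint32_t next_id = 1;
static int underflows_trapped = 0;

/* Allocate from the zone: reuse the lowest free slot, the way a freelist would. */
static refobj_t *refobj_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!zone[i].in_use) {
            zone[i].in_use = 1;
            zone[i].refcount = 1;      /* the caller holds the first reference */
            zone[i].id = next_id++;
            return &zone[i];
        }
    }
    return NULL;
}

static void refobj_retain(refobj_t *o) { o->refcount++; }

/* Unchecked release: at zero the slot goes back to the zone. A caller that
 * releases a reference it never took drives the count to zero while another
 * holder still uses the object, leaving that holder with a dangling pointer. */
static void refobj_release(refobj_t *o) {
    if (--o->refcount == 0) o->in_use = 0;
}

/* Checked release: a release against a count that is already zero is reported
 * (a kernel would panic here) rather than silently decrementing past zero. */
static int refobj_release_checked(refobj_t *o) {
    if (o->refcount == 0) {          /* object already freed: over-release */
        underflows_trapped++;
        return -1;
    }
    if (--o->refcount == 0) o->in_use = 0;
    return 0;
}

/* Holder A owns the object; a buggy path drops one reference too many.
 * Returns 1 when A's pointer now refers to a different object (slot reused),
 * i.e. the use-after-free condition is observable. */
int scenario_over_release(void) {
    memset(zone, 0, sizeof zone);
    next_id = 1;
    refobj_t *a = refobj_alloc();          /* A's reference, count = 1 */
    uint32_t a_id = a->id;
    refobj_retain(a);                      /* buggy path takes a reference, count = 2 */
    refobj_release(a);                     /* buggy path releases it, count = 1 */
    refobj_release(a);                     /* buggy path releases again: count = 0, freed */
    refobj_t *b = refobj_alloc();          /* next allocation reuses A's slot */
    return (b == a && a->id != a_id) ? 1 : 0;
}

/* Same over-release with the checked variant. The extra release still frees the
 * object (the count really is zero), but when A later drops its own reference
 * the underflow is trapped instead of freeing the slot a second time.
 * Returns the number of trapped underflows (expected 1). */
int scenario_checked_release(void) {
    memset(zone, 0, sizeof zone);
    next_id = 1;
    underflows_trapped = 0;
    refobj_t *a = refobj_alloc();          /* count = 1 */
    refobj_retain(a);                      /* count = 2 */
    refobj_release_checked(a);             /* count = 1 */
    refobj_release_checked(a);             /* extra release: count = 0, freed */
    refobj_release_checked(a);             /* A's legitimate release: trapped */
    return underflows_trapped;
}

int main(void) {
    printf("unchecked: stale holder sees reused slot = %d\n", scenario_over_release());
    printf("checked:   underflows trapped = %d\n", scenario_checked_release());
    return 0;
}
```

The second scenario only traps because A releases before the slot is reallocated; if a fresh object had already landed in the slot, A's release would look like a perfectly valid decrement of the new object's count. That is why an underflow check is a detection aid that turns some double frees into a clean fault, not a fix for the underlying mismatch between takes and drops, which has to be corrected at the site that drops the reference it never owned.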

Thanks for watching,
~ Billy

References:
https://projectzero.google/2019/08/in-wild-ios-exploit-chain-2.html
https://sparkes.zone/blog/ios/2019/04/30/machswap-ios-12-kernel-exploit.html
https://blog.siguza.net/v0rtex/
https://newosxbook.com/QiLin/qilin.pdf
https://github.com/blacktop/async_wake