Attacking iPhone XS Max Tielei Wang and Hao Xu About us • Tielei Wang and Hao Xu (@windknown) • Co-founders of Team Pangu • Known for releasing jailbreak tools for iOS 7-9 • Organizers of MOSEC (Mobile Security Conference) at Shanghai Outline • UNIX Socket Bind Race Vulnerability in XNU • PAC Implementation and Effectiveness • Exploit the Bug on iPhone XS Max • Conclusion Unix Domain Socket • A UNIX socket is an inter-process communication mechanism that allows bidirectional data exchange between processes running on the same machine. int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to write. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Bind socket to the path. */ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); /* Connect the socket to the path. */ connect(sock, (struct sockaddr *)&name, SUN_LEN(&name)); /* Read from the socket. */ read(sock, buf, 1024); /* Write to the socket. */ write(sock, buf, 1024); close(sock); close(sock); A simple server A simple client int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Bind socket to the path. */ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); /* Read from the socket. */ read(sock, buf, 1024); close(sock); A simple server From the kernel point of view please refer to xnu source code for more details int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. 
*/ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Bind socket to the path. */ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); socket socket_common socreate_internal soalloc unp_attach /* Read from the socket. */ read(sock, buf, 1024); close(sock); A simple server From the kernel point of view proc_t struct filedesc p_fd int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Bind socket to the path. */ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); fd_ofiles struct fileproc * … struct fileproc * 0 1 struct fileproc * 2 … … struct fileproc * struct fileglob struct fileproc … … fg_data f_fglob … … struct socket struct unpcb … so_proto unp_socket so_pcb unp_vnode … so_usecount /* Read from the socket. */ read(sock, buf, 1024); close(sock); struct protosw … pr_lock pr_unlock a number of function pointers … A simple server From the kernel point of view int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); struct socket struct unpcb … so_proto unp_socket so_pcb unp_vnode … so_usecount /* Bind socket to the path. */ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); /* Read from the socket. */ read(sock, buf, 1024); close(sock); A simple server From the kernel point of view int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len = strlen(name.sun_path); /* Bind socket to the path. 
*/ bind(sock, (struct sockaddr *)&name, SUN_LEN(&name)); /* Read from the socket. */ read(sock, buf, 1024); bind sobindlock socket_lock unp_bind socket_unlock close(sock); A simple server From the kernel point of view Note that the call to unp_bind is bracketed by socket_lock and socket_unlock, i.e. it runs with the per-socket lock held. int sock; struct sockaddr_un name; char buf[1024]; /* Create socket from which to read. */ sock = socket(AF_UNIX, SOCK_DGRAM, 0); /* Create name. */ name.sun_family = AF_UNIX; strcpy(name.sun_path, "1.txt"); name.sun_len
盘古 Attacking iPhone XS Max 北京网络安全大会2019