Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote iPhone Exploitation: 3 Part Series

Google Project Zero, posted 6 years ago
  • The Google Project Zero team does amazing stuff! There are three parts to this article: the vulnerability, defeating ASLR, and exploitation.
  • The bug is an issue in the parser for NSKeyedUnarchiver, which allows references to other objects within the same object. This can be abused by creating a circular reference, where one item being referenced is itself referenced from another item while the first item is still in the unarchive process.
  • The first step in bypassing ASLR is a heap spray, used to get a usable pointer at a known location. This is essentially spamming as much data as possible into the heap, so there is a good chance that the pointer (that we guessed) points into the large amount of data we entered. Creating a large heap spray is an interesting aspect of the exploitation in itself.
  • The second part is discovering the address of the code pages, since the heap is not executable. The system libraries are prelinked into one giant blob. This is relevant because the exact location of these libraries is only randomized once per boot (making it not position independent code). Once the base address of this blob is known, it provides an infinite amount of ROP gadgets!
  • The way that ASLR is broken is absolute genius! It uses a quirk of the iMessage interface: the delivery receipt shown for a message. If a crash is triggered, no delivery receipt is sent; otherwise, one is. They call this a crash oracle. The math on this takes a fair amount of time to go into, but it is pretty amazing. By sending a maximum of 20 messages, we can break ASLR without ever leaking anything directly!
  • With how many different pointers a function has in ObjC, achieving RCE can be done with ROP using the NSString path. However, newer iPhones have what is known as PAC (Pointer Authentication Codes), so exploitation is more difficult on these devices.
  • After this, I did not understand what was going on... So, the rest of this will be read by me later when I understand more. Overall, this was an amazing read though!
  • A few things really stick out to me:
    1. A deep understanding of EVERYTHING is needed in order to exploit these types of vulnerabilities.
    2. They break ASLR without ever leaking anything... That is freaking amazing!
    3. They use IDAPython in order to find scripts that can find ROP gadgets. Good thing to know!
    4. Bugs are everywhere... We commonly talk about web security because it is so easily accessible. Getting something working, with a very difficult setup, will usually work out in the long run with lots of vulns! :)