iOS 15.2 fixed many bugs in IOMobileFrameBuffer (IOMBF), one of my favorite attack surfaces, and brought back a lot of good memories of IOMBF.
I first noticed IOMBF because of JailbreakMe (Star) by comex et al. It was widely believed that the integer overflow in IOSurface (CVE-2010-2973) was the kernel vulnerability exploited by Star, as described by the advisory. In fact, there was a stack-based OOB write in IOMBF.
An IOSurface’s width/height is used to overwrite the return address to hijack the control flow. It reminded me that IOMBF was not well studied. Soon, I found a new overflow in IOMBF::swap_submit. This was the kernel vulnerability we later exploited in Pangu 9.
There was also a double-release vulnerability in swap_submit. The interesting thing is that the double-release was repeatedly fixed and re-introduced across many iOS versions. Repeatedly!
IOMBF utilized IOCommandGate. A very common race condition in IOMBF happened when commandSleep was invoked but no extra retains were taken on objects that could be released by other threads. IOMBF fixed such bugs in its history. This motivated me to check other temporary-unlock patterns.
In the past, is_io_connect_method had a logic issue. When ool_input and inband_input were supplied at the same time, the structure input length check was only conducted on ool_input. IOMBF had perfect interfaces for this, leading to many issues such as info leaks.
I also missed many bugs. CVE-2021-30807 is a good example. When checking the function s_displayed_fb_surface, I simply stopped at the entitlement check.
For this year's TianfuCup, the vulnerability we first prepared was the integer overflow issue fixed in iOS 15.0.2 (CVE-2021-30883), a bug collision with an in-the-wild exploit. Luckily, we had alternatives, as demonstrated in the 15.2 update.
IOMBF also had a reference counter problem. The increment and decrement of references of some handler objects are not atomic, leading to a perfect UaF.
These vulnerabilities made me laugh at many IOKit fuzzers, i.e., those that identify the struct input length from the IOExternalMethodDispatch structures and randomly generate malformed data. It doesn't work.
I have been working on iOS security research since iOS 5. Now iOS 15 has come out. I don't remember how many times, after I completed a jailbreak exploit, I told myself this was the last one. However, when a new version of iOS is released, I can't help but start again.
Deep down in my heart, I know I'm afraid that one day I would be unable to create jailbreak exploits anymore. Luckily, I still have the capability now. However, iOS has unknowingly become my comfort zone.
It is my last day at Team Pangu. I'm grateful to have had the opportunity to join Team Pangu at its early stage, proud of the contributions I've made, and so lucky to have worked with great teammates.