Tielei
14 Dec, 10 tweets, 2 min read
iOS 15.2 fixed many bugs in IOMobileFrameBuffer (IOMBF), one of my favorite attack surfaces, and brought me a lot of good memories regarding IOMBF.
I got to notice IOMBF because of JailbreakMe (Star) by comex et al. It was widely believed that the integer overflow in IOSurface (CVE-2010-2973) was the kernel vulnerability exploited by Star, as described by the advisory. In fact, there was a stack-based OOB write in IOMBF.
An IOSurface’s width/height is used to overwrite the return address to hijack the control flow. It reminded me that IOMBF was not well studied. Soon, I found a new overflow in IOMBF::swap_submit. This was the kernel vulnerability we later exploited in Pangu 9.
There was also a double-release vulnerability in swap_submit. The interesting thing is that the double-release was repeatedly fixed and re-introduced across many iOS versions. Repeatedly!
IOMBF utilized IOCommandGate. A very common race condition in IOMBF happened when a commandSleep was invoked but no extra retains were taken on the objects that may be released by other threads. IOMBF fixed such bugs in its history. This motivated me to check other temporary unlock patterns.
In the past, is_io_connect_method had a logic issue. When ool_input and inband_input were supplied at the same time, the structure input length check was only conducted on ool_input. IOMBF had perfect interfaces for this, leading to many issues such as info leaks.
I also missed many bugs. CVE-2021-30807 is a good example. When checking the function s_displayed_fb_surface, I easily stopped at the entitlement check.
For this year's TianfuCup, the vulnerability we first prepared was the integer overflow issue fixed in iOS 15.0.2 (CVE-2021-30883), a bug collision with an in-the-wild exploit. Luckily, we had alternatives, as demonstrated in the 15.2 update.
IOMBF also had a reference counter problem. The increment and decrement of references of some handler objects are not atomic, leading to a perfect UaF.
These vulnerabilities made me laugh at many IOKit fuzzers, i.e., identifying the struct input length from the IOExternalMethodDispatch structures and randomly generating the malformed data. It doesn’t work.
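As an added illustration of the commandSleep pattern mentioned in the thread (this is not code from the thread or from Apple's IOKit): a small C++ model in which commandSleep runs the other gated thread's work synchronously, standing in for IOCommandGate dropping its lock, and a refcount flag stands in for freeing memory. The types Gate and Handler and the functions sleep_then_use and simulate are invented for the model.

```cpp
#include <functional>

// Model of the IOCommandGate temporary-unlock pattern: commandSleep() drops the gate,
// so other gated work runs before the sleeper resumes. Here that other work is a
// callback executed synchronously, which makes the interleaving deterministic.
struct Gate {
    std::function<void()> work_while_asleep;     // what another gated thread does meanwhile
    void commandSleep() { if (work_while_asleep) work_while_asleep(); }
};

// Stand-in for a refcounted OSObject; "freed" records that the last reference was
// dropped instead of actually freeing memory, so a use-after-free is a checkable flag.
struct Handler {
    int refs = 1;
    bool freed = false;
    void retain() { ++refs; }
    void release() { if (--refs == 0) freed = true; }
};

// Gated routine: look the handler up, sleep on the gate, then use the handler.
// hardened=false is the bug class from the thread: no extra retain across the sleep.
// hardened=true retains before sleeping and re-validates the shared slot after waking.
bool sleep_then_use(bool hardened, Gate& gate, Handler*& slot) {
    Handler* h = slot;                     // looked up while the gate is held
    if (hardened) h->retain();             // our own reference survives the unlock
    gate.commandSleep();                   // gate dropped here; teardown may run
    bool used_after_free = false;
    if (!hardened || slot == h) {          // hardened path skips the work if the slot changed
        used_after_free = h->freed;        // touching a "freed" object is the UAF in this model
    }
    if (hardened) h->release();            // balanced with the retain above
    return used_after_free;
}

// Runs the sleeper against a teardown that happens while it is asleep.
// Returns true if the handler was used after its last reference was dropped.
bool simulate(bool hardened) {
    Handler handler;
    Handler* slot = &handler;
    Gate gate;
    gate.work_while_asleep = [&] {         // another gated thread tears the handler down
        slot = nullptr;
        handler.release();                 // drops the sole reference unless the sleeper retained
    };
    return sleep_then_use(hardened, gate, slot);
}
```

The unhardened run reports a use after the last reference was dropped; the hardened run does not, because the sleeper holds its own reference across the unlock and re-checks the slot before doing any work.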
More from @WangTielei

7 Dec
I have been working on iOS security research since iOS 5. Now iOS 15 has come out. I don't remember how many times, after I completed a jailbreak exploit, I told myself this was the last one. However, when a new version of iOS is released, I can't help myself to start again.
Deep down in my heart, I know I'm afraid that one day I would be unable to create jailbreak exploits anymore. Luckily enough, I'm still keeping the capability now. However, iOS has unknowingly become my comfortable zone.
It is my last day at Team Pangu. I'm grateful to have the opportunity to join Team Pangu at its early stage, proud of the contributions I've made, and feel so lucky to have worked with the great mates.