
8/12/2015 iOS Exploits - iOS - EDG Confluence

iOS Exploits
Created by HP (193pt), last modified by Ben M. ATTLER yesterday at 4:10 PM

iOS Exploits Data

| Name | Type | Access Granted | Born Date & iOS Version | Modification Date | Death Date | Found by | Description |
|---|---|---|---|---|---|---|---|
| Archon | technique | Remote Architecture Detection | | | | (came with purchase) | |
| Dyonedo | macho parsing | Codesign Defeat | | | | JDW GCHQ | |
| Earth/Eve | | Remote Exploit | | | | Purchased by NSA; shared with CIA; ported by GCHQ | |
| Elderpiggy | | Sandbox Escape | | | | Peppermint (NSA VR Contract); implemented by GCHQ at JDW | |
| Ironic | | Kernel ASLR Defeat | iOS 8 | | | Public vulnerability; researcher: Stefan Esser (i0n1c) | |
| Nandao | Heap overflow corruption? | Kernel Exploit | | | | GCHQ | |
| Juggernaut | | | | | | Purchase Baitshop | |
| Persistence | Execution via symbolic links | Reboot Persistence | June 2013, JDW XXXX | June 2014, JDW XXXX | | CIA | By selecting specific executables on the system partition that are run with root privileges, a symbolic link can be created (on iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper, giving us initial execution on every boot. |
| Redux | Sandbox misconfiguration | Close Access | June 2012, iOS 6 | 7/15, workaround for missing vpnagent in iOS 8 dev dmgs | 11/17/14, iOS 8.1.1 | GCHQ | Sandbox Profiles. Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later. Impact: A malicious application may be able to launch arbitrary binaries on a trusted device. Description: A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. This was addressed by changes to debugserver's sandbox. Publicly discovered by the Chinese jailbreak team, Pangu. CVE-2014-4457 |
| Rhino | API misuse | Kernel ASLR Defeat | April 2013, iOS 7 | June 2014, iOS 8 Beta 1 | | GCHQ | Reads KEXT info that reveals the KASLR values by calling the OSKextCopyLoadedKextInfo function. |
| Sal | Abnormal code path in the kernel | Codesign Defeat | DATE???, iOS 7 | 2/15, bugfix | | FBI, ROU | Copies non-page-sized chunks so that the vm_map_copy_overwrite_unaligned() path is taken in the kernel. This abnormal code path results in pages of memory not being paged in, so the cs_tainted flag is never set on the pages in memory, causing no signature checks. |
| Saline | Buffer overflow caused by deserialization parsing error in Foundation library | ROP execution | DATE???, iOS 8 | 2/15, productized at TRICLOPS workshop | | Purchase Baitshop | Sending a crafted NSArchiver object to any process that calls the NSArchiver unarchive method will result in a buffer overflow, allowing for ROP. |
| Wintersky | Size mismatch between user and kernel structures | Kernel ASLR Defeat | DATE???, iOS 8 | | | NOCTURNAL FEARS | WinterSky leaks the kernel address of the ipc_port struct of a user-provided mach port. |
| Xiphos | Validation issue | Kernel Exploit | March 2014, iOS 7 | | 11/14, iOS 8.1.1 | CIA | Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later. Impact: A malicious application may be able to execute arbitrary code with system privileges. Description: A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. Publicly discovered by the Chinese jailbreak team, Pangu. |
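The Persistence row describes two ways a root-privileged executable on the system partition is hijacked: replaced by a symbolic link (iOS 7.x) or overwritten in place (iOS 8.x). The Python below is an added example, not code from this page or its authors, of the check a forensic examiner would run over an offline copy of the root filesystem to find either pattern: every root-run executable in a known-good manifest is compared with its expected hash, and an entry that has become a symbolic link is flagged before any content check, since a link to a valid target would otherwise only show up as a content mismatch. The paths, manifest and file contents are constructed for the demo; a real manifest would be generated from the root filesystem of the matching IPSW.

```python
"""Audit root-run executables on an (offline, read-only) iOS system partition
for the two persistence patterns the table describes: an executable replaced
by a symbolic link (iOS 7.x) or overwritten in place (iOS 8.x).

Added example, not code from the page. Paths and file contents below are
constructed stand-ins; a real manifest would be generated from a known-good
copy of the same iOS build (e.g. the decrypted root filesystem of the IPSW).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical manifest entries: launchd-started, root-privileged binaries on
# the system (root) partition, relative to its mount point. The leading four
# bytes are the 64-bit Mach-O magic so the samples look like real binaries.
MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"
PRISTINE = {
    "usr/libexec/lockdownd": MACHO_MAGIC_64 + b"lockdownd-pristine",
    "usr/libexec/configd": MACHO_MAGIC_64 + b"configd-pristine",
    "usr/sbin/BTServer": MACHO_MAGIC_64 + b"btserver-pristine",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_root_executables(mount: Path, manifest: dict) -> list:
    """Compare every manifest entry under `mount` with its known-good hash.

    Returns (relative_path, finding, detail) tuples, where finding is
      "symlink"  - entry is now a symbolic link (iOS 7.x pattern); detail = link target
      "modified" - regular file whose contents differ (iOS 8.x pattern); detail = actual hash
      "missing"  - entry absent
    """
    findings = []
    for rel, expected in sorted(manifest.items()):
        p = mount / rel
        # Check for a link first: Path.exists()/is_file() follow symlinks, so a
        # link whose target is absent would otherwise be reported as "missing"
        # and a link to a valid target merely as "modified".
        if p.is_symlink():
            findings.append((rel, "symlink", os.readlink(p)))
        elif not p.is_file():
            findings.append((rel, "missing", None))
        else:
            actual = sha256_file(p)
            if actual != expected:
                findings.append((rel, "modified", actual))
    return findings


def build_demo_tree():
    """Create a throwaway directory standing in for a mounted system partition:
    pristine copies of every manifest entry, then apply both persistence patterns."""
    root = Path(tempfile.mkdtemp(prefix="ios-root-"))
    manifest = {}
    for rel, data in PRISTINE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    # iOS 7.x pattern: the root-run executable becomes a symlink to a
    # bootstrapper on the writable data partition (target path is hypothetical).
    victim = root / "usr/sbin/BTServer"
    victim.unlink()
    victim.symlink_to("/private/var/mobile/bootstrapper")
    # iOS 8.x pattern: the executable is overwritten in place.
    (root / "usr/libexec/configd").write_bytes(MACHO_MAGIC_64 + b"bootstrapper-stub")
    return root, manifest


if __name__ == "__main__":
    mount, manifest = build_demo_tree()
    for rel, finding, detail in audit_root_executables(mount, manifest):
        print(f"{finding:9s} {rel} -> {detail}")
```

Run it against a read-only mount or extracted image of the root filesystem, never the live device, and build the manifest from the exact build under examination, since hashes differ between builds. The check only covers entries listed in the manifest: it catches a replaced or overwritten known executable, not a new launchd job added on the data partition.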

https://confluence.devlan.net/display/NS/iOS+Exploits

Exploits

| iOS release | Release date(s) | Remote/Local | Access | Kernel Info Leak | Kernel Exploit | Sandbox Escape (browser) | CodeSign Defeat | Persistence (reboot) | Persistence (update) |
|---|---|---|---|---|---|---|---|---|---|
| iOS 4 (4.0-4.3.3) | 6/21/2010 - 3/11/2011 | Remote | Saffron Skies | <NR> | <NR> | ?? | Early Katana | overrides.plist | No (OTA <NR>) |
| | | Local | SLIDE | <NR> | | | | | |
| iOS 5 (5.0-5.1.1) | 10/12/2011 - 5/7/2012 | Remote | Sunset Skies | <NR> | Corona (5.0.1) | ?? | Early Katana | overrides.plist | Yes (sys not touched) |
| | | Local | SLIDE | <NR> | | <NR> | | | |
| iOS 6 (6.x-6.1.2) | 9/19/2012 - 2/16/2013 | Remote | Wby | Rhino | Cutlass | SandShrew | Katana (libamfi) | overrides.plist / launchd.conf | block |
| | | Local | Redux | | | <NR> | | | |
| iOS 6 (6.1.3-6.1.4) | 3/19/2013 - 5/2/2013 | Remote | Wby | Rhino | Scimitar | SandShrew | Dyonedo | dirhelper | block |
| | | Local | Redux | | | <NR> | | | |
| iOS 7 (7.0-7.1.2) | 9/18/2013 - 6/20/2014 | Remote | Eve | <NR> | Xiphos | Piggy | Dyonedo | dirhelper | block |
| | | Local | Redux | | | <NR> | | | |
| iOS 8 (8.0 & 8.0.2) | 9/17/2014 - 9/25/2014 | Remote | Earth | Ironic | Nandao | <NR> | Dyonedo | dirhelper | block |
| | | Local | Saline | | | | | | |
| iOS 8 (8.1-8.1.2) | 10/10/2014 - 12/19/2014 | Remote | Earth | Ironic | Nandao | <NR> | Dyonedo | dirhelper | block |
| | | Local | Saline | | | | | | |
| iOS 8 (8.1.3-8.2) | 1/27/2015 - 3/9/2015 | Remote | Earth | WinterSky | Nandao | <NR> | Dyonedo | mountNFS | block |
| | | Local | Saline | | | | | | |
| iOS 8.3 | 4/8/2015 | Remote | Earth | WinterSky | Nandao | <NR> | Juggernaut | mountNFS | block |
| | | Local | Saline | | | | | | |
| iOS 8.4 | 6/30/2015 | Remote | Earth | WinterSky | Nandao | <NR> | Juggernaut | mountNFS | block |
| | | Local | Saline | | | | | | |

Key (cell colours in the original table)

New Exploit
Major Update
Minor Update
Minimal Changes

<NR> Not Required
?? Unknown

Old Tables (To be removed)

| iOS release | Remote/Local | Kernel Info Leak | Sandbox Escape (browser) | Kernel Exploit | CodeSign Defeat | Access | Persistence (reboot) | Persistence (update) |
|---|---|---|---|---|---|---|---|---|
| iOS 4 (4.0-4.3.3) | Remote | <NR> | ?? | <NR> | EARLY KATANA | SAFFRON SKIES (4.3 only?) | overrides.plist | NO (OTA <NR>) |
| | Local | <NR> | <NR> | <NR> | EARLY KATANA | SLIDE | overrides.plist | NO (OTA <NR>) |
| iOS 5 (5.0-5.1.1) | Remote | <NR> | ?? | <NR>, CORONA (5.0.1) | EARLY KATANA | SUNSET SKIES | overrides.plist | YES (sys not touched) |
| | Local | <NR> | <NR> | <NR> | EARLY KATANA | SLIDE | overrides.plist | YES (sys not touched) |
| iOS 6 (6.x-6.1.2) | Remote | rhino | sandshrew | cutlass | katana (libamfi) | wby | overrides.plist / launchd.conf | block |
| | Local | rhino | <NR> | cutlass | katana (libamfi) | redux | overrides.plist / launchd.conf | block |
| iOS 6.1.3-6.1.4 | Remote | rhino | sandshrew | scimitar | dyonedo | wby | dirhelper | block |
| | Local | rhino | <NR> | scimitar | dyonedo | redux | dirhelper | block |
| iOS 7 | Remote | <NR> | piggy | xiphos | dyonedo | eve | dirhelper | block |
| | Local | <NR> | <NR> | xiphos | dyonedo | redux | dirhelper | block |

| iOS release | Release date(s) | Remote/Local | Kernel Info Leak | Sandbox Escape (browser) | Kernel Exploit | CodeSign Defeat | Access | Persistence (reboot) | Persistence (update) |
|---|---|---|---|---|---|---|---|---|---|
| iOS 8 (8.0 & 8.0.2) | 9/17/2014 - 9/25/2014 | Remote | Ironic | <NR> | Nandao | dyonedo | Earth | dirhelper | block |
| | | Local | Ironic | <NR> | Nandao | dyonedo | Saline | dirhelper | block |
| iOS 8.1-8.1.2 | 10/10/2014 - 12/19/2014 | Remote | Ironic | <NR> | Nandao | dyonedo | Earth | dirhelper | block |
| | | Local | Ironic | <NR> | Nandao | dyonedo | Saline | dirhelper | block |
| iOS 8.1.3-8.2 | 1/27/2015 - 3/9/2015 | Remote | WinterSky | <NR> | Nandao | dyonedo | Earth | dirhelper | block |
| | | Local | WinterSky | <NR> | Nandao | dyonedo | Saline | dirhelper | block |
| iOS 8.3 | 4/8/2015 | Remote | WinterSky | <NR> | Nandao | Juggernaut | Earth | Mount NFS | block |
| | | Local | WinterSky | <NR> | Nandao | Juggernaut | Saline | Mount NFS | block |
| iOS 8.4 | 6/30/2015 | Remote | WinterSky | <NR> | Nandao | Juggernaut | Earth | Mount NFS | block |
| | | Local | WinterSky | <NR> | Nandao | Juggernaut | Saline | Mount NFS | block |

XX = required, but not available.
<NR> = not required
?? = Unknown / someone else fill this in
