bazad.github.io

bazad.github.io Brandon Azad's security blog https://bazad.github.io/ Wed, 05 Aug 2020 21:08:54 +0000 Wed, 05 Aug 2020 21:08:54 +0000 An introduction to exploiting userspace race conditions on iOS XPC service vulnerabilities are a convenient way to elevate privileges and/or evade the sandbox. This post will look at a race condition in GSSCred on macOS and iOS. Fri, 09 Nov 2018 04:45:00 +0000 https://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/ https://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/ iOS macOS Bypassing platform binary restrictions with task_threads() Apple introduced a mitigation against the use of task ports in exploits. In this post we examine the mitigation, find a loophole, and develop a new code injection library. Wed, 24 Oct 2018 04:05:00 +0000 https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/ https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/ iOS iOS privilege escalation via crashing Blanket is an exploit for CVE-2018-4280, a Mach port replacement vulnerability in launchd, that can be used to take control of every process on an iOS device. iOS versions up to and including 11.4 are vulnerable, but the exploit is specific to iOS 11.2.6. Tue, 25 Sep 2018 00:00:00 +0000 https://bazad.github.io/2018/09/ios-privilege-escalation-via-crashing/ https://bazad.github.io/2018/09/ios-privilege-escalation-via-crashing/ iOS Reading process memory using XPC strings The discovery and analysis of CVE-2018-4248, a vulnerability in Apple's libxpc library that could be used to read out-of-bounds heap data from certain XPC services, including diagnosticd. Mon, 09 Jul 2018 21:32:00 +0000 https://bazad.github.io/2018/07/xpc-string-leak/ https://bazad.github.io/2018/07/xpc-string-leak/ iOS macOS Analyzing the iOS 12 kernelcache's tagged pointers Apple introduced a new kernelcache format for iOS 12 that includes what appear to be tagged kernel pointers. In this post I examine changes in the kernelcache layout and show what those tags represent to lay the groundwork for future iOS 12 kernelcache analysis. Wed, 20 Jun 2018 15:35:00 +0000 https://bazad.github.io/2018/06/ios-12-kernelcache-tagged-pointers/ https://bazad.github.io/2018/06/ios-12-kernelcache-tagged-pointers/ iOS How to build an iOS command line tool with Xcode 9.3 When developing exploits or working on jailbroken devices, it's often useful to build command-line tools for iOS. While the Xcode UI does not support this, I'll document a workaround that can be used to build standalone Mach-O binaries for iOS with Xcode. Mon, 23 Apr 2018 22:40:00 +0000 https://bazad.github.io/2018/04/xcode-command-line-targets-ios/ https://bazad.github.io/2018/04/xcode-command-line-targets-ios/ Xcode iOS Designing an advanced kernel function call primitive on iOS An explanation of the design process of the jump-oriented programs used by libmemctl to call kernel functions on iOS 11.1.2. Sat, 07 Apr 2018 22:45:00 +0000 https://bazad.github.io/2018/04/ios-advanced-kernel-call-jop/ https://bazad.github.io/2018/04/ios-advanced-kernel-call-jop/ iOS memctl Who put that kernel pointer in my crash log? In February 2018 I noticed that kernel pointers were showing up in register x18 of iOS crash logs. Figuring out why took me all the way back to the Meltdown vulnerability and the buggy fix that made it trivial to bypass Apple's kernel ASLR defense. Fri, 06 Apr 2018 17:15:00 +0000 https://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/ https://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/ iOS Reconstructing C++ classes in the iOS kernelcache using IDA Pro The ida_kernelcache IDA Pro toolkit now supports autogenerating class structs based on memory access patterns. Tue, 06 Mar 2018 23:00:00 +0000 https://bazad.github.io/2018/03/ida-kernelcache-class-reconstruction/ https://bazad.github.io/2018/03/ida-kernelcache-class-reconstruction/ iOS CVE-2017-13868: A fun XNU infoleak The discovery and exploitation of CVE-2017-13868, a race condition in XNU leading to the disclosure of uninitialized kernel heap data. Sat, 03 Mar 2018 02:00:00 +0000 https://bazad.github.io/2018/03/a-fun-xnu-infoleak/ https://bazad.github.io/2018/03/a-fun-xnu-infoleak/ iOS macOS Live kernel introspection on iOS A live kernel memory inspection tool to aid in analyzing vulnerabilities and modifying the kernel. Fri, 15 Sep 2017 23:00:00 +0000 https://bazad.github.io/2017/09/live-kernel-introspection-ios/ https://bazad.github.io/2017/09/live-kernel-introspection-ios/ memctl iOS macOS physmem: Accessing Physical Memory from User Space on OS X Exploiting a logic bug in IOKit to directly access physical memory from user space. Mon, 16 Jan 2017 18:08:00 +0000 https://bazad.github.io/2017/01/physmem-accessing-physical-memory-os-x/ https://bazad.github.io/2017/01/physmem-accessing-physical-memory-os-x/ CVE-2016-1825 CVE-2016-7617 macOS Mac OS X Privilege Escalation via Use-After-Free: CVE-2016-1828 Exploiting a use-after-free vulnerability in the OS X kernel to elevate privileges on Yosemite. Tue, 17 May 2016 22:00:00 +0000 https://bazad.github.io/2016/05/mac-os-x-use-after-free/ https://bazad.github.io/2016/05/mac-os-x-use-after-free/