Hackers of India

Putting it all together: building an iOS jailbreak from scratch

By Umang Raghuvanshi on 06 Mar 2020 @ Nullcon


Presentation Material

Abstract

iOS jailbreaks have always been shrouded in mystery, with their inner workings known only to a select few. In this talk, I embark upon a journey with the audience to lift the curtain and put together a semi-untethered iOS jailbreak from the ground up. Starting from a memory corruption vulnerability, this talk covers defeating Kernel Address Space Layout Randomisation, escaping the iOS sandbox, remounting the root filesystem and defeating code signing and library validation to inject code into other processes. Also, for the first time ever, this talk details how all of this can be done on the latest Apple devices without having to bypass ARMv8.3’s Pointer Authentication.

AI Generated Summary (may contain errors)

The text discusses research on jailbreaking iOS and bypassing its sandbox restrictions. The author explains that the Mandatory Access Control Framework (MACF) is the foundation of the OS's sandboxing mechanism, controlling what applications can do within their containers.

To defeat this, the author suggests two approaches:

  1. Changing the credential's label (cr_label) to a null pointer to bypass some MAC checks.
  2. Using a Mach port to change the label and gain elevated permissions.

However, these methods have limitations and may cause panics or crashes when attempting to perform unauthorized actions.

The text also delves into the implementation of sandbox policies in the kernel binary, specifically in the sb_evaluate function, which evaluates the sandbox policies. The author notes that while this mechanism is a great idea, its implementation has flaws that allow for potential exploitation.

Furthermore, the text explores ways to remount the root filesystem and write files outside of the container sandbox. This can be achieved by patching the perlu_check function that verifies mount operations. However, this approach is complicated by memory management unit restrictions, which prevent writes to non-writable kernel memory regions.

Overall, the text presents a detailed analysis of the OS’s security mechanisms and potential vulnerabilities, as well as creative approaches to bypassing these restrictions.