Archive for January 10, 2020

Friday, January 10, 2020

Project Zero Remote iPhone Exploitation

Samuel Groß (Hacker News):

This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019).

[…]

This research was mainly motivated by the following question: given only a remote memory corruption vulnerability, is it possible to achieve remote code execution on an iPhone without further vulnerabilities and without any form of user interaction? This blog post series shows that this is in fact possible.

[…]

For the purpose of this blog post series, it is important to realize that a vulnerability in the NSKeyedUnarchiver API can generally be triggered in two different contexts: in the sandboxed imagent and in the unsandboxed SpringBoard process (which manages the main iOS UI, including the homescreen).

Samuel Groß (Hacker News):

The initial primitive gained from the vulnerability is an absolute address dereference in which the read value is afterwards used as an ObjC object. As such, some knowledge of the target address space is required in order to exploit this vulnerability for remote code execution. This blog post describes a way to defeat ASLR remotely without any additional information disclosure vulnerabilities.

First off, the effectiveness of an old technique, heap spraying, is evaluated. Afterwards, a technique is described through which it is possible to infer the base address of the dyld shared cache region given only a memory corruption bug. The released code implements the presented attack and can infer the shared cache base address remotely on vulnerable devices within a couple of minutes.

Samuel Groß (Hacker News):

At this point, ASLR has been broken as the shared cache’s base address is known and controlled data can be placed at a known address with the heap spray. What remains is to exploit the vulnerability one more time to gain code execution.

After a short introduction to some relevant ObjC internals, an exploit for devices without pointer authentication (PAC) will be outlined. It involves creating code pointers, so it no longer works with pointer authentication enabled. Afterwards, a different exploit that works against PAC and non-PAC devices will be presented. Finally, a technique to chain the presented attack with a kernel exploit, which involves implementing the kernel exploit in JavaScript, will be shown.

Previously:

Observing Appearance Changes

Jesse Squires:

I needed to get notified when the system appearance changed. On iOS, this is very straightforward and a first-class API. On iOS 13, the interface style is part of UITraitCollection.

[…]

[On macOS,] you can KVO on NSApp.effectiveAppearance. […] Using KVO still does not feel great, but this is the best solution I could find without having an explicit API like iOS.
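The two approaches above, side by side, as an added example (my code, not Jesse’s): on iOS 13 the view controller gets a trait callback and filters it down to light/dark changes; on macOS the application’s effectiveAppearance is observed with closure-based KVO, whose observation token invalidates itself on deinit so the observer cannot outlive the observed object. The class names and the onChange callback are my own; everything else is public UIKit/AppKit API.

```swift
import Foundation

#if canImport(UIKit)
import UIKit

/// iOS 13: the interface style is a trait, so every view controller is told
/// when the trait collection changes. (Name is hypothetical.)
final class AppearanceAwareViewController: UIViewController {

    override func traitCollectionDidChange(_ previous: UITraitCollection?) {
        super.traitCollectionDidChange(previous)
        // This callback also fires for size-class and content-size changes;
        // only react when the color appearance actually differs.
        guard traitCollection.hasDifferentColorAppearance(comparedTo: previous) else { return }
        applyAppearance(isDark: traitCollection.userInterfaceStyle == .dark)
    }

    private func applyAppearance(isDark: Bool) {
        // Update anything that is not a dynamic color or asset, e.g. a custom
        // drawing cache or a third-party view that has no dark variant.
        view.setNeedsDisplay()
    }
}

#elseif canImport(AppKit)
import AppKit

/// macOS 10.14+: no trait callback, so observe NSApp.effectiveAppearance with
/// the closure-based KVO API. (Name and onChange parameter are hypothetical.)
final class AppearanceObserver {

    private var token: NSKeyValueObservation?

    init(onChange: @escaping (_ isDark: Bool) -> Void) {
        // .initial delivers the current value immediately, so the caller does
        // not need a separate "read it once at launch" path.
        token = NSApp.observe(\.effectiveAppearance, options: [.initial, .new]) { app, _ in
            // effectiveAppearance may be a vibrant or high-contrast variant;
            // bestMatch(from:) collapses it to the two cases we care about.
            let match = app.effectiveAppearance.bestMatch(from: [.aqua, .darkAqua])
            onChange(match == .darkAqua)
        }
    }

    // The NSKeyValueObservation token removes the observer when this object is
    // deallocated, which is what prevents the classic "observer freed but still
    // registered" KVO crash. Nothing else is needed in deinit.
}
#endif
```

Keep the AppearanceObserver alive for as long as you want callbacks (for example as a property of the app delegate); if the token is dropped, the observation stops silently rather than crashing.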

Previously:

KVO, My Enemy

Brent Simmons:

One of the keys to the stability of the shipping versions of NetNewsWire is that we don’t allow KVO (Key-Value Observing).

KVO is a false convenience — it’s often easier than setting up a delegate or old-fashioned notification. But to use KVO is to just ask for your app to crash.

And not just crash, but crash in hard-to-figure-out ways.

Drew McCormack:

As others point out, there are a bunch of issues with the FeedlyOperation class, such as the isAsynchronous override, and not changing to the final state atomically. But I think maybe the biggest problem is the use of Swift key paths. Not sure if that should be supported, but in my testing, it doesn’t work. Changing to strings for the key paths fixed things for me.

I’m not sure what the issue is—perhaps a Swift bug or incorrect property declarations so that there’s disagreement about whether “is” is part of the property name—but Swift key paths seem to be a common source of problems.
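For contrast, here is what an asynchronous Operation subclass looks like when it sidesteps the two problems Drew mentions: it emits KVO notifications with the literal string keys ("isExecuting", "isFinished") that OperationQueue observes, and it changes state in a single locked transition so an observer never sees both flags true at once. This is an added example written for this post, not NetNewsWire’s FeedlyOperation or RSCore code; the class name and the work-closure shape are my own.

```swift
import Foundation

/// Added example, not NetNewsWire/RSCore code: a minimal asynchronous
/// Operation whose state changes are atomic and whose KVO keys are strings.
final class AsyncOperation: Operation {

    private enum State { case ready, executing, finished }

    private let lock = NSLock()
    private var _state: State = .ready

    // Reads go through the lock so a queue thread never sees a torn value.
    private var state: State {
        lock.lock(); defer { lock.unlock() }
        return _state
    }

    /// The only place state is written. Both KVO keys bracket one locked
    /// store, so isExecuting and isFinished flip together, and .finished is
    /// terminal (a second completion is a no-op). The keys are the literal
    /// KVC strings OperationQueue observes, which avoids any ambiguity about
    /// what a Swift key path such as \.isFinished resolves to at runtime.
    @discardableResult
    private func transition(to newState: State) -> Bool {
        willChangeValue(forKey: "isExecuting")
        willChangeValue(forKey: "isFinished")
        lock.lock()
        let changed = _state != .finished && _state != newState
        if changed { _state = newState }
        lock.unlock()
        didChangeValue(forKey: "isExecuting")
        didChangeValue(forKey: "isFinished")
        return changed
    }

    override var isAsynchronous: Bool { return true }
    override var isExecuting: Bool { return state == .executing }
    override var isFinished: Bool { return state == .finished }

    /// The work closure receives a completion callback that it must invoke
    /// exactly once, from any thread, when its asynchronous work is done.
    private let work: (@escaping () -> Void) -> Void

    init(work: @escaping (@escaping () -> Void) -> Void) {
        self.work = work
        super.init()
    }

    override func start() {
        // A cancelled operation must still reach isFinished == true,
        // otherwise the queue never releases it.
        if isCancelled {
            transition(to: .finished)
            return
        }
        transition(to: .executing)
        work { [weak self] in self?.transition(to: .finished) }
    }
}

// Usage with a constructed piece of work. waitUntilAllOperationsAreFinished
// returns only because the queue received the "isFinished" KVO notification
// emitted by transition(to:).
let queue = OperationQueue()
let op = AsyncOperation { done in
    DispatchQueue.global().asyncAfter(deadline: .now() + 0.1) { done() }
}
queue.addOperation(op)
queue.waitUntilAllOperationsAreFinished()
```

The lock is released before didChangeValue runs, so an observer that synchronously reads isFinished from inside its KVO callback (OperationQueue does) cannot deadlock against the non-recursive NSLock.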

Brent Simmons:

We’re going to write a replacement for OperationQueue.

Previously:

Update (2020-01-24): Adam Maxwell:

If @brentsimmons is writing an NSOperationQueue replacement, I did that a few years ago, for deployment to Leopard.

Brent Simmons (tweet):

We fixed our mystery KVO crash by writing a replacement for OperationQueue.

[…]

MainThreadOperationQueue and MainThreadOperation are part of our RSCore framework.

How to Downgrade a New Mac to Mojave From Catalina

Armin Briegel:

Apple has started shipping Mac models that used to come with Mojave pre-installed with Catalina. If your organization has blockers for Catalina (incompatible software, etc.) you may want to install Mojave on these Macs. Unfortunately, this is not so easy.

[…]

Directly downgrading from Catalina to Mojave with the startosinstall --eraseinstall command will fail. Attempts to run the Mojave installer from a Catalina Recovery (local or Internet) will also fail. The reason seems to be that the Mojave Installer application chokes on some aspect of Catalina APFS.

[…]

The solution requires a Mojave Installer USB disk.

[…]

To boot a new Mac with a T2 chip off an external drive, you need to allow external boot from the Security Utility in the Recovery partition.

Via Josh Centers:

We’re still hesitant to recommend upgrading to Catalina, particularly if you use Mail, since reports of email data loss continue.

I continue to receive reports of Mail messages lost when upgrading/migrating/rebuilding and when moving messages between mailboxes (particularly between different accounts). There also seem to be a bunch of new crashing bugs affecting Exchange users, as well as problems with messages not moving (but, thankfully, not disappearing either). Yet many customers are also using Catalina without these issues. It’s not yet clear why some are affected and others aren’t, but it’s good to know that downgrading is possible (unless you have a 16-inch MacBook Pro or a 2019 Mac Pro).

Previously: