FORCEDENTRY Sandbox Escape via NSExpression
Ian Beer and Samuel Groß (back in March):
It’s clearly a serialized NSKeyedArchiver. Definitely not what you’d expect to see in a JBIG2Bitmap object. Running strings we see plenty of interesting things […]
NSPredicates using the FUNCTION keyword are effectively Objective-C scripts. With some tricks it’s possible to build nested function calls which can do almost anything you could do in procedural Objective-C. Figuring out some of those tricks was the key to the 2019 Real World CTF DezhouInstrumenz challenge, which would evaluate an attacker supplied NSExpression format string. The writeup by the challenge author is a great introduction to these ideas […]
Prior to iOS 14.5 the isa field of an Objective-C object was not protected by Pointer Authentication Codes (PAC), so the JBIG2 machine builds a fake Objective-C object with a fake isa such that the invocation of the dealloc selector causes the deserialization and evaluation of the NSFunctionExpression. This is very similar to the technique used by Samuel in the 2020 SLOP post. […]
Perhaps the most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.
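An added defensive example, not code from the Project Zero post or from this blog: if an app of your own ever parses predicate text that came from untrusted input, a walk over the parsed tree that refuses everything except constants, SELF, key paths and $variables keeps FUNCTION (and SUBQUERY, blocks and custom selectors) out of the evaluator. It assumes only Foundation’s public NSPredicate/NSExpression API; the two sample inputs are constructed.

```objective-c
#import <Foundation/Foundation.h>
// Allow-list: constants, SELF, key paths and $variables only. FUNCTION(...),
// SUBQUERY, blocks and the rest are refused, since FUNCTION reaches arbitrary selectors.
static BOOL ExpressionIsSafe(NSExpression *e) {
    switch (e.expressionType) {
        case NSConstantValueExpressionType:
        case NSEvaluatedObjectExpressionType:
        case NSKeyPathExpressionType:
        case NSVariableExpressionType:
            return YES;
        default:  // NSFunctionExpressionType, NSSubqueryExpressionType, NSBlockExpressionType, ...
            return NO;
    }
}
static BOOL PredicateIsSafe(NSPredicate *p) {
    if ([p isKindOfClass:[NSCompoundPredicate class]]) {
        for (NSPredicate *sub in [(NSCompoundPredicate *)p subpredicates]) {
            if (!PredicateIsSafe(sub)) return NO;
        }
        return YES;
    }
    if ([p isKindOfClass:[NSComparisonPredicate class]]) {
        NSComparisonPredicate *c = (NSComparisonPredicate *)p;
        if (c.predicateOperatorType == NSCustomSelectorPredicateOperatorType) return NO;
        return ExpressionIsSafe(c.leftExpression) && ExpressionIsSafe(c.rightExpression);
    }
    return NO;  // unknown predicate class (e.g. TRUEPREDICATE): refuse rather than guess
}
// Parses untrusted text and returns the predicate only if it passes the allow-list.
static NSPredicate *SafePredicateFromUntrustedString(NSString *text) {
    NSPredicate *p = nil;
    @try {
        p = [NSPredicate predicateWithFormat:text argumentArray:@[]];
    } @catch (NSException *ex) {
        return nil;  // unparseable input
    }
    return PredicateIsSafe(p) ? p : nil;
}
int main(void) {
    @autoreleasepool {
        // Constructed sample inputs: a plain filter, and one that smuggles in FUNCTION.
        NSArray<NSString *> *inputs = @[ @"name == 'alice' AND age > 21",
                                        @"FUNCTION(SELF, 'description') == 'x'" ];
        for (NSString *s in inputs) {
            NSLog(@"%@ -> %@", s, SafePredicateFromUntrustedString(s) ? @"accepted" : @"rejected");
        }
    }
    return 0;
}
```

When the untrusted part is only a value rather than grammar, the better pattern is a constant format string with the value bound through %@ (predicateWithFormat:argumentArray:), which turns it into a constant-value expression instead of parsed syntax.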
Previously:
- FORCEDENTRY iMessage Zero-click Remote Code Execution
- iMessage, NSKeyedArchiver, and _NSDataFileBackedFuture