{"id":37660,"date":"2022-11-20T14:23:00","date_gmt":"2022-11-20T19:23:00","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=37660"},"modified":"2022-11-20T14:23:00","modified_gmt":"2022-11-20T19:23:00","slug":"forcedentry-sandbox-escape-via-nsexpression","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/11\/20\/forcedentry-sandbox-escape-via-nsexpression\/","title":{"rendered":"FORCEDENTRY Sandbox Escape via NSExpression"},"content":{"rendered":"

Ian Beer and Samuel Groß<\/a> (back in March):<\/p>\n

It’s clearly a serialized NSKeyedArchiver<\/a>. Definitely not what you’d expect to see in a JBIG2Bitmap<\/code> object. Running strings<\/code> we see plenty of interesting things[…]<\/p>

[…]<\/p>

NSPredicates<\/code> using the FUNCTION<\/code> keyword are effectively Objective-C scripts. With some tricks it’s possible to build nested function calls which can do almost anything you could do in procedural Objective-C. Figuring out some of those tricks was the key to the 2019 Real World CTF<\/a>DezhouInstrumenz<\/a> challenge, which would evaluate an attacker supplied NSExpression<\/code> format string. The writeup by the challenge author<\/a> is a great introduction to these ideas[…]<\/p>

[…]<\/p>

Prior to iOS 14.5 the isa field of an Objective-C object was not protected by Pointer Authentication Codes (PAC), so the JBIG2 machine builds a fake Objective-C object with a fake isa such that the invocation of the dealloc<\/code> selector causes the deserialization and evaluation of the NSFunctionExpression<\/code>. This is very similar to the technique used by Samuel in the 2020 SLOP post<\/a>.<\/p>

[…]<\/p>

Perhaps the most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.<\/p><\/blockquote>\n\n

Previously:<\/p>\n