The Road to iOS Sandbox Escape



Apple’s sandbox may seem the “safest”, We decided to research interesting and not well known IPC. Among the history of iOS vulnerabilities, many vulnerabilities were discovered mostly on XPC, we decided to reveal the mach messages mechanism Apple still uses and poorly designed daemons based on mach message IPC.

With all of this in mind, we started to research all the mach ports accessible from within the sandbox and it revealed a new world to explore.

In order to have better understanding on the different mach message handlers, we created several research tools we are willing to share with the community. Those scripts were the key and the breakthrough to better reveal the backend of most of Apple’s API between the sandbox and the daemons. Nevertheless, we will share several vulnerabilities that were found during the research, mainly focus on the vulnerability that leads to execution of arbitrary code on most of the daemons outside the sandbox, for example, sharingd, coreduetd, SpringBoard, mDNSResponder, aggregated, wifid, Preferences, CommCenter, iaptransportd, findmydeviced, routined, UserEventAgent, carkitd, mediaserverd, bluetoothd and so on.

The vulnerability is giving full control on PC and on several registers on the vulnerable daemons and exists on all of Apple mobile devices (iOS, WatchOS and tvOS).

Moreover, We will cover possible exploitation and reveal necessary gadgets that may be used for full chain.

Location: BALLROOM 1 Date: August 31, 2018 Time: 2:00 pm - 3:00 pm Rani Idan