Talk Title:

XNU heap exploitation: From kernel bug to kernel control


This talk walks through the exploitation of two kernel bugs (CVE-2018-4344 and CVE-2019-6225) by presenting three kernel exploits namely treadm1ll, v1ntex, and v3ntex. Therefore first a quick introduction into XNU internals of Mach ports and heap allocators zalloc and kalloc is given and afterward shown how to get from a poc to a full kernel exploit.

The main focus here is layed on outlining what primitives can be used for exploitation, which may not be obvious at first glance, as well as giving an example of how the heap can be massaged in a way that is useful for exploitation. Changes between versions (iOS 11 -> iOS 12) which can have impact on the primitives are taken into account because sometimes it is enough to replace just one element in the chain to fix the exploit (v1ntex -> v3ntex).


I started hacking iOS in 2015 and since then i created various tools for research, downgrading and contributed to various jailbreaks. Among those, I created tools for downgrading: futurerestore, tsschecker, img4tool Released various local, remote and untethered jailbreaks (32bit and 64bit) for iOS 8-12 for iPhone, iPod, iPad, AppleWatch, AppleTV

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved