Mobile Security & Enterprise Mobility Blog

zLabs at HITB Singapore: (De)coding an iOS Vulnerability

This week at HITB Singapore, Zimperium zLabs’ security researcher, Adam Donenfeld (@doadam) is conducting a session titled “Viewer Discretion Advised: (De)coding an iOS Vulnerability.” Another zLabs researcher, Rani Idan (@raniXCH), is also doing a session titled “The Road to iOS Sandbox Escape.”

Here is the abstract for Adam’s session. We will post the recording of the session when it is available. If you would like to review the presentations, including both Adam’s and Rani’s, you can view them here: https://gsec.hitb.org/materials/sg2018/ .

Viewer Discretion Advised: (De)coding an iOS Vulnerability.

Over the years, ring-0 vulnerabilities in mobile devices have become increasingly difficult to find and exploit. Attackers and defenders alike must find new attack vectors, as well as develop tools to expedite the research process and increase coverage. One significant challenge is a more confining sandbox. While vendors usually put less emphasis on the security of mechanisms which are not operable from within the sandbox, sandboxing applications appropriately is not always that easy.

This talk is a real-world journey of finding, we will be uncovering a deeply buried vulnerability in the iOS kernelcache. The vulnerability, which is hidden within the video-decoder driver, can be triggered by processing maliciously crafted codec frames. The driver is normally not accessible to the standard application. This vulnerability, however, is still exploitable from within a sandboxed process or application. During this talk, concepts, tools and methods of work will be given: from initial search till getting familiar with a complete closed-source environment, as well as a real-world example of finding “sandbox-restrictive” vulnerabilities and exploiting them from the most narrowed context nevertheless.