Rump : iOS patch diffing

iOS patch diffing #cybsec16 rump session Julien Bachmann @milkmix_

Transcript of Rump : iOS patch diffing

Page 1: Rump : iOS patch diffing

iOS patch diffing

#cybsec16 rump session

Julien Bachmann @milkmix_

Page 2: Rump : iOS patch diffing

intro | pegasus

• Last August: information about new malware for iOS

• Even better: the device was infected through a browser exploit!

• Looked like a good idea to finally start analysing iOS patches

Page 3: Rump : iOS patch diffing

patches | up to iOS 9

• Updates

  • rootfs is encrypted and decrypted only on device

  • need keys, but only available for devices before A6

  • kernelcache is also encrypted

• OTA updates

  • Initially only partial updates

  • From around September 2015, full OTA updates made available

Page 4: Rump : iOS patch diffing

patches | up to iOS 9

Page 5: Rump : iOS patch diffing

patches | iOS 10

• Updates

  • rootfs is no longer encrypted

  • kernelcache is encrypted (again…)

Page 6: Rump : iOS patch diffing

patches | extracting rootfs

$ mkdir rootfs
$ unzip 2f3a0cb8c741f31b19576656765fad3616ecbfef.zip
$ pbzx AssetData/payloadv2/payload > rootfs/pb.xz && cd rootfs
$ xz --decompress pb.xz
$ otaa -e '*' ./pb
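The `pbzx` step above unwraps Apple's chunked xz container around the OTA payload before `xz` and `otaa` can work on it. As an added illustration (not code from the slides or from the `pbzx` tool the speaker used), the following Python unpacks such a container in one step. The layout it implements is this example author's understanding of the format, not something the slides state: a `pbzx` magic, an 8-byte big-endian field, then chunks each carrying an 8-byte declared size and an 8-byte payload length, with xz-compressed payloads recognised by their magic and the declared size (16 MiB for every chunk but the last in real payloads) used here as a cap against a chunk that expands far beyond what its header claims. `pack_pbzx` only exists to build a constructed container for the round-trip; real payloads come from the OTA zip.

```python
import lzma
import struct

PBZX_MAGIC = b"pbzx"
XZ_MAGIC = b"\xfd7zXZ\x00"
# Assumption (this example's understanding of the format, not from the slides):
# every chunk but the last declares a 16 MiB uncompressed size, and the reader
# keeps going while the size field still has this bit set.
FULL_CHUNK = 0x1000000


def pack_pbzx(chunks):
    """Build a constructed pbzx container from (plaintext, compress) pairs.

    Test helper only: real payloads are produced by Apple's tooling.
    """
    body = bytearray()
    for i, (plain, compress) in enumerate(chunks):
        last = i == len(chunks) - 1
        payload = lzma.compress(plain, format=lzma.FORMAT_XZ) if compress else plain
        size_field = len(plain) if last else FULL_CHUNK
        body += struct.pack(">QQ", size_field, len(payload)) + payload
    return PBZX_MAGIC + struct.pack(">Q", FULL_CHUNK) + bytes(body)


def unpack_pbzx(data):
    """Return the concatenated plaintext of all chunks in a pbzx container.

    Raises ValueError on a bad magic, a truncated chunk, or an xz chunk that
    does not fit its declared size (so a hostile payload cannot expand without
    bound just because we trusted its header).
    """
    if data[:4] != PBZX_MAGIC:
        raise ValueError("not a pbzx container")
    (size_field,) = struct.unpack(">Q", data[4:12])
    pos = 12
    out = bytearray()
    while size_field & FULL_CHUNK:
        if pos + 16 > len(data):
            raise ValueError("truncated chunk header")
        size_field, length = struct.unpack(">QQ", data[pos:pos + 16])
        pos += 16
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated chunk payload")
        pos += length
        if payload.startswith(XZ_MAGIC):
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
            # Ask for at most one byte more than declared: anything past the
            # declared size, or an unfinished stream, is rejected.
            plain = dec.decompress(payload, max_length=size_field + 1)
            if len(plain) > size_field or not dec.eof:
                raise ValueError("xz chunk does not match its declared size")
        else:
            plain = payload  # chunk stored without compression
        out += plain
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample data, not an Apple payload.
    sample = [(b"A" * 5000, True), (b"B" * 300, False), (b"C" * 10, True)]
    blob = pack_pbzx(sample)
    print(len(blob), "bytes packed ->", len(unpack_pbzx(blob)), "bytes unpacked")
```

Unlike the command sequence on the slide, which writes the xz streams out and decompresses them in a second step, this reads straight to plaintext; the output is what `otaa` would then take as its input archive.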

Page 7: Rump : iOS patch diffing

patches | finding modified files

• Using partial update
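A partial update only ships the files that changed, so its file list is the list of modified files. When only full OTA images are available (as the earlier slide notes they have been since late 2015), the same list has to be recovered by comparing two extracted rootfs trees. The following is an added example of that comparison, not code from the slides: it hashes every regular file under two roots and reports what was added, removed or modified. The directory layout and file contents in `build_sample_trees` are constructed stand-ins for two extracted rootfs trees, not real iOS files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file (path relative to root) to its SHA-256 hex digest.

    Symlinks are skipped so a link pointing outside the extracted tree is
    never followed.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):
                h.update(block)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(old_root, new_root):
    """Compare two extracted trees and classify every path."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def build_sample_trees():
    """Constructed stand-in for two extracted rootfs trees (not real iOS files)."""
    base = Path(tempfile.mkdtemp(prefix="rootfs-diff-"))
    old, new = base / "before", base / "after"
    # relative path -> (content in old tree, content in new tree); None = absent
    files = {
        "System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore": (b"jsc v1", b"jsc v2"),
        "usr/lib/libSystem.B.dylib": (b"unchanged", b"unchanged"),
        "usr/bin/old_tool": (b"gone in new", None),
        "usr/bin/new_tool": (None, b"new in new"),
    }
    for rel, (old_content, new_content) in files.items():
        for root, content in ((old, old_content), (new, new_content)):
            if content is None:
                continue
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    return old, new


if __name__ == "__main__":
    before, after = build_sample_trees()
    for kind, paths in diff_trees(before, after).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

The "modified" list is the set of binaries worth loading into a differ such as Diaphora; "added" and "removed" catch framework or daemon changes that a per-function diff would otherwise miss.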

Page 8: Rump : iOS patch diffing

patches | extracting frameworks

• On iOS all frameworks are bundled into cache file

• dyld_shared_cache_arm64

• Possible to extract specific frameworks using jtool

$ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64

Page 9: Rump : iOS patch diffing

diffing | diaphora

Page 10: Rump : iOS patch diffing

diffing | diaphora

Page 11: Rump : iOS patch diffing

finding the vuln | analysis

• Last browser exploit I did was 10 years ago on ActiveX applets

• heap spray all the things

• Was expecting the exploit to be released, then tracing it with a debugger starting from slowAppend

Page 12: Rump : iOS patch diffing

finding the vuln | analysis

• All that to say…

Page 13: Rump : iOS patch diffing

finding the vuln | analysis

• Use Slack, use GitHub