Rump : iOS patch diffing
Transcript of Rump : iOS patch diffing
iOS patch diffing
#cybsec16 rump session
Julien Bachmann (@milkmix_)
intro | pegasus
• Last August: information about new malware for iOS
• Better: the device was infected through a browser exploit!
• Looked like a good idea to finally start analysing iOS patches
patches | up to iOS 9
• Updates
  • rootfs is encrypted and decrypted only on device
  • need keys, but only available for devices before A6
  • kernelcache is also encrypted
• OTA updates
  • Initially only partial updates
  • From around September 2015, full OTA updates made available
patches | iOS 10
• Updates
  • rootfs is no longer encrypted
  • kernelcache is encrypted (again…)
patches | extracting rootfs
$ mkdir rootfs
$ unzip 2f3a0cb8c741f31b19576656765fad3616ecbfef.zip
$ pbzx AssetData/payloadv2/payload > rootfs/pb.xz && cd rootfs
$ xz --decompress pb.xz
$ otaa -e '*' ./pb
patches | finding modified files
• Using partial update
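The step above relies on the fact that a partial OTA payload only carries the files the update touches, so listing it against the previous full rootfs gives the candidate set for diffing. The script below is an added example (not code from the talk or its author): it hashes an extracted old rootfs and an extracted partial payload, reports what was added or modified, and flags hits inside the dyld shared cache, which still need to be split per framework with jtool before a binary diff is useful. The directory layout and file contents in build_sample() are constructed stand-ins for the output of `otaa -e '*'`, and the paths under System/Library/Caches/com.apple.dyld are assumed from the slide that follows.

```python
"""Find the files an iOS update touches by hashing the extracted rootfs trees.

Added example, not from the talk: compare the previous full rootfs with the
payload of a partial OTA update (which only carries changed files) and report
what was added or modified, marking which hits still need jtool extraction
from the dyld shared cache before they can be diffed in Diaphora.
"""
import hashlib
import tempfile
from pathlib import Path

# Location of the shared cache inside an extracted rootfs (assumed path).
SHARED_CACHE_DIR = "System/Library/Caches/com.apple.dyld"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large payloads do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_trees(old_root, new_root, partial=False) -> dict:
    """Classify files as added / modified / unchanged, plus removed for full updates.

    A partial OTA payload only contains files the update touches, so a file that
    is absent from it was not removed; with partial=True that category stays empty.
    """
    old, new = hash_tree(Path(old_root)), hash_tree(Path(new_root))
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": [] if partial else sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
        "unchanged": sorted(p for p in common if old[p] == new[p]),
    }


def needs_cache_extraction(paths) -> list:
    """Changed files inside the dyld shared cache must be split with jtool first."""
    return [p for p in paths if p.startswith(SHARED_CACHE_DIR + "/")]


def build_sample() -> tuple:
    """Constructed sample trees standing in for an old rootfs and a partial payload."""
    base = Path(tempfile.mkdtemp(prefix="ios-diff-"))
    old, new = base / "old_rootfs", base / "partial_payload"
    files = {
        old / "usr/lib/libsystem.dylib": b"unchanged library",
        old / "usr/bin/oldtool": b"only in the old image",
        old / f"{SHARED_CACHE_DIR}/dyld_shared_cache_arm64": b"cache v1",
        new / "usr/lib/libsystem.dylib": b"unchanged library",
        new / "usr/bin/newtool": b"introduced by the update",
        new / f"{SHARED_CACHE_DIR}/dyld_shared_cache_arm64": b"cache v2",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return old, new


def report(old_root, new_root, partial=True) -> dict:
    """Diff the trees and add the list of hits that need jtool extraction."""
    d = diff_trees(old_root, new_root, partial=partial)
    d["extract_with_jtool"] = needs_cache_extraction(d["modified"] + d["added"])
    return d


if __name__ == "__main__":
    old, new = build_sample()
    for kind, paths in report(old, new).items():
        print(f"{kind:20s} {paths}")
```

Run it with the two extracted trees as arguments to report(); with a full OTA image instead of a partial one, pass partial=False so that files dropped by the update are listed as removed rather than silently ignored.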
patches | extracting frameworks
• On iOS all frameworks are bundled into a single cache file
  • dyld_shared_cache_arm64
• Possible to extract specific frameworks using jtool
$ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
diffing | diaphora
finding the vuln | analysis
• Last browser exploit I did was 10 years ago on ActiveX applets
• heap spray all the things
• Was expecting the exploit to be released, then to trace it with a debugger starting from slowAppend
finding the vuln | analysis
• All that to say…
finding the vuln | analysis
• Use Slack, use GitHub