Apple's Core
• Full PDF released free of charge by the author: newosxbook.com/MOXiI.pdf
• Chinese translation: 深入解析Mac OS X & iOS操作系统
• A small part of the content is out of date
*OS Internals
• The updated edition of the Newosxbook.com book
• Volume I - User Mode - Available, v1.2 - See detailed ToC
• Volume II - Later this year (wrapping up notes for Darwin 19 betas) (not yet released)
• Volume III - Security & Insecurity is available, v1.6
mach_msg_return_t mach_msg(
        mach_msg_header_t   *msg,
        mach_msg_option_t    option,
        mach_msg_size_t      send_size,
        mach_msg_size_t      receive_limit,
        mach_port_t          receive_name,
        mach_msg_timeout_t   timeout,
        mach_port_t          notify);

PARAMETERS
msg [pointer to in/out structure containing random and reply rights]
    A message buffer used by mach_msg both for send and receive. This must be naturally aligned.
// Client side: connect to a Mach service by name and send one message.
xpc_connection_t c = xpc_connection_create_mach_service("com.apple.xpc.example", NULL, 0);
xpc_connection_set_event_handler(c, ^(xpc_object_t event) {
    // Always set an event handler. More on this later.
});
xpc_connection_resume(c);

// Messages are always dictionaries.
xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_uint64(message, "X", 640);
xpc_connection_send_message(c, message);
xpc_release(message);

// Server side: a listener connection for the same Mach service name.
xpc_connection_t listener = xpc_connection_create_mach_service("com.apple.xpc.example", NULL,
                                                               XPC_CONNECTION_MACH_SERVICE_LISTENER);
xpc_connection_set_event_handler(listener, ^(xpc_object_t event) {
    // New connections arrive here. You may safely cast to
    // xpc_connection_t. You will never receive messages here.
    // The semantics of this handler are similar to those of
    // the one given to xpc_main().
    // new_peer_event_handler() is the service's own function: it sets the
    // per-peer event handler (where messages do arrive) and resumes the peer.
    new_peer_event_handler((xpc_connection_t)event);
});
xpc_connection_resume(listener);
• pwn4fun Spring 2014 - Safari - Part II
  https://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html
• Auditing and Exploiting Apple IPC
  https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
• CVE-2017-7047 Triple_Fetch bug and exploitation analysis
  https://keenlab.tencent.com/zh/2017/08/02/CVE-2017-7047-Triple-Fetch-bug-and-vulnerability-analysis/
References
◦ pwn4fun Spring 2014 - Safari - Part II - Ian Beer
◦ Pwning the macOS Sierra Kernel inside the Safari Sandbox - Team Pangu
◦ IPC Voucher UaF Remote Jailbreak - @S0rryMybad
unexploitable)
• https://bugs.chromium.org/p/project-zero/issues/detail?id=851 (AndroidID-29431260; getpidcon() used in the servicemanager)
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1404 (AndroidID-68217907; getpidcon() used in the hardware service manager)
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1406 (AndroidID-68217699; getpidcon() used in the keystore)
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1741 (AndroidID-121035042; getpidcon() usage in hardware binder servicemanager)
execve is unsafe
• This is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented "ad hoc", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion
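As an added example (not XNU code and not from the slides), the C model below shows why the ad-hoc increment matters. It keeps a tiny process table whose pids are reused, a global nextpidversion counter, and an exec path that bumps pidversion either locally (the bug described above) or from the global counter (the fix). The identity check models what a service does with a sender's audit token, which carries (pid, pidversion). The names nextpidversion, proc_exec_suid and the pid values are the model's own assumptions. The same pid-reuse window between "message arrives" and "identity is checked" is what the getpidcon() bugs listed above exploit.

```c
/* Added example: a model of (pid, pidversion) identity under pid reuse. Not XNU code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPROC     8
#define FIRST_PID 100

typedef struct { int pid; uint32_t pidversion; bool alive; } proc_t;

static proc_t   table[NPROC];
static uint32_t nextpidversion;   /* assumed name, after the slide's "global nextpidversion variable" */

void procs_reset(void) { memset(table, 0, sizeof table); nextpidversion = 1; }

/* fork(): reuse the lowest free pid and stamp it with a fresh version from the global counter. */
int proc_fork(void) {
    for (int i = 0; i < NPROC; i++) {
        if (!table[i].alive) {
            table[i].pid = FIRST_PID + i;
            table[i].pidversion = nextpidversion++;
            table[i].alive = true;
            return i;
        }
    }
    return -1;
}

void proc_exit(int idx) { table[idx].alive = false; }

/* exec of a setuid binary bumps pidversion so that a peer holding the pre-exec
 * (pid, pidversion) can no longer treat the now-privileged process as the old sender. */
void proc_exec_suid(int idx, bool adhoc_bump) {
    if (adhoc_bump)
        table[idx].pidversion++;                    /* the bug: local bump, nextpidversion untouched */
    else
        table[idx].pidversion = nextpidversion++;   /* the fix: always draw from the global counter */
}

/* What a service does with an audit token: is there a live process with exactly this identity? */
bool proc_ident_matches(int pid, uint32_t pidversion) {
    for (int i = 0; i < NPROC; i++)
        if (table[i].alive && table[i].pid == pid && table[i].pidversion == pidversion)
            return true;
    return false;
}

/* Scenario: A execs suid, a peer records A's identity, A exits, B forks into A's pid.
 * Returns true when B would be mistaken for the privileged A. */
bool pidversion_collision(bool adhoc_bump) {
    procs_reset();
    int a = proc_fork();                 /* A = (100, 1); nextpidversion = 2 */
    proc_exec_suid(a, adhoc_bump);       /* ad hoc: A = (100, 2), nextpidversion still 2 */
    int      pid = table[a].pid;
    uint32_t ver = table[a].pidversion;  /* identity a service captured from A's audit token */
    proc_exit(a);
    proc_fork();                         /* pid 100 reused; ad hoc: B = (100, 2) as well */
    return proc_ident_matches(pid, ver);
}

int main(void) {
    printf("ad-hoc bump:  collision=%d\n", pidversion_collision(true));
    printf("global bump:  collision=%d\n", pidversion_collision(false));
    return 0;
}
```

With the ad-hoc bump the stale identity matches the new process; drawing the version from the global counter makes every (pid, pidversion) ever handed out unique until the 32-bit counter wraps.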
• when exec-ing suid binaries allows code execution as root on OS X/iOS (CVE-2015-3708) - user-mode logic bug
• Issue 353: OS X kextd bad path checking and toctou allow a regular user to load an unsigned kernel extension (CVE-2015-3709) - user-mode logic bug
• Issue 1520: MacOS double mach_port_deallocate in kextd due to failure to comply with MIG ownership rules (CVE-2018-4139) - user mode, MIG object lifetime (ownership) rules
• A more flexible form of suid
• Lets RPC servers, in user mode and in the kernel, check the caller's privileges
• Bound to the code signature, so an entitlement cannot be grafted onto another binary
• Some entitlements may only be used by Apple's own executables:
  "taskgated: killed app because its use of the com.apple.*** entitlement is not allowed"
#define MKEXT_MAGIC 0x4D4B5854 /* 'MKXT' */
#define MKEXT_SIGN  0x4D4F5358 /* 'MOSX' */

typedef struct mkext2_header {
    // MKEXT_HEADER_CORE: the fields shared by mkext1 and mkext2 headers
    uint32_t      magic;                 // always 'MKXT'
    uint32_t      signature;             // always 'MOSX'
    uint32_t      length;                // the length of the whole file
    uint32_t      adler32;               // checksum from &version to end of file
    uint32_t      version;               // a 'vers' style value
    uint32_t      numkexts;              // how many kexts are in the archive
    cpu_type_t    cputype;               // same as Mach-O
    cpu_subtype_t cpusubtype;            // same as Mach-O
    // mkext2-specific: where the XML plist describing the kexts lives
    uint32_t      plist_offset;
    uint32_t      plist_compressed_size;
    uint32_t      plist_full_size;
} mkext2_header;
typedef struct mkext2_file_entry {
    uint32_t compressed_size;   // if zero, file is not compressed
    uint32_t full_size;         // full size of data w/o this struct
    uint8_t  data[0];           // data is inline to this struct
} mkext2_file_entry;
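The two structs above give the on-disk layout. As an added example (not code from the page, from Apple or from mkext.h), here is a minimal builder and validator for a one-kext mkext2 archive in C. It assumes the header fields are stored big-endian (mkext.h reads them through MKEXT_SWAP, big-endian to host), that the adler32 covers the file from &version to its end as the struct comment says, models cpu_type_t/cpu_subtype_t as plain 32-bit values, uses a version constant of its own (only the major byte is checked), and places the single file entry directly after the header, whereas real archives locate entries through offsets in the plist. The checks it performs (length field equal to the buffer actually handed in, checksum before any offset is trusted, 64-bit arithmetic on offset + size) are the ones a kextd/kextcache-style consumer needs before following plist_offset or full_size.

```c
/* Added example: build and validate a constructed mkext2 archive. Not Apple code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MKEXT_MAGIC        0x4D4B5854u  /* 'MKXT' */
#define MKEXT_SIGN         0x4D4F5358u  /* 'MOSX' */
#define MKEXT2_HDR_SIZE    44u          /* sizeof(mkext2_header), no padding */
#define MKEXT2_ENTRY_SIZE  8u           /* sizeof(mkext2_file_entry) without data[] */
#define MKEXT_VERS_MAJOR   2u           /* only the major byte of the 'vers' value is checked */
#define ADLER_MOD          65521u

enum { MKEXT_OK = 0, MKEXT_ETRUNC = -1, MKEXT_EMAGIC = -2, MKEXT_ELEN = -3,
       MKEXT_ECKSUM = -4, MKEXT_EVERS = -5, MKEXT_ERANGE = -6 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Plain Adler-32, the checksum the header's adler32 field carries. */
uint32_t mkext_adler32(const uint8_t *buf, size_t len) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) { a = (a + buf[i]) % ADLER_MOD; b = (b + a) % ADLER_MOD; }
    return (b << 16) | a;
}

/* Layout produced: header | file entry + kext bytes | uncompressed XML plist. Returns total size, 0 if cap is too small. */
size_t mkext2_build(uint8_t *out, size_t cap, const uint8_t *kext, uint32_t kext_len, const char *plist) {
    uint32_t plist_len = (uint32_t)strlen(plist);
    uint32_t entry_off = MKEXT2_HDR_SIZE;
    uint32_t plist_off = entry_off + MKEXT2_ENTRY_SIZE + kext_len;
    uint32_t total     = plist_off + plist_len;
    if (cap < total) return 0;
    memset(out, 0, total);
    put_be32(out + 0,  MKEXT_MAGIC);
    put_be32(out + 4,  MKEXT_SIGN);
    put_be32(out + 8,  total);                 /* length: whole file */
    put_be32(out + 16, 0x02002001u);           /* version: assumed 'vers'-style 2.0 value */
    put_be32(out + 20, 1);                     /* numkexts */
    put_be32(out + 24, 0x01000007u);           /* cputype: CPU_TYPE_X86_64, arbitrary for the example */
    put_be32(out + 28, 3);                     /* cpusubtype: CPU_SUBTYPE_X86_64_ALL */
    put_be32(out + 32, plist_off);
    put_be32(out + 36, 0);                     /* plist_compressed_size: 0 = stored uncompressed */
    put_be32(out + 40, plist_len);             /* plist_full_size */
    put_be32(out + entry_off, 0);              /* compressed_size: 0 = file not compressed */
    put_be32(out + entry_off + 4, kext_len);   /* full_size */
    memcpy(out + entry_off + MKEXT2_ENTRY_SIZE, kext, kext_len);
    memcpy(out + plist_off, plist, plist_len);
    put_be32(out + 12, mkext_adler32(out + 16, total - 16));   /* checksum from &version to end */
    return total;
}

/* Validate magic, length, checksum, version and that the plist and first entry lie inside the buffer.
 * On success reports where the first entry's data starts and how many bytes of it are on disk. */
int mkext2_validate(const uint8_t *buf, size_t len, uint32_t *data_off, uint32_t *data_len) {
    if (len < MKEXT2_HDR_SIZE) return MKEXT_ETRUNC;
    if (be32(buf) != MKEXT_MAGIC || be32(buf + 4) != MKEXT_SIGN) return MKEXT_EMAGIC;
    if (be32(buf + 8) != len) return MKEXT_ELEN;                 /* header must describe exactly what we hold */
    if (be32(buf + 12) != mkext_adler32(buf + 16, len - 16)) return MKEXT_ECKSUM;
    if ((be32(buf + 16) >> 24) != MKEXT_VERS_MAJOR) return MKEXT_EVERS;
    uint32_t numkexts  = be32(buf + 20);
    uint32_t plist_off = be32(buf + 32), plist_csz = be32(buf + 36), plist_fsz = be32(buf + 40);
    uint32_t plist_sz  = plist_csz ? plist_csz : plist_fsz;
    /* 64-bit arithmetic so offset + size cannot wrap past the length check. */
    if (plist_off < MKEXT2_HDR_SIZE || (uint64_t)plist_off + plist_sz > len) return MKEXT_ERANGE;
    if (numkexts == 0) return MKEXT_ERANGE;
    uint32_t eoff = MKEXT2_HDR_SIZE;      /* this example's fixed entry position; real archives use plist offsets */
    if ((uint64_t)eoff + MKEXT2_ENTRY_SIZE > len) return MKEXT_ETRUNC;
    uint32_t csz = be32(buf + eoff), fsz = be32(buf + eoff + 4);
    uint32_t on_disk = csz ? csz : fsz;
    if ((uint64_t)eoff + MKEXT2_ENTRY_SIZE + on_disk > plist_off) return MKEXT_ERANGE;
    if (data_off) *data_off = eoff + MKEXT2_ENTRY_SIZE;
    if (data_len) *data_len = on_disk;
    return MKEXT_OK;
}

/* Build a constructed archive, validate it, then flip one payload byte and confirm the checksum catches it. */
int mkext2_demo(void) {
    static const uint8_t kext[] = "\xcf\xfa\xed\xfe fake-macho-payload";         /* constructed, not a real Mach-O */
    static const char plist[]   = "<plist version=\"1.0\"><dict></dict></plist>"; /* constructed */
    uint8_t buf[256];
    size_t n = mkext2_build(buf, sizeof buf, kext, sizeof kext - 1, plist);
    uint32_t off = 0, dlen = 0;
    int ok = mkext2_validate(buf, n, &off, &dlen);
    buf[off] ^= 0xff;
    int tampered = mkext2_validate(buf, n, NULL, NULL);
    return (ok == MKEXT_OK && dlen == sizeof kext - 1 && tampered == MKEXT_ECKSUM) ? 1 : 0;
}

int main(void) { printf("mkext2 demo %s\n", mkext2_demo() ? "ok" : "FAILED"); return 0; }
```

The order of checks is deliberate: magic, then the length field against the real buffer size, then the checksum, and only then any field that is used as an offset or size. A parser that reads plist_offset or full_size before the length check is exactly the shape of bug that an attacker-controlled cache file turns into an out-of-bounds read.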