Did you push your limits? Asking again after 25 years

Wang Yu

Agenda

- Speaker biography

- Did you push your limits?

Part 1 - As a system architect

Part 2 - As a software engineer

Part 3 - As a quality assurance specialist

Part 4 - As a participant in the software development lifecycle

Part 5 - As a security researcher

- Takeaways

About me

Wang Yu

Security researcher.

Serial entrepreneur, currently serving as CEO/CTO of a leading data security company.

Engineering background.

Consistently delivering world-class research achievements bridging industry and academia.

Did you push your limits?

Part 1 - As a system architect

Case #1: The story behind IOMobileFrameBuffer and CVE-2024-44199

Case #2 and Case #3: CVE-2020-3905 and CVE-2020-9928

Case #1 - The story behind IOMobileFrameBuffer

The statistical data on IOMobileFrameBuffer vulnerabilities indicates that the competition between the offensive and defensive sides once reached a fever pitch.

According to publicly available records, a total of sixteen kernel vulnerabilities in IOMobileFrameBuffer have been reported throughout its history. Among them, four were actively exploited by APT groups (CVE-2021-30807, CVE-2021-30883, CVE-2021-30983, CVE-2022-22587), two were leveraged for iOS jailbreak tools (JailbreakMe 3.0 - CVE-2011-0227, Pangu9 - CVE-2016-4654), and one was successfully utilized to win a security challenge competition (Tianfu Cup - CVE-2021-30983).

The historical landscape of kernel vulnerabilities

2011 - CVE-2011-0227 (Comex, JailbreakMe 3.0)

2012 - N/A

2013 - N/A

2014 - N/A

2015 - CVE-2015-1097 (Barak Gabai), CVE-2015-5843 (Filippo Bigarella)

2016 - CVE-2016-4654 (Tielei Wang - Team Pangu, Pangu9)

2017 - CVE-2017-13879 (Apple)

2018 - CVE-2018-4335 (Brandon Azad)

2019 - N/A

2020 - N/A

The historical landscape of kernel vulnerabilities (cont.)

2021 - CVE-2021-30807 (ITW APT attack / Saar Amar), CVE-2021-30883 (ITW APT attack / Tielei Wang - Team Pangu), CVE-2021-30983 (Tielei Wang - Team Pangu, Tianfu Cup Competition), CVE-2021-30985 (Tielei Wang - Team Pangu), CVE-2021-30991 (Tielei Wang - Team Pangu), CVE-2021-30996 (Saar Amar)

2022 - CVE-2022-22587 (ITW APT attack / Meysam Firouzi / Siddharth Aeri), CVE-2022-26768 (An Anonymous Researcher, highly likely exploited by an ITW APT attack), CVE-2022-46690 (John Aakerblom), CVE-2022-46697 (John Aakerblom / Antonio Zekic)

2023 - N/A

2024 - Any ideas?

I missed that era

"Some old chestnuts about IOMFB"

Pangu 9 Internals
/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf

Selector 0x53 - CVE-2021-30807
WebContent to EL1 LPE - OOBR in AppleCLCD and IOMobileFrameBuffer
https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/

Selector 0x4E - CVE-2021-30883
Bindiff and PoC for the IOMFB Vulnerability, iOS 15.0.2
https://saaramar.github.io/IOMFB_integer_overflow_poc/

The attack surfaces have been removed

Case #2 and #3 - CVE-2020-3905 and CVE-2020-9928

CVE-2020-3905:
IOBluetoothHCIUserClient::DispatchHCIWriteEncryptionMode (OpCode 0xC22) Kernel Object Race Condition Vulnerability
Patched via Security Update 2020-002, but this patch can be bypassed.
/en-us/HT211100

CVE-2020-9928:
IOBluetoothFamily Kernel Object Race Condition Vulnerability Triggered by Mixed HCI Commands
Patched via Security Update 2020-004
/en-us/HT211289

IOBluetoothHCIUserClient::DispatchHCIChangeLocalName

Hacking IOBluetooth
http://colemancda.github.io/2018/03/25/Hacking-IOBluetooth

IOBluetoothFamily HCI gadgets

Follow the calling sequence below:

1. DispatchHCIRequestCreate

2. DispatchHCIReadLocalName

3. DispatchHCIChangeLocalName

4. DispatchHCI......

5. DispatchHCIRequestDelete

A call stack from "Hacking IOBluetooth" (selected)

Thread 0x2f5   DispatchQueue 1   1001 samples (1-1001)   priority 31-46 (base 31)   cpu time 0.022
8  _xpc_connection_call_event_handler + 35 (libxpc.dylib + 44950) [0x7fff96b4bf96]
4  ??? (blued + 551462) [0x105f63a26]
4  ??? (blued + 239559) [0x105f177c7]
4  _NSSetCharValueAndNotify + 260 (Foundation + 448025) [0x7fff82baa619]
4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKey:key:key:usingBlock:] + 60 (Foundation + 27629) [0x7fff82b43bed]
4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:usingBlock:] + 944 (Foundation + 1579207) [0x7fff82cbe8c7]
4  NSKeyValueDidChange + 486 (Foundation + 274052) [0x7fff82b7fe84]
4  NSKeyValueNotifyObserver + 350 (Foundation + 275949) [0x7fff82b805ed]
4  ??? (blued + 112657) [0x105ef8811]
1  ??? (blued + 117061) [0x105ef9945]
1  -[BroadcomHostController BroadcomHCILEAddAdvancedMatchingRuleWithAddress:address:blob:mask:RSSIThreshold:packetType:matchingCapacity:matchingRemaining:] + 200
1  sendRawHCIRequest + 246 (IOBluetooth + 344294) [0x7fff830540e6]
1  IOConnectCallStructMethod + 56 (IOKit + 29625) [0x7fff830ab3b9]
1  IOConnectCallMethod + 336 (IOKit + 29170) [0x7fff830ab1f2]
1  io_connect_method + 375 (IOKit + 531601) [0x7fff83125c91]
1  mach_msg_trap + 10 (libsystem_kernel.dylib + 74570) [0x7fff96a1f34a]
*1  hndl_mach_scall64 + 22 (kernel + 638390) [0xffffff800029bdb6]
*1  mach_call_munger64 + 456 (kernel + 2011608) [0xffffff80003eb1d8]
*1  mach_msg_overwrite_trap + 327 (kernel + 919415) [0xffffff80002e0777]
*1  ipc_kmsg_send + 225 (kernel + 835505) [0xffffff80002cbfb1]
*1  ipc_kobject_server + 412 (kernel + 980924) [0xffffff80002ef7bc]
*1  ??? (kernel + 1827576) [0xffffff80003be2f8]
*1  is_io_connect_method + 497 (kernel + 7259025) [0xffffff80008ec391]
*1  IOBluetoothHCIUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*) + 257
*1  IOCommandGate::runAction(int (*)(OSObject*, void*, void*, void*, void*), void*, void*, void*, void*) + 314 (kernel + 7068058) [0xffffff80008bd99a]
*1  IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams*) + 918 (IOBluetoothFamily + 83308) [0xffffff7f81eb856c]
*1  IOBluetoothHostController::SendRawHCICommand(unsigned int, char*, unsigned int, unsigned char*, unsigned int) + 2423 (IOBluetoothFamily + 327391) [0xffffff7f81ef3edf]
*1  IOBluetoothHCIRequest::Start() + 515 (IOBluetoothFamily + 114737) [0xffffff7f81ec0031]
*1  IOEventSource::sleepGate(void*, unsigned long long, unsigned int) + 83 (kernel + 7062579) [0xffffff80008bc433]
*1  IOWorkLoop::sleepGate(void*, unsigned long long, unsigned int) + 126 (kernel + 7057470) [0xffffff80008bb03e]
*1  lck_mtx_sleep_deadline + 147 (kernel + 1019715) [0xffffff80002f8f43]
*1  thread_block_reason + 222 (kernel + 1061566) [0xffffff80003032be]
*1  ??? (kernel + 1066139) [0xffffff800030449b]
*1  machine_switch_context + 206

What can be read from the call stack

This is a complete call stack for sending a raw vendor-specific command.

The entry and exit routines of macOS IOBluetoothFamily HCI handling are IOBluetoothHCIUserClient::SimpleDispatchWL and IOBluetoothHCIRequest::Start.

How to ensure that Bluetooth-related data structures are safe in a multithreaded environment?

IOCommandGate mechanism

Class IOCommandGate
Single-threaded work-loop client request mechanism.
/documentation/kernel/iocommandgate

Routine IOCommandGate::runAction
Single thread a call to an action with the target work-loop.

Routine IOCommandGate::commandSleep
Put a thread that is currently holding the command gate to sleep.

Yes, you can sleep for a while

Routine IOCommandGate::commandSleep
Put a thread to sleep waiting for an event but release the gate first.

At this time, the HCI request is NOT completed by the Bluetooth controller.

So again, how to ensure the Bluetooth-related data structures are safe in this window? Unfortunately, this issue has not been considered.

IOBluetoothFamily HCI request flow

Race condition window

Data and state inconsistency

Recall the Win32K user mode callback mechanism

Win32k cannot hold the lock when calling back to user mode. Releasing the lock means that there is a window in which the kernel data structures are not protected.

Reference counting and object lifecycle management are very important.

A New CVE-2015-0057 Exploit Technology
/docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf

nt!KeUserModeCallback and nt!NtCallbackReturn
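The commandSleep window above and the Win32k callback window are the same shape of bug, so one added example covers both. It is a constructed C model, not Apple's or Microsoft's code: the request struct, the refcount field and the "racer" callback are all assumptions that stand in for a DispatchHCIRequestDelete landing while the gate is released, and the unsafe handler is contrasted with one that holds a reference across the sleep and re-validates afterwards.

```c
#include <stdbool.h>

/* Constructed model of a command-gate-serialised HCI request, not
 * Apple's code. command_sleep() models IOCommandGate::commandSleep,
 * which releases the gate while the controller works on the request,
 * so another user-client call (the "racer") runs inside that window,
 * just as a Win32k user-mode callback runs with the lock released. */
typedef struct {
    int  refcount;   /* hypothetical: references held on the request */
    bool deleted;    /* set once a concurrent RequestDelete has run */
    int  name_len;   /* per-request state the handler reads on waking */
} hci_req_t;

typedef void (*racer_fn)(hci_req_t *);

static void command_sleep(hci_req_t *req, racer_fn racer) {
    /* Gate released here: the request is no longer serialised. */
    if (racer) racer(req);      /* the other thread runs in the window */
    /* Gate re-acquired: the object's state may have changed. */
}

/* Racer: a DispatchHCIRequestDelete that lands inside the sleep window. */
static void racer_delete(hci_req_t *req) {
    req->deleted = true;
    if (--req->refcount == 0) req->name_len = 0;  /* stand-in for free(): poison */
}

/* Unsafe handler: checks the object before the sleep, trusts it afterwards. */
static int handle_unsafe(hci_req_t *req, racer_fn racer) {
    if (req->deleted) return -1;     /* valid only at this instant */
    command_sleep(req, racer);
    return req->name_len;            /* stale: reads a freed object (the UAF) */
}

/* Safe handler: hold a reference across the sleep, re-validate afterwards. */
static int handle_safe(hci_req_t *req, racer_fn racer) {
    if (req->deleted) return -1;
    req->refcount++;                                 /* object outlives the window */
    command_sleep(req, racer);
    int result = req->deleted ? -1 : req->name_len;  /* re-check after waking */
    if (--req->refcount == 0) req->name_len = 0;     /* last reference frees it */
    return result;
}

/* Runs one handler against a fresh request holding a single owning reference. */
static int run(int (*handler)(hci_req_t *, racer_fn), racer_fn racer) {
    hci_req_t req = { .refcount = 1, .deleted = false, .name_len = 248 };
    return handler(&req, racer);
}
```

With no racer both handlers return the request's state; with the delete racing into the window, the unsafe handler returns the poisoned value of a freed object while the safe one reports the deletion and frees the object only after its own reference is dropped.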

Case study of CVE-2020-9928

(lldb) register read rdx rsi
General Purpose Registers:
     rdx = 0xffffff801270fcfa  ""Element %p from zone %s caught being freed to wrong zone %s\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4570.61.1/osfmk/kern/zalloc.c:3528"
     rsi = 0xffffff8012749a40  "panic"
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_cpu_datap
    frame #1: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_processor
    frame #2: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] DebuggerTrapWithState
    frame #3: 0xffffff8011f7c8ba kernel.development`panic_trap_to_debugger
    frame #4: 0xffffff8011f7c6bc kernel.development`panic(str=<unavailable>) at debug.c:611:2 [opt]
    frame #5: 0xffffff8011fd5f09 kernel.development`zfree(zone=0xffffff80128c10d0, addr=0xffffff80403ae070)
    frame #6: 0xffffff8011f89a69 kernel.development`kfree(data=0xffffff80403ae070, size=248)
    frame #7: 0xffffff8012601739 kernel.development`::IOFree(inAddress=<unavailable>, size=248)
    frame #8: 0xffffff7f94ebf90e IOBluetoothFamily`IOBluetoothHCIUserClient::SimpleDispatchWL + 1676
    frame #9: 0xffffff801263eb58 kernel.development`IOCommandGate::runAction at IOCommandGate.cpp:217:11 [opt]
    frame #10: 0xffffff7f94ebf266 IOBluetoothFamily`IOBluetoothHCIUserClient::externalMethod + 228
    ......

Summary of case #2 and case #3

1. Vulnerabilities like CVE-2020-9928 have been hidden in plain sight for a long time and affect all macOS Bluetooth HCI handlers.

2. This type of vulnerability is difficult for some traditional fuzzing methods to find.

3. Security Update 2020-002 can be bypassed.

Did you push your limits?

Part 2 - As a software engineer

Case #4: CVE-2020-10013

Case #5: CVE-2020-9833

Case #6: CVE-2022-26762

Case #4 - CVE-2020-10013

CVE-2020-10013
AppleBCMWLANCore Dbg Arbitrary Memory Write Vulnerability

About the security content of iOS 14.0 and iPadOS 14.0
/en-us/HT211850

About the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave
/en-us/HT211849

Boundary checking

A weird kernel-space boundary condition caused this vulnerability.

Case study of CVE-2020-10013

Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8000398082 kernel`bcopy + 18
kernel`bcopy:
->  0xffffff8000398082 <+18>: rep
    0xffffff8000398083 <+19>: movsb  (%rsi), %es:(%rdi)
    0xffffff8000398084 <+20>: retq
(lldb) register read
General Purpose Registers:
     rcx = 0x0000000000000011
     rsi = 0xffffff81b1d5e000
     rdi = 0xffffff80deadbeef
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0xffffff8000398082 kernel`bcopy + 18
    frame #1: 0xffffff800063abd4 kernel`memmove + 20
    frame #2: 0xffffff7f828e1a64 AppleBCMWLANCore`AppleBCMWLANUserPrint + 260
    ......

Summary of case #4 - CVE-2020-10013

1. CVE-2020-10013 is an arbitrary memory write vulnerability caused by a boundary checking error.

2. The value to be written is controllable or predictable.

3. Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed. The write primitive is stable and does not require heap Feng Shui manipulation.

4. This vulnerability affects hundreds of AppleBCMWLANCore Dbg handlers!

A complete LPE chain

Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed.

A good information disclosure example is CVE-2020-9833.

Case #5 - CVE-2020-9833

CVE-2020-9833:
AppleBCMWLANBusInterfacePCIe::loadChipImage / AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob Kernel Information Disclosure Vulnerability
Patched via Security Update 2020-003
/en-us/HT211170

Reverse engineering and binary auditing

Step 1. Allocation

Step 2. Initialization

but not initialized

AppleBCMWLANBusInterfacePCIe::handleFWTrap reverse engineering

Step 3. Firmware trap info extraction

AppleBCMWLANBusInterfacePCIe::loadChipImage reverse engineering

AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob reverse engineering

Bypass the AppleBCMWLANBusInterfacePCIe::handleFWTrap

The expected execution order is Step 1, 2 and then 3.

Is it possible to extract information in the trap buffer before it is initialized?

Is it possible to "race" the execution order from Step 1, 2 and 3 to Step 1, 3, (2)?

Yes, it is possible.

The leaked heap data can exceed 0x200 bytes, including kernel objects, function pointers, etc.

Defeat KASLR

Case #6 - CVE-2022-26762

CVE-2022-26762
IO80211Family`getRxRate Arbitrary Memory Write Vulnerability

About the security content of iOS 15.5 and iPadOS 15.5
/en-us/HT213258

About the security content of macOS Monterey 12.4
/en-us/HT213257

User input sanitization

The vulnerable function forgets to sanitize the user-mode pointer.

macOS/iOS/FreeBSD kernel's copyin and copyout:
/documentation/kernel/1441036-copyin
/documentation/kernel/1441088-copyout

Linux kernel's __copy_from_user and __copy_to_user:
/doc/htmldocs/kernel-api/API---copy-from-user.html
/doc/htmldocs/kernel-api/API---copy-to-user.html

Windows kernel's ProbeForRead and ProbeForWrite:
/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-probeforread
/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-probeforwrite

Case study of CVE-2022-26762

Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8008b23ed7 IO80211Family`getRxRate(IO80211Controller*, IO80211Interface*, IO80211VirtualInterface*, IO80211InfraInterface*, apple80211req*, bool) + 166
IO80211Family`getRxRate:
->  0xffffff8008b23ed7 <+166>: movl   %eax, (%rbx)
    0xffffff8008b23ed9 <+168>: xorl   %eax, %eax
    0xffffff8008b23edb <+170>: movq   0xca256(%rip), %rcx
    0xffffff8008b23ee2 <+177>: movq   (%rcx), %rcx
(lldb) register read
General Purpose Registers:
     rax = 0x0000000000000258
     rbx = 0xdeadbeefdeadcafe
     rdi = 0xffffff90345b4dc0
     rsi = 0xffffff8008203ee0
     rbp = 0xffffffd079bcba40
     rsp = 0xffffffd079bcba10
     rip = 0xffffff8008b23ed7  IO80211Family`getRxRate + 166
     ......

Summary of case #6 - CVE-2022-26762

1. Compared with CVE-2020-10013, the root cause of CVE-2022-26762 is simpler: the vulnerable function forgets to sanitize the user-mode pointer. These simple and stable kernel vulnerabilities are powerful; they are perfect for Pwn2Own.

2. The value to be written is fixed.

3. Kernel vulnerabilities caused by missing or incorrect copyin/copyout, copy_from_user/copy_to_user and ProbeForRead/ProbeForWrite checks are very common. Kernel developers should carefully check all input parameters.
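The check that the vulnerable getRxRate path skips, as an added C model that is not Apple's or Microsoft's code: USER_MAX, UMAP_BASE, the user_page[] backing store and the apple80211req_model struct are assumptions, and probe_for_write() / copyout_model() stand in for what ProbeForWrite and copyout enforce (alignment, no wrap of addr + len, the whole range inside user space, and mapped) before a kernel routine may store through a pointer that arrived from user mode.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not Apple's or Microsoft's code. It assumes an
 * x86-64 style split where user addresses lie below USER_MAX, and one
 * constructed user page mapped at UMAP_BASE, backed by user_page[]. */
#define USER_MAX  0x00007FFFFFFFFFFFULL   /* assumed user VA ceiling */
#define UMAP_BASE 0x0000000010000000ULL   /* constructed mapped page */
static uint8_t user_page[4096];

enum probe_result { PROBE_OK, PROBE_ALIGN, PROBE_OVERFLOW, PROBE_RANGE, PROBE_UNMAPPED };

/* The check ProbeForWrite / copyout perform before the kernel may touch
 * a user-supplied pointer: alignment, no wrap-around of addr + len, and
 * the whole [addr, addr + len) interval inside user space. */
static enum probe_result probe_for_write(uint64_t addr, uint64_t len, uint64_t align) {
    if (len == 0) return PROBE_OK;
    if (align > 1 && (addr & (align - 1))) return PROBE_ALIGN;
    if (addr + len < addr) return PROBE_OVERFLOW;       /* wrapped past 2^64 */
    if (addr + len - 1 > USER_MAX) return PROBE_RANGE;  /* reaches kernel space */
    return PROBE_OK;
}

/* copyout model: probe, then require the range to be mapped, then copy. */
static enum probe_result copyout_model(const void *ksrc, uint64_t uaddr, uint64_t len) {
    enum probe_result r = probe_for_write(uaddr, len, 1);
    if (r != PROBE_OK) return r;
    if (uaddr < UMAP_BASE || uaddr + len > UMAP_BASE + sizeof user_page) return PROBE_UNMAPPED;
    memcpy(user_page + (uaddr - UMAP_BASE), ksrc, (size_t)len);
    return PROBE_OK;
}

typedef struct { uint64_t rate_out; } apple80211req_model;  /* pointer from user mode */

/* Vulnerable shape of getRxRate: store straight through the user pointer
 * (the movl %eax,(%rbx) in the deck). 0xdeadbeefdeadcafe faults, and a
 * kernel address is silently overwritten. Contrast only: never call it
 * with an unchecked address. */
static int store_rate_unsafe(const apple80211req_model *req, uint32_t rate) {
    *(uint32_t *)(uintptr_t)req->rate_out = rate;
    return 0;
}

/* Hardened shape: validate the pointer, then write only through copyout. */
static enum probe_result store_rate_safe(const apple80211req_model *req, uint32_t rate) {
    enum probe_result r = probe_for_write(req->rate_out, sizeof rate, sizeof rate);
    if (r != PROBE_OK) return r;
    return copyout_model(&rate, req->rate_out, sizeof rate);
}
```

The values from the register dump (rbx = 0xdeadbeefdeadcafe, rsi-style kernel addresses) are rejected by the probe before any write happens; only an aligned, mapped user address receives the rate.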

Did you push your limits?

Part 3 - As a quality assurance specialist

Case #7: OE089712553931

Case #8: CVE-2025-24257

Case #7 - OE089712553931

The 0x3F2 branch of AppleBCMWLANCore::handleCardSpecific on macOS Sonoma

Data-only modification

Pierced through all SDL workflows

But this data-only modification forgot the most important thing: the 0x3F2 branch has hardcoded the "-" detection code. This means that the rest of the loop is removed, which directly leads to out-of-bounds read/write to the kernel array.

Summary of case #7 - OE089712553931

Case #8 - CVE-2025-24257

CVE-2025-24257
IOGPUResource::newResourceGroup Kernel Out-of-bounds Read and Write Vulnerability

About the security content of iOS 18.4 and iPadOS 18.4
/en-us/122371

About the security content of macOS Sequoia 15.4
/en-us/122373

Boundary checking

Patch bypass

Bypassing the patch on the macOS Tahoe 26.0 Beta (25A5279m)

Part 4 - As a participant in the software development lifecycle

Case #9: CVE-2024-44199

Case #10: CVE-2024-44197

Is it still possible to find new IOMFB kernel vulnerabilities?

CVE-2024-44199
IOMFB::PBTBlockHandlerGeneric::get_map_buf_descs Kernel Out-of-bounds Vulnerability caused by Comparison between Unsigned and Signed Integers

About the security content of macOS Sonoma 14.6
/en-us/120911

Everybody gets free kernel access in 2024

The patches
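The signed/unsigned comparison class behind CVE-2024-44199, as an added C illustration that is not the IOMFB code: the map_request_t layout, MAX_DESCS and the descriptor struct are constructed assumptions. The count is checked in signed arithmetic and then used as an unsigned loop bound, so a negative count slips past the check and becomes a huge bound; the fixed check rejects negatives before the conversion ever happens.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed illustration of the bug class the slide names (a signed
 * count checked against a signed limit, then used as an unsigned bound);
 * it is not the IOMFB code. The request carries the descriptor count as
 * a SIGNED 32-bit field and the destination array holds MAX_DESCS. */
#define MAX_DESCS 16u
typedef struct { uint32_t offset; uint32_t length; } buf_desc_t;
typedef struct { int32_t count; const buf_desc_t *descs; } map_request_t;

/* Vulnerable check: both operands are signed, so -1 <= 16 holds and a
 * negative count is accepted. (Had the limit stayed unsigned, count would
 * have converted to 0xFFFFFFFF and been rejected by accident; the
 * signedness mismatch between check and use is the bug.) */
static bool count_ok_unsafe(int32_t count) {
    return count <= (int32_t)MAX_DESCS;
}

/* Fixed check: reject negatives before the value ever becomes unsigned. */
static bool count_ok_safe(int32_t count) {
    return count >= 0 && (uint32_t)count <= MAX_DESCS;
}

/* The bound the copy loop really iterates to: the signed count converts
 * to the unsigned index type, so -1 becomes 0xFFFFFFFF. */
static uint32_t loop_bound(int32_t count) {
    return (uint32_t)count;
}

/* Copies descriptors into dst[dst_slots]. Returns the number copied, -1
 * if the check rejected the request, or -2 when the loop bound exceeds
 * the destination, i.e. the point where the kernel would write out of
 * bounds; the model stops there instead of corrupting memory. */
static int copy_descs(const map_request_t *req, buf_desc_t *dst,
                      size_t dst_slots, bool (*check)(int32_t)) {
    if (!check(req->count)) return -1;
    uint32_t n = loop_bound(req->count);
    if (n > dst_slots) return -2;    /* reached only with count_ok_unsafe */
    for (uint32_t i = 0; i < n; i++) dst[i] = req->descs[i];
    return (int)n;
}
```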

Case #10 - CVE-2024-44197

CVE-2024-44197
IOGPUDeviceUserClient::s_create_notificationqueue / IOGPUDeviceUserClient::s_destroy_notificationqueue Notification Queue Out-of-bounds Access Vulnerability

About the security content of macOS Sequoia 15.1
/en-us/121564

Patch for CVE-2024-44197

The patch for the vulnerability is straightforward.

The confusing security advisory

History of NULL Pointer Dereferences on macOS
/history-of-null-pointer-dereferences-on-macos/

Case Study: IOMobileFramebuffer NULL Pointer Dereference
/case-study-iomobileframebuffer-null-pointer-dereference/

Response from Apple's product security team

I have also discussed this issue with the Apple SRC team, and they have promised to modify the description for CVE-2024-44197 / OE098860881902.

Did you push your limits?

Part 5 - As a security researcher

A bad case from myself

A case from Udi Yavo, CTO at enSilo

A case from Sec
