
Did you push your limits? Asking again, 25 years later (你盡力了嗎 25年后的追問)

Agenda
- Speaker biography
- Did you push your limits? Part 1 - As a system architect
- Part 2 - As a software engineer
- Part 3 - As a quality assurance specialist
- Part 4 - As a participant in the software development lifecycle
- Part 5 - As a security researcher
- Takeaways

About me
Wang Yu. Security researcher. Serial entrepreneur, currently serving as CEO/CTO of a leading data security company. Engineering background. Consistently delivering world-class research achievements bridging industry and academia.

Did you push your limits? Part 1 - As a system architect
Case #1: The story behind IOMobileFrameBuffer and CVE-2024-44199
Case #2 and Case #3: CVE-2020-3905 and CVE-2020-9928

Case #1 - The story behind IOMobileFrameBuffer
The statistical data on IOMobileFrameBuffer vulnerabilities indicates that the competition between the offensive and defensive sides once reached a fever pitch. According to publicly available records, a total of sixteen kernel vulnerabilities in IOMobileFrameBuffer have been reported throughout its history. Among them, four were actively exploited by APT groups (CVE-2021-30807, CVE-2021-30883, CVE-2021-30983, CVE-2022-22587), two were leveraged for iOS jailbreak tools (JailbreakMe 3.0 - CVE-2011-0227, Pangu9 - CVE-2016-4654), and one was successfully utilized to win a security challenge competition (Tianfu Cup - CVE-2021-30983).

The historical landscape of kernel vulnerabilities
2011 - CVE-2011-0227 (Comex, JailbreakMe 3.0)
2012 - N/A
2013 - N/A
2014 - N/A
2015 - CVE-2015-1097 (Barak Gabai), CVE-2015-5843 (Filippo Bigarella)
2016 - CVE-2016-4654 (Tielei Wang - Team Pangu, Pangu9)
2017 - CVE-2017-13879 (Apple)
2018 - CVE-2018-4335 (Brandon Azad)
2019 - N/A
2020 - N/A

The historical landscape of kernel vulnerabilities (cont)
2021 - CVE-2021-30807 (ITW APT attack / Saar Amar), CVE-2021-30883 (ITW APT attack / Tielei Wang - Team Pangu), CVE-2021-30983 (Tielei Wang - Team Pangu, Tianfu Cup Competition), CVE-2021-30985 (Tielei Wang - Team Pangu), CVE-2021-30991 (Tielei Wang - Team Pangu), CVE-2021-30996 (Saar Amar)
2022 - CVE-2022-22587 (ITW APT attack / Meysam Firouzi / Siddharth Aeri), CVE-2022-26768 (an anonymous researcher, highly likely exploited by an ITW APT attack), CVE-2022-46690 (John Aakerblom), CVE-2022-46697 (John Aakerblom / Antonio Zekic)
2023 - N/A
2024 - Any ideas?

I missed that era
《IOMFB的一些陳芝麻》 (Some old stories about IOMFB)
Pangu 9 Internals: https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf
Selector 0x53 - CVE-2021-30807: WebContent to EL1 LPE - OOBR in AppleCLCD and IOMobileFrameBuffer, https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
Selector 0x4E - CVE-2021-30883: Bindiff and PoC for the IOMFB Vulnerability, iOS 15.0.2, https://saaramar.github.io/IOMFB_integer_overflow_poc/
The attack surfaces have been removed.

Case #2 and #3 - CVE-2020-3905 and CVE-2020-9928
CVE-2020-3905: IOBluetoothHCIUserClient::DispatchHCIWriteEncryptionMode (OpCode 0xC22) Kernel Object Race Condition Vulnerability. Patched via Security Update 2020-002, but this patch can be bypassed. https://support.apple.com/en-us/HT211100
CVE-2020-9928: IOBluetoothFamily Kernel Object Race Condition Vulnerability Triggered by Mixed HCI Commands. Patched via Security Update 2020-004. https://support.apple.com/en-us/HT211289
IOBluetoothHCIUserClient::DispatchHCIChangeLocalName

Hacking IOBluetooth: http://colemancda.github.io/2018/03/25/Hacking-IOBluetooth
Follow the calling sequence below:
1. DispatchHCIRequestCreate
2. DispatchHCIReadLocalName
3. DispatchHCIChangeLocalName
4. DispatchHCI......
5. DispatchHCIRequestDelete

IOBluetoothFamily HCI gadgets
A call stack from "Hacking IOBluetooth" (selected)

Thread 0x2f5    DispatchQueue 1    1001 samples (1-1001)    priority 31-46 (base 31)    cputime 0.0228
     _xpc_connection_call_event_handler + 35 (libxpc.dylib + 44950) [0x7fff96b4bf96]
  4  ??? (blued + 551462) [0x105f63a26]
  4  ??? (blued + 239559) [0x105f177c7]
  4  _NSSetCharValueAndNotify + 260 (Foundation + 448025) [0x7fff82baa619]
  4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKey:key:key:usingBlock:] + 60 (Foundation + 27629) [0x7fff82b43bed]
  4  -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:usingBlock:] + 944 (Foundation + 1579207) [0x7fff82cbe8c7]
  4  NSKeyValueDidChange + 486 (Foundation + 274052) [0x7fff82b7fe84]
  4  NSKeyValueNotifyObserver + 350 (Foundation + 275949) [0x7fff82b805ed]
  4  ??? (blued + 112657) [0x105ef8811]
  1  ??? (blued + 117061) [0x105ef9945]
  1  -[BroadcomHostController BroadcomHCILEAddAdvancedMatchingRuleWithAddress:address:blob:mask:RSSIThreshold:packetType:matchingCapacity:matchingRemaining:] + 200
  1  sendRawHCIRequest + 246 (IOBluetooth + 344294) [0x7fff830540e6]
  1  IOConnectCallStructMethod + 56 (IOKit + 29625) [0x7fff830ab3b9]
  1  IOConnectCallMethod + 336 (IOKit + 29170) [0x7fff830ab1f2]
  1  io_connect_method + 375 (IOKit + 531601) [0x7fff83125c91]
  1  mach_msg_trap + 10 (libsystem_kernel.dylib + 74570) [0x7fff96a1f34a]
 *1  hndl_mach_scall64 + 22 (kernel + 638390) [0xffffff800029bdb6]
 *1  mach_call_munger64 + 456 (kernel + 2011608) [0xffffff80003eb1d8]
 *1  mach_msg_overwrite_trap + 327 (kernel + 919415) [0xffffff80002e0777]
 *1  ipc_kmsg_send + 225 (kernel + 835505) [0xffffff80002cbfb1]
 *1  ipc_kobject_server + 412 (kernel + 980924) [0xffffff80002ef7bc]
 *1  ??? (kernel + 1827576) [0xffffff80003be2f8]
 *1  is_io_connect_method + 497 (kernel + 7259025) [0xffffff80008ec391]
 *1  IOBluetoothHCIUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*) + 257
 *1  IOCommandGate::runAction(int (*)(OSObject*, void*, void*, void*, void*), void*, void*, void*, void*) + 314 (kernel + 7068058) [0xffffff80008bd99a]
 *1  IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams*) + 918 (IOBluetoothFamily + 83308) [0xffffff7f81eb856c]
 *1  IOBluetoothHostController::SendRawHCICommand(unsigned int, char*, unsigned int, unsigned char*, unsigned int) + 2423 (IOBluetoothFamily + 327391) [0xffffff7f81ef3edf]
 *1  IOBluetoothHCIRequest::Start() + 515 (IOBluetoothFamily + 114737) [0xffffff7f81ec0031]
 *1  IOEventSource::sleepGate(void*, unsigned long long, unsigned int) + 83 (kernel + 7062579) [0xffffff80008bc433]
 *1  IOWorkLoop::sleepGate(void*, unsigned long long, unsigned int) + 126 (kernel + 7057470) [0xffffff80008bb03e]
 *1  lck_mtx_sleep_deadline + 147 (kernel + 1019715) [0xffffff80002f8f43]
 *1  thread_block_reason + 222 (kernel + 1061566) [0xffffff80003032be]
 *1  ??? (kernel + 1066139) [0xffffff800030449b]
 *1  machine_switch_context + 206

What can be read from the call stack
This is a complete call stack for sending a raw vendor-specific command. The entry and exit routines of the macOS IOBluetoothFamily HCI path are IOBluetoothHCIUserClient::SimpleDispatchWL and IOBluetoothHCIRequest::Start. How to ensure that Bluetooth-related data structures are safe in a multithreaded environment?

IOCommandGate mechanism
Class IOCommandGate: Single-threaded work-loop client request mechanism. https://dev/documentation/kernel/iocommandgate
Routine IOCommandGate::runAction: Single thread a call to an action with the target work-loop.
Routine IOCommandGate::commandSleep: Put a thread that is currently holding the command gate to sleep.

Yes, you can sleep for a while
Routine IOCommandGate::commandSleep: Put a thread to sleep waiting for an event but release the gate first.
At this time, the HCI request is NOT completed by the Bluetooth controller. So again, how to ensure the Bluetooth-related data structures are safe in this window? Unfortunately, this issue has not been considered.

IOBluetoothFamily HCI request flow
Race condition window
Data and state inconsistency

Recall the Win32K user mode callback mechanism
Win32k cannot hold the lock when calling back to user mode. Releasing the lock means that there is a window in which the kernel data structures are not protected. Reference counting and object lifecycle management are very important.
A New CVE-2015-0057 Exploit Technology: /docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf
nt!KeUserModeCallback and nt!NtCallbackReturn

Case study of CVE-2020-9928

(lldb) register read rdx rsi
General Purpose Registers:
       rdx = 0xffffff801270fcfa  "\"Element %p from zone %s caught being freed to wrong zone %s\n\"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4570.61.1/osfmk/kern/zalloc.c:3528"
       rsi = 0xffffff8012749a40  "panic"
(lldb) bt
thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_cpu_datap
    frame #1: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] current_processor
    frame #2: 0xffffff8011f7c8ea kernel.development`panic_trap_to_debugger [inlined] DebuggerTrapWithState
    frame #3: 0xffffff8011f7c8ba kernel.development`panic_trap_to_debugger
    frame #4: 0xffffff8011f7c6bc kernel.development`panic(str=<unavailable>) at debug.c:611:2 [opt]
    frame #5: 0xffffff8011fd5f09 kernel.development`zfree(zone=0xffffff80128c10d0, addr=0xffffff80403ae070)
    frame #6: 0xffffff8011f89a69 kernel.development`kfree(data=0xffffff80403ae070, size=248)
    frame #7: 0xffffff8012601739 kernel.development`::IOFree(inAddress=<unavailable>, size=248)
    frame #8: 0xffffff7f94ebf90e IOBluetoothFamily`IOBluetoothHCIUserClient::SimpleDispatchWL + 1676
    frame #9: 0xffffff801263eb58 kernel.development`IOCommandGate::runAction at IOCommandGate.cpp:217:11 [opt]
    frame #10: 0xffffff7f94ebf266 IOBluetoothFamily`IOBluetoothHCIUserClient::externalMethod + 228
......

Summary of case #2 and case #3
1. Vulnerabilities like CVE-2020-9928 have been hidden in plain sight for a long time and affect all macOS Bluetooth HCI handlers.
2. Some traditional fuzzing methods have difficulty finding this type of vulnerability.
3. Security Update 2020-002 can be bypassed.
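The commandSleep window from cases #2 and #3, as an added example that is not Apple's code or the slides' own: a single-threaded model in which the gate is a flag, the time between releasing and re-taking the gate stands for "the controller has not completed the request", and the interleaved caller is a gated DispatchHCIRequestDelete-style routine. The structure, the dispatch_* names and the use of the 0x0C22 opcode are assumptions; the "free" only clears a magic value so the stale use stays observable.

```c
/* Added example, not Apple's code: model of the IOCommandGate::commandSleep window.
 * Names (hci_request, dispatch_*) and the opcode handling are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define REQ_MAGIC 0x48434952u          /* 'HCIR'; cleared when the object is freed */

struct hci_request {
    uint32_t magic;
    int      refs;
    uint16_t opcode;
};

static struct hci_request pool[1];     /* stands in for the kernel zone element */
static int gate_held;                  /* IOCommandGate: one dispatch at a time */
static struct hci_request *cur;        /* request owned by the user client */

static void gate_enter(void) { if (gate_held) abort(); gate_held = 1; }
static void gate_exit(void)  { gate_held = 0; }

static struct hci_request *request_create(void) {
    memset(pool, 0, sizeof pool);
    pool[0].magic = REQ_MAGIC;
    pool[0].refs  = 1;
    return &pool[0];
}

static void request_release(struct hci_request *r) {
    if (--r->refs == 0) r->magic = 0;  /* "free": memory stays mapped so a stale use is detectable */
}

/* Gated DispatchHCIRequestDelete: what another caller can do during the window. */
static void dispatch_request_delete(void) {
    gate_enter();
    struct hci_request *r = cur;
    cur = NULL;
    if (r) request_release(r);
    gate_exit();
}

static void nothing_happens(void) { }

/* commandSleep: the gate is released before sleeping, so any gated call may run. */
static void command_sleep(void (*during_window)(void)) {
    gate_exit();
    during_window();
    gate_enter();
}

/* Vulnerable shape: a raw pointer is kept across the sleep, no reference, no re-check.
 * Returns 0 on success, -1 if the request was used after it was freed. */
static int dispatch_vulnerable(void (*during_window)(void)) {
    gate_enter();
    struct hci_request *r = cur;
    r->opcode = 0x0C22;                /* WriteEncryptionMode opcode from the slide */
    command_sleep(during_window);
    int rc = (r->magic == REQ_MAGIC) ? 0 : -1;
    gate_exit();
    return rc;
}

/* Hardened shape: take a reference before sleeping, re-validate ownership after.
 * Returns 0 on success, 1 if the request was deleted underneath us and is skipped. */
static int dispatch_hardened(void (*during_window)(void)) {
    gate_enter();
    struct hci_request *r = cur;
    r->refs++;
    r->opcode = 0x0C22;
    command_sleep(during_window);
    int rc = (cur == r) ? 0 : 1;       /* r is still alive here because of our reference */
    request_release(r);
    gate_exit();
    return rc;
}

/* race = 1 interleaves a delete inside the sleep window. */
static int scenario(int hardened, int race) {
    cur = request_create();
    void (*window)(void) = race ? dispatch_request_delete : nothing_happens;
    int rc = hardened ? dispatch_hardened(window) : dispatch_vulnerable(window);
    if (cur) dispatch_request_delete();
    return rc;
}

int main(void) {
    printf("vulnerable, race: %d (-1 = use after free)\n", scenario(0, 1));
    printf("hardened,   race: %d (1 = request gone, skipped safely)\n", scenario(1, 1));
    return 0;
}
```

The hardened path is the "reference counting and object lifecycle management" point from the Win32k analogy: the reference keeps the object alive across the unprotected window, and the ownership check after waking decides whether the work is still valid.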

Did you push your limits? Part 2 - As a software engineer
Case #4: CVE-2020-10013
Case #5: CVE-2020-9833
Case #6: CVE-2022-26762

Case #4 - CVE-2020-10013
CVE-2020-10013: AppleBCMWLANCoreDbg Arbitrary Memory Write Vulnerability
About the security content of iOS 14.0 and iPadOS 14.0: https://support.apple.com/en-us/HT211850
About the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave: https://support.apple.com/en-us/HT211849

Boundary checking
A weird kernel-space boundary condition caused this vulnerability.

Case study of CVE-2020-10013
Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8000398082 kernel`bcopy + 18
kernel`bcopy:
->  0xffffff8000398082 <+18>: rep
    0xffffff8000398083 <+19>: movsb  (%rsi), %es:(%rdi)
    0xffffff8000398084 <+20>: retq
(lldb) register read
General Purpose Registers:
       rcx = 0x0000000000000011
       rsi = 0xffffff81b1d5e000
       rdi = 0xffffff80deadbeef
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0xffffff8000398082 kernel`bcopy + 18
    frame #1: 0xffffff800063abd4 kernel`memmove + 20
    frame #2: 0xffffff7f828e1a64 AppleBCMWLANCore`AppleBCMWLANUserPrint + 260
......

Summary of case #4 - CVE-2020-10013
1. CVE-2020-10013 is an arbitrary memory write vulnerability caused by a boundary checking error.
2. The value to be written is controllable or predictable.
3. Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed. The write primitive is stable and does not require heap Feng Shui manipulation.
4. This vulnerability affects hundreds of AppleBCMWLANCoreDbg handlers!

A complete LPE chain
Combined with kernel information disclosure vulnerabilities, a complete local EoP exploit chain can be formed. A good information disclosure example is CVE-2020-9833.

Case #5 - CVE-2020-9833
CVE-2020-9833: AppleBCMWLANBusInterfacePCIe::loadChipImage / AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob Kernel Information Disclosure Vulnerability. Patched via Security Update 2020-003. https://support.apple.com/en-us/HT211170

AppleBCMWLANBusInterfacePCIe::handleFWTrap reverse engineering
Step 3. Firmware trap info extraction

AppleBCMWLANBusInterfacePCIe::loadChipImage reverse engineering
Reverse engineering and binary auditing
Step 1. Allocation
Step 2. Initialization (the buffer allocated in Step 1 is not initialized until here)

AppleBCMWLANBusInterfacePCIe::copyTrapInfoBlob reverse engineering
Bypass the AppleBCMWLANBusInterfacePCIe::handleFWTrap
The expected execution order is Step 1, 2 and then 3. Is it possible to extract information in the trap buffer before it is initialized? Is it possible to "race" the execution order from Step 1, 2 and 3 to Step 1, 3, (2)?
The leaked heap data can exceed 0x200 bytes, including kernel objects, function pointers, etc.
Yes, it is possible.
Defeat KASLR

Case #6 - CVE-2022-26762
CVE-2022-26762: IO80211Family`getRxRate Arbitrary Memory Write Vulnerability
About the security content of iOS 15.5 and iPadOS 15.5: https://support.apple.com/en-us/HT213258
About the security content of macOS Monterey 12.4: https://support.apple.com/en-us/HT213257

User input sanitization
The vulnerable function forgets to sanitize a user-mode pointer.
macOS/iOS/FreeBSD kernel's copyin and copyout: https://develo/documentation/kernel/1441036-copyin, https://deve/documentation/kernel/1441088-copyout
Linux kernel's __copy_from_user and __copy_to_user: /doc/htmldocs/kernel-api/API---copy-from-user.html, /doc/htmldocs/kernel-api/API---copy-to-user.html
Windows kernel's ProbeForRead and ProbeForWrite: /en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-probeforread, /en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-probeforwrite

Case study of CVE-2022-26762
Process 1 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0xffffff8008b23ed7 IO80211Family`getRxRate(IO80211Controller*, IO80211Interface*, IO80211VirtualInterface*, IO80211InfraInterface*, apple80211req*, bool) + 166
IO80211Family`getRxRate:
->  0xffffff8008b23ed7 <+166>: movl   %eax, (%rbx)
    0xffffff8008b23ed9 <+168>: xorl   %eax, %eax
    0xffffff8008b23edb <+170>: movq   0xca256(%rip), %rcx
    0xffffff8008b23ee2 <+177>: movq   (%rcx), %rcx
(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000258
       rbx = 0xdeadbeefdeadcafe
       rdi = 0xffffff90345b4dc0
       rsi = 0xffffff8008203ee0
       rbp = 0xffffffd079bcba40
       rsp = 0xffffffd079bcba10
       rip = 0xffffff8008b23ed7  IO80211Family`getRxRate + 166
......

Summary of case #6 - CVE-2022-26762
1. Compared with CVE-2020-10013, the root cause of CVE-2022-26762 is simpler: the vulnerable function forgets to sanitize a user-mode pointer. These simple and stable kernel vulnerabilities are powerful; they are perfect for Pwn2Own.
2. The value to be written is fixed.
3. Kernel vulnerabilities caused by missing or incorrect use of copyin/copyout, copy_from_user/copy_to_user and ProbeForRead/ProbeForWrite are very common. Kernel developers should carefully check all input parameters.
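The getRxRate-style bug from case #6, as an added example that is not Apple's code or the slides' own: a handler that stores through a pointer taken from the request structure, beside the same handler routed through a copyout that refuses destinations outside the user range. Two arrays in this process play the user and kernel address spaces; the request layout, the handler names and the kernel object being overwritten are assumptions, and only the 0x258 value comes from the session above.

```c
/* Added example, not Apple's code: dereferencing a user-supplied pointer vs copyout().
 * req_model, copyout_model, the handlers and kobj are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define RX_RATE 0x258u                       /* value in %rax at the faulting store */

static uint32_t user_space[16];              /* addresses the caller may legitimately name */
static struct { uint32_t refcount; uint32_t flags; } kobj = { 1, 0 }; /* a kernel object */

struct req_model {                           /* hypothetical apple80211req-like request */
    uint32_t type;
    uint32_t len;
    void    *data;                           /* attacker-controlled pointer */
};

/* copyout model: the destination must lie entirely inside the user range, else EFAULT. */
static int copyout_model(const void *ksrc, void *udst, size_t n) {
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof user_space;
    uintptr_t d  = (uintptr_t)udst;
    if (d < lo || d >= hi || n > hi - d) return EFAULT;
    memcpy(udst, ksrc, n);
    return 0;
}

/* Vulnerable shape: stores through req->data directly (the movl %eax,(%rbx) above). */
static int getrxrate_vulnerable(struct req_model *req) {
    *(uint32_t *)req->data = RX_RATE;
    return 0;
}

/* Hardened shape: the same result delivered through copyout. */
static int getrxrate_hardened(struct req_model *req) {
    uint32_t rate = RX_RATE;
    if (req->len < sizeof rate) return EINVAL;
    return copyout_model(&rate, req->data, sizeof rate);
}

/* Request whose pointer names the kernel object's refcount.  Returns the
 * refcount afterwards (1 = untouched) and the handler's return code in *rc. */
static uint32_t attack(int hardened, int *rc) {
    kobj.refcount = 1;
    struct req_model req = { 0, sizeof(uint32_t), &kobj.refcount };
    *rc = hardened ? getrxrate_hardened(&req) : getrxrate_vulnerable(&req);
    return kobj.refcount;
}

/* Legitimate request: pointer into user space.  Returns 1 if the rate arrived. */
static int legit(int hardened) {
    user_space[0] = 0;
    struct req_model req = { 0, sizeof(uint32_t), &user_space[0] };
    int rc = hardened ? getrxrate_hardened(&req) : getrxrate_vulnerable(&req);
    return rc == 0 && user_space[0] == RX_RATE;
}

int main(void) {
    int rc = 0;
    uint32_t after = attack(0, &rc);
    printf("vulnerable: kernel refcount became 0x%x\n", after);
    after = attack(1, &rc);
    printf("hardened: rc=%d (EFAULT=%d), refcount stays %u\n", rc, EFAULT, after);
    return 0;
}
```

The fixed-value write the summary mentions is visible here: the attacker does not choose 0x258, but choosing where it lands is enough to corrupt a refcount or flags word.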

Did you push your limits? Part 3 - As a quality assurance specialist
Case #7: OE089712553931
Case #8: CVE-2025-24257

The 0x3F2 branch of AppleBCMWLANCore::handleCardSpecific on macOS Sonoma

Case #7 - OE089712553931
Data-only modification
Pierced through all SDL workflows
But this data-only modification forgot the most important thing: the 0x3F2 branch has hardcoded the "-" detection code. This means that the rest of the loop is removed, which directly leads to an out-of-bounds read/write of the kernel array.

Summary of case #7 - OE089712553931

Case #8 - CVE-2025-24257
CVE-2025-24257: IOGPUResource::newResourceGroup Kernel Out-of-bounds Read and Write Vulnerability
About the security content of iOS 18.4 and iPadOS 18.4: https://support.app/en-us/122371
About the security content of macOS Sequoia 15.4: https://support.app/en-us/122373

Boundary checking
Patch bypass: bypassing the patch on the macOS Tahoe 26.0 Beta (25A5279m)

Did you push your limits? Part 4 - As a participant in the software development lifecycle
Case #9: CVE-2024-44199
Case #10: CVE-2024-44197

Is it still possible to find new IOMFB kernel vulnerabilities?
CVE-2024-44199: IOMFB::PBTBlockHandlerGeneric::get_map_buf_descs Kernel Out-of-bounds Vulnerability caused by Comparison between Unsigned and Signed Integers
About the security content of macOS Sonoma 14.6: https://support.app/en-us/120911
Everybody gets free kernel access in 2024
The patches
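The signed/unsigned comparison class named for CVE-2024-44199, as an added example that is not Apple's IOMFB code or the slides' own: the real get_map_buf_descs arguments and table layout are not on the page, so the descriptor table, the 64-bit signed index (the width an IOKit scalar argument arrives with) and the 32-bit unsigned count are assumptions. The table is placed inside a larger object so that a negative index lands on a neighbouring field instead of crashing.

```c
/* Added example, not Apple's code: signed index vs unsigned count bounds check.
 * buf_desc, map_state, NDESCS and the neighbouring field are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NDESCS 4

struct buf_desc { uint64_t iova; uint32_t len; uint32_t flags; };

struct map_state {
    struct buf_desc before;          /* neighbouring kernel data (constructed) */
    struct buf_desc descs[NDESCS];
    uint32_t        count;
};

static struct map_state st;

static void reset_state(void) {
    memset(&st, 0, sizeof st);
    st.count = NDESCS;
    st.before.len = 0x1234;          /* marker: must never change */
}

static struct buf_desc *desc_at(int64_t idx) {
    /* byte arithmetic inside the one object, so idx = -1 is the field just before */
    return (struct buf_desc *)((char *)st.descs + (ptrdiff_t)idx * (ptrdiff_t)sizeof(struct buf_desc));
}

/* Vulnerable: `idx < st.count` promotes the uint32_t count to int64_t and compares
 * signed, so -1 < 4 is true and the lower bound is never checked. */
static struct buf_desc *get_desc_vulnerable(int64_t idx) {
    if (idx < st.count) return desc_at(idx);
    return NULL;
}

/* Hardened: reject negatives first, then compare in the unsigned domain. */
static struct buf_desc *get_desc_hardened(int64_t idx) {
    if (idx < 0 || (uint64_t)idx >= st.count) return NULL;
    return &st.descs[idx];
}

/* Write a length through the lookup and report whether the neighbour was hit.
 * Returns 1 if st.before.len was clobbered, 0 if it survived, -1 if the index was refused. */
static int write_len(int hardened, int64_t idx, uint32_t len) {
    reset_state();
    struct buf_desc *d = hardened ? get_desc_hardened(idx) : get_desc_vulnerable(idx);
    if (!d) return -1;
    d->len = len;
    return st.before.len == 0x1234 ? 0 : 1;
}

int main(void) {
    printf("vulnerable idx=-1: %d (1 = out-of-bounds write)\n", write_len(0, -1, 0xdead));
    printf("hardened   idx=-1: %d (-1 = refused)\n", write_len(1, -1, 0xdead));
    return 0;
}
```

The upper bound alone looks correct in a review of the vulnerable check, which is why this class survives SDL workflows; the fix is to compare both bounds in one domain, or to carry the index as an unsigned type from the point it enters the kernel.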

Case #10 - CVE-2024-44197
CVE-2024-44197: IOGPUDeviceUserClient::s_create_notificationqueue / IOGPUDeviceUserClient::s_destroy_notificationqueue NotificationQueue Out-of-bounds Access Vulnerability
About the security content of macOS Sequoia 15.1: https://support.app/en-us/121564
Patch for CVE-2024-44197: The patch for the vulnerability is straightforward.
History of NULL Pointer Dereferences on macOS: https://af/history-of-null-pointer-dereferences-on-macos/
Case Study: IOMobileFramebuffer NULL Pointer Dereference: https://afine.com/case-study-iomobileframebuffer-null-pointer-dereference/
The confusing security advisory
Response from Apple's product security team
I have also discussed this issue with the Apple SRC team, and they have promised to modify the description for CVE-2024-44197/OE098860881902.

Did you push your limits? Part 5 - As a security researcher
A bad case from myself
Ac
