Explore the vulnerabilities of the iPhone XS Max in this Black Hat conference talk. Delve into Apple's Pointer Authentication Code (PAC) implementation and uncover an ancient bug in the XNU kernel that affects even the latest iOS releases. Learn how to exploit this vulnerability to bypass PAC and gain arbitrary kernel read/write access. Examine topics such as Unix Domain Socket, race conditions, use-after-free (UAF) vulnerabilities, and unprotected control flow transfer points. Discover the process of adding trust caches and gaining SSH access on the iPhone XS Max. Gain valuable insights into mobile device security and penetration testing techniques from speakers Tielei Wang and Hao Xu.
Overview
Syllabus
Intro
Outline
Unix Domain Socket
Race Condition
The fix
The pattern
UAF, let's look at the USE
Binary version may be better
PAC (Pointer Authentication Code)
UAF, let's look at the second USE
Got troubles while adding trust caches
tfpo's write capability for kernel image
Look for unprotected control flow transfer points
What can we do
Got ssh on iPhone XS Max
Black Hat Sound Bytes
Taught by
Black Hat
