Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Exploiting Userland Vulnerabilities to Get Rogue App Installed Remotely on iOS 11

Recon Conference via YouTube

Overview

Explore advanced iOS exploitation techniques in this 55-minute Recon Conference talk. Delve into the strategies used to remotely pwn iOS 11 systems, breaking Apple's sandbox and installing persistent rogue applications without kernel exploits. Learn about the double free vulnerability (CVE-2017-7162) in the IOKit framework, advanced exploit techniques for 100% reliable exploitation, and methods for bypassing code signing requirements. Gain insights into sandbox escape technology, browser exploitation, and the challenges of chaining vulnerabilities to defeat iOS defenses. Witness a live demonstration of these techniques and compare them to Android exploitation. Examine the Pegasus APT case study and discuss iOS 12 sandbox hardening measures.

Syllabus

Intro
Agenda
Typical exploit chain (mobile Pwn20wn) 1/2
Why not a kernel bug to escape the sandbox?
iOS sandbox overview
Our strategy on sandbox bypass
General approach to exploit double free
Problem 1: fill in object B
Problem 2: stable race to fill
CF object fill into vm_allocate
The strategy doesn't work
Android Comparison
Pegasus APT
Initial Step: Setting up the required files
Final step, showing the app
Examining the roadblocks
iOS 12 sandbox hardening

Taught by

Recon Conference

Reviews

Start your review of Exploiting Userland Vulnerabilities to Get Rogue App Installed Remotely on iOS 11

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.