YoVDO

The Road to iOS Sandbox Escape

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses Mobile Security Courses iOS Security Courses Vulnerability Research Courses Arbitrary Code Execution Courses

Course Description

Overview

Explore the intricacies of iOS sandbox escape techniques in this HITB Security Conference talk. Delve into the world of mach message IPC and poorly designed daemons, uncovering vulnerabilities that allow arbitrary code execution outside the sandbox. Learn about research tools for analyzing mach message handlers and gain insights into exploiting vulnerabilities across various iOS daemons. Discover the potential for full chain exploitation and necessary gadgets. Understand the challenges of iOS research, explore IDA techniques, and witness demonstrations of sandbox escape methods. Examine specific vulnerabilities in Bluetooth functionality, including pair device retrieval and session token manipulation. Gain valuable knowledge about iOS security, jailbreaking, and cutting-edge mobile device exploitation techniques.

Syllabus

Introduction
Agenda
What is iOS
Design of iOS
Chart Cache
Mock Messages
Lunch
iOS research difficulties
IDA
Sandbox Escape
Sandbox Target
Map Cache
Message Handler
callbacks
coldframe
decompression session
serialization
Python Implementation
Demo
Results
iOS 11 Refactor
Bluetooth Deep
Get Pair Devices
CV4095
Bug Fix
Bluetooth Session Token
Brute Force
Blue2D Demo
Bug Fixes
Global Variables
Token Change
Jailbreak
Spark
References
Credits
Questions


Taught by

Hack In The Box Security Conference

Related Courses

Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack
Cyber Mentor via YouTube
Contextomy - Let's Debug Together
nullcon via YouTube
macOS Security Features Bypasses by Example
nullcon via YouTube
Exploiting Android Messengers with WebRTC
nullcon via YouTube
XNU Heap Exploitation - From Kernel Bug to Kernel Control
nullcon via YouTube