XNU Heap Exploitation - From Kernel Bug to Kernel Control
Offered By: nullcon via YouTube
Course Description
Overview
Explore XNU heap exploitation techniques in this conference talk from NULLCON Goa 2020. Dive into the intricacies of exploiting kernel bugs CVE-2018-4344 and CVE-2019-6225 through three kernel exploits: treadm1ll, v1ntex, and v3ntex. Begin with an introduction to XNU internals, focusing on Mach ports and heap allocators zalloc and kalloc. Learn how to progress from a proof of concept to a full kernel exploit, with emphasis on identifying non-obvious exploitation primitives and effective heap manipulation strategies. Examine the impact of version changes between iOS 11 and iOS 12 on exploitation techniques, and understand how small modifications can significantly affect exploit functionality. Gain insights from an experienced iOS hacker who has contributed to various jailbreaks and created tools for research and downgrading across multiple Apple devices.
Syllabus
Intro
Topics
Goal
General idea
Disclaimer
Mach ports
Task ports
Send right
Zones
Catalog
treadm1ll exploit
liolistio
kernel panic
mock messages
different types of messages
heap zones
heap in memory
reallocate heap
kcall
pan
pan bypass
block360ccn
vultureswap
mick
zuguza
thepark
Screenshot
Code
Expectations
v1ntex exploit
gc vouchers
target voucher
allocation
voucher allocation
assumptions
garbage collection
time
control
memory pressure
readback
pointer leak
dangling voucher
iprequest
kread
fake port
k read
v3ntex leak
kernel leak
ref mitigations
pipes
nonblocking pipe
heap pointer to port
fake ports
kernel read
kernel zone map
v3ntex cell
conclusion
Q&A
Taught by
nullcon
Related Courses
Kernel Exploitation with a File System Fuzzer (Hack In The Box Security Conference via YouTube)
iOS 10 Kernel Heap Revisited (Hack In The Box Security Conference via YouTube)
Swiping Through Modern Security Features (Hack In The Box Security Conference via YouTube)
Turning - Page Tables - Bypassing Advanced Kernel Mitigations Using Page Tables Manipulations (BSidesLV via YouTube)
Exploiting Race Conditions Using the Scheduler (Linux Foundation via YouTube)