Synopsis

A few weeks ago I came upon a vulnerability in the iOS kernel, and this morning was able to achieve arbitrary, whatever-I-want code execution on iOS 12 with this and multiple other exploit chains. However, because this is hack for good, when wrapped up with this app I wrote, the kernel exploit allows us to execute arbitrary code developed and built outside of Apple’s ecosystem. In effect, we just turned your iPhone into a totally programmable, hyper-fast Arduino, in essence - an environment you can develop on without deep pockets for developer creds and beefy computers.

In essence, KTP0 uses a combination of Azure containers, Google Cloud, and AWS - to which you can push your code - to side load arbitrary binaries onto the phone wirelessly at runtime. This is hugely convenient, and because we’re executing arbitrary code at the very base level with a low level exploit, the option for kernel-layer execution can run faster than normal iPhone code and offers a competitive experience at no cost.

The opportunity is endless.

The Exploit

KTP0 can be run with multiple exploits. One exploits an incorrectly implemented MiG routine, that doesn't follow proper semantics and exposes a significant reference counting bug. The other exploits a dangling pointer extensively in the iOS TCP stack to gain kernel task port 0, functional on iOS versions up to 12.4.

Once kernel access is gained, KTP0 unsandboxes itself, gains root, and compromises code signing on the phone, allowing for arbitrary code execution. At the same time, the filesystem is maintained in its read-only state to prevent potential malicious action, with an explicit trust routine called for every binary executed. These are pulled from web storage at runtime and can be trusted on the fly.

What we're proud of

An SSH server on an iPhone, developed totally without Xcode tools! Also, a fully functional kernel exploit that allows us to install .app files to the Springboard, allowing for testing completely without macOS infrastructure involved.

What we learned

The power of a UAF vulnerability....null your pointers kids!

What's next for KTPZ

KTPZ not only can run binaries, but is also able to package full .IPA and .APP files for normal runtime. We'd love to expand upon this further, and would like to test this functionality in the coming weeks.

Thanks for everything!

Built With

Share this project:

Updates