iOS privilege escalation via crashing
Among the vulnerabilities fixed in iOS 11.4.1 and macOS 10.13.6 is CVE-2018-4280, a Mach port replacement issue in launchd that was very similar to CVE-2018-4206. This vulnerability could be exploited to impersonate system services, at which point it is possible to escape the sandbox and elevate privileges.
I developed an exploit called blanket for this vulnerability earlier this year. The exploit achieves code execution inside of ReportCrash, which is a highly privileged process, and then uses these new privileges to disable codesigning and spawn a bind shell. All of this is achieved without compromising the kernel in any way. (Sometimes the easiest way to win is not to play.) Even though the vulnerability was only fixed in iOS 11.4.1, the exploit is specific to iOS 11.2.6 and will need adjustment to work on later versions.
I presented “Crashing to root: How to escape the iOS sandbox using abort()” about the vulnerability at the beVX security conference in Hong Kong on September 21, 2018. You can find the slides here or in my presentations repository on GitHub. I also published the source code of blanket, and you can find a writeup in the repository’s README.
I will be talking about this exploit in greater detail (including the steps involved in post-exploitation) at CODE BLUE in Tokyo, and I’ll also discuss the macOS variant at Objective by the Sea in Maui.