Attacking the XNU Kernel For Fun And Profit – Part 2

This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.

In the previous blog post, I outlined some very important details on how the kernel heap works on both iOS and OS X. In this one, I’ll outline several kernel hardening features Apple has added over the years to stop kernel exploitation. A basic knowledge of the impact of these measures is required in other to further perform any additional exploit. I will begin the tale of the exploitation of a real-world exploit, CVE-2015-1140, a textbook heap overflow present up to Mac OS X 10.10.2 (included) which allowed escalation to Ring 0 from an unprivileged user. I will be describing the techniques involved in this exploit. In the next blog post, I will be showing code to pull these techniques off with CVE-2015-1140.

1) iOS Only – Kernel/User Address Space Isolation
Can be enabled on OS X with no_shared_cr3, but impacts performance.
Impact: Kernel will not be able to read userland data without special routines being used. In the future, SMAP will provide the same protection with no performance impact(?).

2) x86_64 Only – SMEP
Impact: You won’t be able to execute from userland address space when in Ring 0. This still allows read and write to the userland address space. If no_shared_cr3 is used, SMEP becomes useless since kernel/user address space isolation already prevents userland address space access (incl. execution).

3) Kernel W^X
Impact: Executable pages are not writeable. Writeable pages are not executable. This is quite an hassle when combined with SMEP or AS Isolation, because without these instead of jumping to kernel address space you can jump to userland address space mapped as r-x and ring0 will happily run it.

4) KASLR – Kernel Address Space Layout Randomisation
Impact: The obvious way to go around 1, 2 and 3 is to do data-reuse or code-reuse attacks, such as ROP. But you need to be able to locate the data you want to use in memory, by sliding everything randomly on each boot this becomes theoretically impossible.

5) Allocator Hardening / Safe Unlinking
Impact: Prevents the allocator from being exploited. This stops generic heap attacks from working.

Note: There are other “hardening” features all around the kernel, but I’ll be focusing on these since these are the ones that will pretty much always get into your way when writing a kernel exploit.

The Vulnerability

After a couple of days looking around the source code of the open-source kernel extensions installed by default on Mac OS X, I spotted a strange file inside IOHIDFamily, IOHIDSecurePromptClient.cpp.
It became obvious that whoever coded that was high on drugs at the time, since out of 13 functions it exposes to any unprivileged user, one is a “null terminator”, which shouldn’t be an exposed method but it is, due to an off-by-one bug, three are methods that do an unrestricted write-what-where (but the where is limited to a 32 bits wide pointer), and as of 10.10.1 were so broken that they could not possibly be used without crashing the kernel, one is an heap overflow, and generally speaking I do not get the point of this IOUserClient. I am not sure what it is usually used for, but I guess it’s used for nothing at all since half of it’s functions are broken. This class was removed in it’s entirety on 10.10.3, and two methods were removed in 10.10.2.

The heap overflow is fairly simple; the 12th selector (10th after 10.10.2) will take some data from userland and copy it into a fixed-size buffer. There is some form of “sanity checking”, but it’s ridiculously stupid since the cap on the user-passed data’s length is 4095, and the buffer is 256 bytes in size.

We also note that the 256-byte buffer we’ll overflow from is allocated once you request the creation of a new IOHIDSecurePromptClient, so we can perform the allocation from userland at will.

We can fully control the data of any 256 byte allocation adjacent to our buffer, as long as our buffer isn’t the last allocation in a page because our overflow would be writing in an unmapped area. Since a page is 4096 bytes, 16 256-byte allocations fit in a page, and the chance of being the last allocation is 1/16th. This means the exploit will fail around 1/16th if we cannot guess the heap address of our buffer.

Controlling the Heap

In my previous blog post I described some details on how the kernel heap allocator works. In this blog post I’ll make use of “adjacent objects”. Remember, there are different “heaps”, each with a fixed allocation size. When you request an allocation, the last-free’d memory chunks in your size’s “heap” is returned. When no more free memory is available, a new page is mapped and divided in new free memory chunks. So, to allocate adjacent objects what you have to do is fill the interested heap, so a new page is taken. Once a new page is used for allocations, since you know in what order the free memory chunks are used, you can easily allocate adjacent objects. This technique is described with great detail in many papers, and is commonly called “Heap Feng Shui”.

Gaining Code Execution

Due to allocator hardening, trying to perform a generic attack is a waste of time, and since there is no metadata in allocated chunks (just in free ones), after writing the 256th byte we will be directly controlling the values of an allocated chunk. Since the XNU kernel makes use of C++ and the creation/destruction of C++ objects can be controlled from userland, overwriting the vtable pointer of such a C++ object gives us control over the instruction pointer. But what do we use as vtable pointer? An userland pointer would be okay on OS X, but it is not okay today on iOS and won’t be okay anymore sometime in the future on OS X due to Kernel/User Address Space Isolation coming to x86_64 as SMAP. Another important question is: what will we execute? Userland address space can not be executed due to SMEP and we don’t know the kernel address space layout due to KASLR, so we’re at a dead end. We need to work some more.

Breaking KASLR

On XNU, Kernel Address Space Layout Randomisation is pretty simple. A byte is generated randomly at boot. From there, a “kernel slide” is derived. This kernel slide is then added to the base address of kernel extensions as well as the kernel itself. The kernel slide is the same for every kernel address, so leaking a pointer to kernel or kernel extension text or data will always break KASLR, since you can calculate the pointer from userland and subtract the leaked value from the calculated value to find out the value of the slide. Once the slide is known, you are free to use data/code-reuse attacks.

[…]

Backtrace (CPU 0), xxx : Return Address
xxx : 0xffffff800792bda1
xxx : 0xffffff8007e5c436
[…]

Kernel slide: 0x0000000007600000
Kernel text base: 0xffffff8007800000

[…]

— Kernel Panic on KASLR-enabled Mac OS X Machine

Controlling Data In Kernel Address Space

To do this is by finding some kernel function that allows user-land to pass data to be stored in a kernel buffer, and then leak this buffer’s address.
A way to do this is by using pipe() and write(). The data you will write() is copied into a kalloc’d buffer with no metadata. Metadata about your pipe (such as data length) is stored in a fixed-size allocation and is not stored with your data. This is useful if you need to control every byte of a kalloc allocation.

Another way is by sending OOL data via a mach message. This OOL data will be copied into the kernel AS via vm_map_copyin, which will allocate enough bytes to hold your data + 0x58 (on recent x86_64 XNU). Metadata is stored inline. When vm_map_copyout is used, this data is copied back into userland address space.
This is useful since metadata holds your data’s length, and corruption of the length will make vm_map_copyout read out-of-bounds. Furthermore, a pointer called “kdata” will point to the data that will be copied, thus controlling this pointer allows you to read anywhere in kernel memory, useful to find gadgets without having to access the file system to read the kernel. Placing two of these vm_map_copy structs next to another, then corrupting the first one’s size to read the second one’s header allows you to leak the kdata pointer, which will be pointing to the user-controlled data stored in kernel heap. You can then use this pointer to do anything you wish, and it’ll point to your user-controlled data!

struct vm_map_copy {
	int			type;
#define VM_MAP_COPY_KERNEL_BUFFER	3
	vm_object_offset_t	offset;
	vm_map_size_t		size;
	union { 
            [...]
	    struct {				
		void			*kdata;
		vm_size_t		kalloc_size;
	    } c_k; /* KERNEL_BUFFER */
	} c_u;
};
#define cpy_kdata		c_u.c_k.kdata
#define cpy_kalloc_size		c_u.c_k.kalloc_size
kern_return_t
vm_map_copyout(
	vm_map_t		dst_map,
	vm_map_address_t	*dst_addr,	/* OUT */
	vm_map_copy_t		copy)
{
        if (copy->type == VM_MAP_COPY_KERNEL_BUFFER)
                return vm_map_copyout_kernel_buffer(dst_map, dst_addr, copy, FALSE, consume_on_success);
static kern_return_t
vm_map_copyout_kernel_buffer(
	vm_map_t		map,
	vm_map_address_t	*addr,	/* IN/OUT */
	vm_map_copy_t		copy,
	boolean_t		overwrite,
	boolean_t		consume_on_success)
{
        [...]
        copyout(copy->cpy_kdata, *addr, (vm_size_t) copy->size);
        [...]
        kfree(copy, copy->cpy_kalloc_size);
        [...]
}

 

Breaking KASLR – Again

You’ll have to pay attention to some details.
From the previous part of “Breaking KASLR”:

The kernel slide is the same for every kernel address, so leaking a pointer to kernel or kernel extension text or data will always break KASLR, since you can calculate the pointer from userland and subtract the leaked value from the calculated value to find out the value of the slide.

Now, from “Gaining Code Execution”:

Since the XNU kernel makes use of C++ and the creation/destruction of C++ objects can be controlled from userland, overwriting the vtable pointer of such a C++ object gives us control over the instruction pointer.

Then, from “Controlling Data In Kernel Space”:

Placing two of these vm_map_copy structs next to another, then corrupting the first one’s size to read the second one’s header allows you to leak the kdata pointer.

What if instead of placing two vm_map_copy structures one next to the other I place first a vm_map_copy and then a C++ object, then corrupt the vm_map_copy’s header to read into the C++ object? Whoo, I see. I leak the vtable pointer to userland. And where is the vtable located? In kernel/kernel extension text. Can you calculate this from userland? Sure you can!
Subtract the calculated value from the leaked value. What’s the result? If we ran this just before crashing to get kernel panic log shown in the first part of “Breaking KASLR”, the result would be 0x0000000007600000.

Gaining Code Execution – Again

Okay. Here we go again. We now have knowledge of two things we didn’t have before. The first is a pointer to user-controlled data in kernel address space, and the second is the kernel slide. Again, we use our heap overflow to corrupt the vtable pointer of a C++ object. Since we can store arbitrary data in the kernel address space and we know the pointer of this data, we can simply store a fake vtable and use it’s pointer. One question still stands: what will we execute? Due to kernel w^x you cannot just put the shellcode just next to the vtable, since the kernel heap is not executable. We need to do some more.

Bypassing Kernel W^X

This can be achieved fairly simply now that we have knowledge of the KASLR slide. All we need to do is to find some code that when executed will corrupt the stack pointer register to the address of our user-controlled data in kernel heap, execute that code, and once the stack corruption is done, it will return. By returning, it will take a value from the stack and set the instruction pointer to that value. By crafting what is called a ROP chain, you’ll be able to execute repeatedly small amounts of code, and with enough work you’ll be able to make this ROP chain do something useful to you. Since the ROP chain only uses code already inside the kernel, you do not need to be able to write your shellcode in an executable page. Just use what is already there, sitting in R-X page.

From a theoretical point of view, the kernel is now completely owned. All the security “features” we talked about at the beginning of this post have now been completely bypassed. It’s time to party like it’s 1990s 2011 again, with no exploit mitigations standing between us and privilege-escalated code execution in ring0.
The next blog post will contain code that implements the techniques described in this blog post.

NOTE: These techniques are not new. They have been used multiple times by different people, including myself. I’m simply trying to document them. Credit goes to whoever introduced these first, I suppose. Since I have no clue who did so, I’ll refrain from giving credit to anyone in particular. This also means that I take no credit for anything on this blog post.

42 thoughts on “Attacking the XNU Kernel For Fun And Profit – Part 2

  1. hi!,I really like your writing very a lot! percentage we keep in touch more approximately your post on AOL? I need a specialist in this space to resolve my problem. May be that’s you! Looking forward to see you.

  2. Thanks a lot for sharing this with all of us you really recognize what you are speaking approximately! Bookmarked. Kindly additionally visit my site =). We will have a link trade contract among us!

  3. Nice post. I was checking continuously this blog and I’m impressed! Very helpful information particularly the last part 🙂 I care for such info a lot. I was looking for this certain information for a long time. Thank you and good luck.

  4. I precisely needed to thank you so much yet again. I am not sure the things I might have gone through in the absence of the actual pointers contributed by you directly on such a question. This has been the troublesome case in my position, however , seeing this professional manner you managed it took me to leap with delight. Extremely thankful for this guidance and even believe you comprehend what an amazing job you were getting into educating people using your webpage. I am sure you’ve never met all of us.

  5. It¡¦s truly a great and useful piece of information. I am satisfied that you just shared this helpful information with us. Please stay us up to date like this. Thank you for sharing.

  6. Excellent blog right here! Also your website rather a lot up very fast! What host are you the usage of? Can I get your affiliate link for your host? I desire my website loaded up as fast as yours lol

  7. you’re in reality a just right webmaster. The web site loading speed is incredible. It seems that you are doing any unique trick. Furthermore, The contents are masterpiece. you have done a great process on this subject!

  8. Thank you for any other informative website. Where else may just I get that kind of information written in such an ideal approach?
    I have a project that I’m simply now working on, and I’ve been at the glance out for such information.

  9. In 1995, Mr. Rameshwar Dhayal started his construction business known as Jaipur Realty company worked on small, residential home building projects at first but soon began building larger homes. Jaipur Realty a civil construction and interior / exterior development company our expertise lies in : House / Building construction, All type Renovation work (Residential, Commercial, Industrial). We also take work for Masonry, Plastring, POP, false ceiling, Flooring, wooden work, steel fabrication work, wall painting, wooden polishing and many more other services related to interior/exterior work.We have high experience and skilled manpower, we only use superior quality material from genuine vendors. All the work and vision is managed by a staff having the experience of renovation more than 20 years and has been well supported by the well established systems

  10. We welcome you at Used Parts Jaipur.com! Here you can find the directory of Used Automobile parts which are efficient, reliable and compatible in their own terms. We have tied up with Jaipur’s most acknowledged and well established Automobile Dealers on which you can trust completely. At Used Parts Jaipur.com you can search for a reliable Auto Recycler with ease and can deal with used parts you are looking for. So begin a journey of used auto parts purchasing and selling with us.Used Parts is a online portal where a customer can find used parts for his vichele e.g. cars, trucks, jcb, jeep, buses, crane, motor parts, mechanical parts etc. located at jaipur city in India. We sell used parts to consumers looking for an inexpensive way to rebuild their vehicle. Visit our online website usedpartsjaipur.com today and start saving. We purchase used vehicles from insurance companies, private parties, and auctions. We acquire parts daily- thus our inventory is always changing- and odds are we can find the used auto part you are looking for

  11. Thanks a bunch for sharing this with all people you really recognise what you are talking approximately! Bookmarked. Please additionally visit my website =). We may have a hyperlink exchange contract among us!

  12. Final week’s publication of a bit by the English-language
    web site offered a peek at a modern legal enchancment in India
    that has opened the best way for all types of card video games
    to be played for actual cash on the planet’s second most populous nation, with on-line
    poker amongst several such games most likely receiving a
    lift in consequence. However the story would not end here, we being coolest on-line Indian poker web site,
    redeem your free chips as real cash. If you wish to have
    fun while studying extra about human nature, poker is the way
    to go! The PSL can have 12 groups, each consisting of 9 gamers and a prize cash of a whopping ₹3.36 crore.
    Though the PSL web site has not released the schedule for the qualification games,
    the deadline to apply as a participant is coming to an end and
    a few of the poker groups have already been bought to outstanding businesspersons.
    Charles has been an avid poker participant for
    quite a lot of years, each live and online.

    Now there are pretty properly-known gaming websites
    which even declare lakhs of on-line poker gamers. The India Poker Championship (IPC) is the premier vacation spot for tournament poker
    in India. We as poker lovers know what a player desires from a
    basic gaming web site and we are a customer-oriented web site.
    Judging by the sample the place Indian gamers passionately rush to play poker online in large numbers
    to play exciting poker video games on-line. We try and deliver out the joys for fascinating on-line video games and just remember to are on a safe and
    safe platform while having fun with your video games. But most of all, showcasing the world what an superior poker player
    I am is what I am trying forward too.

    And as gamers speak about tells” and tics,” they seem
    satisfied that poker is about understanding each approach and temperament.
    Globally, economists, statisticians and chess grandmasters, together with Garry Kasparov and Steven Levitt, swear by the truth that poker entails great talent and is perhaps even more challenging than chess.
    A gaming enthusiast who need to enjoy and enhance his skills isn’t barred from playing poker.
    Essentially the most luxurious casino in India previously
    referred to as On line casino Royale is
    owned by Delta Company Restricted. Vishaal: I beloved Rounders with
    Matt Damon and Edward Norton-very sturdy strong and nice storyline regarding the ups and down inside the life of a poker participant.

    Indian Poker has seen an enormous change in the latest
    past, among the most notable faces from the business sat down to discuss the evolution of Indian poker
    and its future as witnessed by them first hand.
    There is an unnecesary print of denominations on the chips which is
    complicated in customising the denominations Additionally
    the tin field was delivered broken with multiple dents. Since October 2013, when the Karnataka High Court docket passed the
    judgment declaring poker as a game of ability, poker rooms have been blooming
    in the Backyard Metropolis. It signed a deal with the World Poker Tour
    (WPT) in April this yr as part of its expanded marketing
    technique.

    Nevertheless, if the legal guidelines of India are
    breached during such online presence both the cyber
    regulation of India and other applicable state laws could also be attracted.

    And so it was… with a total of 109 players participating
    in this weekend kickoff match. The Foreign Change Management Act (FEMA) 1999 was introduced to India in 1999 to control the alternate of foreign currency.
    The net poker web sites are additionally required to make sure that their
    fee gateways are duly accredited by the Reserve Financial institution of India
    (RBI). Enroll or sign up to PokerTube and add your poker site username, to
    start incomes PokerTube points.

    The approval of the Nagaland bill is anticipated to lead to extra regulated online poker in India.

    The arrival of online poker web sites in India has majorly contributed to its swift growth.

    Day 2’s turnout was expected to be fairly good given the
    massive variety of players that had attended the opening event of the weekend.

    It is extremely vital to analysis all the choices accessible
    to you prior to deciding on a particular room to play actual cash
    poker online. We have satellite tv for pc tournaments where you
    may pay much less, win more and enjoy poker on-line with actual cash in India.
    This failed regardless of India being essentially the most sought out country for online playing.

    Aditya, who has been playing on PokerStars since 2014,
    hopes that he will inspire more folks in India to play and
    revel in poker. The thing was, players from India had been always current on worldwide web
    sites, if not in great numbers. The craze caught up in India a number of years later, as non-resident Indians and college students getting back
    from America began hosting poker video games at properties.
    Kqpoker buyer support group works around the clock daily solving every issues faced by our players.
    I see rich enterprise people go through 1 or 2 Lakh of
    Rupee very quickly and not care so there is plenty of straightforward cash.

    These 108 gamers for 12 groups would be chosen by way of 70+ rounds which might occur
    over a period of 3 months starting February subsequent 12 months.
    The scholars properly sought a authorized interpretation of India statutes pertaining to Web wagering prior to investing in and starting the venture.
    We provide help to to study all the facets of the sport like poker guidelines, tutorials, poker methods and professional strategies We additionally current you the latest poker
    information and updates on the Indian and global pokerwala industry.
    India’s largest online poker room, Adda52 has a reported
    800,000 registered players. Whether or not your favor sport is Texas Hold’em or Omaha you will discover all the latest knowledge on the market here.

    Thus, a sport which is mere playing can never be a sport as
    a result of it involves no talent. Bear in mind nonetheless that cheques usually are not issued in Indian Rupees and gamers might run into difficulties when attempting to lodge them in a neighborhood Indian financial institution. That is necessary as a result of it circumvents authorized points that will have arisen about International Change
    law. Secondly, even if online poker, on-line rummy, on-line card video games,
    and so forth are presumed to be video games of expertise, nonetheless they are required to comply with techno authorized requirements.
    Trust us, with such thrilling games, you may even begin getting cash
    by playing online poker for money in no time!

    Players should check with the local tax authorities for details and
    specifics concerning the proper option to file taxes and the correct quantity to pay.
    Though all gambling practices are banned in India under the Public Gambling Act 1867, it was left to the state governments to formulate their very own laws and
    rules regarding gambling. The court docket dominated that taking part in skill video games like
    poker in recreational golf equipment is permitted and no licence is
    required for a similar”, stated KN Suresh, secretary of The Indian Poker Association. Texas Holdem, Omaha, Blaze Poker, Sit & Go, all fashionable online poker games are current through single table and multi desk tournaments.

    The Central Authorities and Reserve Financial establishment of India (RBI) have the powers to subject monetary establishment notes and cash respectively. Leisureplay is the world’s first Gaming Technology Firm to build its utility on the newest groundbreaking HTML5 Technology from the bottom up. Leisureplay’s Poker Software program affords the users a seamless experience across all devices together with mobiles, Iphones, Ipads, and all web browsers. Gaussian Networks was based by Anuj Gupta and consists of numerous online web sites comparable to , and offering the Indian market a variety of on-line games resembling poker, rummy, scrabble, chess, pool and golf. http://www.Trapworld.com/groups/pokerstars-potential-to-pull-out-of-australia-says-amaya-nevertheless-india-beckons/

  13. This does not automatically mean that every single dwelling at every
    revenue degree in each metropolis throughout all 50-odd international locations is strictly the
    same, but it’s all worthwhile stuff to mention, as a result of it’s
    all stuff that can catch you off guard.

  14. Aw, this was an extremely nice post. Taking the time and
    actual effort to produce a good article… but what can I say…
    I put things off a whole lot and never seem to get anything done.

  15. For latestnewestmost recentmost up-to-datehottest newsinformation you have to visitgo to seepay a visitpay a quick visit internetwebworld wide webworld-wide-webthe web and on internetwebworld-wide-webthe web I found this websiteweb sitesiteweb page as a bestmost excellentfinest websiteweb sitesiteweb page for latestnewestmost recentmost up-to-datehottest updates.

  16. I loved as much as you’ll receive carried out right here. The sketch is attractive, your authored subject matter stylish. nonetheless, you command get got an shakiness over that you wish be delivering the following. unwell unquestionably come more formerly again since exactly the same nearly very often inside case you shield this increase.

  17. Wow! This can be one particular of the most beneficial blogs We’ve ever arrive across on this subject. Actually Great. I’m also a specialist in this topic therefore I can understand your effort.

  18. Unquestionably believe that which you said. Your favorite justification appeared to be on the net the easiest thing to be aware of. I say to you, I definitely get irked while people think about worries that they plainly don’t know about. You managed to hit the nail upon the top and defined out the whole thing without having side effect , people could take a signal. Will likely be back to get more. Thanks

  19. Thank you for the sensible critique. Me & my neighbor were just preparing to do some research on this. We got a grab a book from our area library but I think I learned more clear from this post. I am very glad to see such great info being shared freely out there.

  20. Thanks for sharing superb informations. Your website is very cool. I’m impressed by the details that you have on this web site. It reveals how nicely you perceive this subject. Bookmarked this website page, will come back for extra articles. You, my friend, ROCK! I found simply the information I already searched all over the place and just couldn’t come across. What a great web site.

  21. Lenvo proѵides gіven the Vibe T1 Lite а 13 MP surveillance camera աith ɑn y/2.2 aperture, phase
    recognition autofocus ɑnd a dual LED display. Ӏt can shoot 1,080p video аt 30 fгames
    ⲣeг second and features encounter recognition, HDR аnd breathtawking shooting.
    Τɦe front-facing surveilance camera iѕ 8 MP with an n/2.2 aperture аnd LED
    flash.

Leave a Reply

Your email address will not be published. Required fields are marked *