rump : ios patch diffing
![Page 1: Rump : iOS patch diffing](https://reader031.vdocuments.site/reader031/viewer/2022021815/588167101a28ab80508b71ab/html5/thumbnails/1.jpg)
iOS patch diffing
#cybsec16 rump session
Julien Bachmann
@milkmix_
intro | pegasus
• Last August: information about a new malware for iOS
• Better: the device was infected through a browser exploit!
• Looked like a good idea to finally start analysing iOS patches
patches | up to iOS 9
• Updates
  • rootfs is encrypted and only decrypted on the device
  • keys are needed, but they are only available for devices before A6
  • kernelcache is also encrypted
• OTA updates
  • Initially only partial updates
  • From around September 2015, full OTA updates were made available
patches | up to iOS 9
patches | iOS 10
• Updates
  • rootfs is no longer encrypted
  • kernelcache is encrypted (again…)
patches | extracting rootfs
$ mkdir rootfs
$ unzip 2f3a0cb8c741f31b19576656765fad3616ecbfef.zip
$ pbzx AssetData/payloadv2/payload > rootfs/pb.xz && cd rootfs
$ xz --decompress pb.xz
$ otaa -e '*' ./pb
patches | finding modified files
• Using a partial update
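When only full OTA images are available, the partial-update shortcut does not apply and the two extracted trees have to be compared directly. The helper below is an added example, not from the slides: it hashes every file in two rootfs directories (names such as rootfs_old/ and rootfs_new/ are assumptions) and reports which files were added, deleted or modified, so only those need to be pulled apart and diffed.

```shell
#!/bin/sh
# Added example, not from the slides: compare two extracted rootfs trees
# (e.g. rootfs_old/ and rootfs_new/ produced by the unzip/pbzx/xz/otaa
# pipeline above; directory names are assumptions) and report which files
# were added, deleted or modified.
# Assumes GNU coreutils (on macOS substitute "shasum -a 256" for sha256sum)
# and file paths without whitespace.

# hash_tree DIR: one "./relative/path sha256" line per regular file, sorted by path.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | awk '{print $2, $1}' | LC_ALL=C sort )
}

# changed_files OLD_DIR NEW_DIR: prints "A path", "D path" or "M path" for files
# present only in NEW, only in OLD, or present in both with different content.
changed_files() {
    tmp=$(mktemp -d) || return 1
    hash_tree "$1" > "$tmp/old"
    hash_tree "$2" > "$tmp/new"
    # Full outer join on the path column; -e fills the hash of an unpaired side
    # with the literal MISSING so awk can classify each line.
    LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$tmp/old" "$tmp/new" |
        awk '$2 == "MISSING" { print "A", $1; next }
             $3 == "MISSING" { print "D", $1; next }
             $2 != $3        { print "M", $1 }'
    rm -rf "$tmp"
}

# Usage: sh diff_rootfs.sh rootfs_old rootfs_new
if [ $# -eq 2 ]; then
    changed_files "$1" "$2"
fi
```

Because all frameworks live in dyld_shared_cache_arm64, a changed framework shows up here as that single modified cache file; the individual frameworks are then extracted from it with jtool as shown on the next slide before diffing.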
patches | extracting frameworks
• On iOS, all frameworks are bundled into a single cache file
  • dyld_shared_cache_arm64
• Possible to extract a specific framework using jtool
$ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
diffing | diaphora
finding the vuln | analysis
• Last browser exploit I did was 10 years ago on ActiveX applets
• heap spray all the things
• Was expecting the exploit to be released, and then to trace it with a debugger starting from slowAppend
finding the vuln | analysis
• All that to say…
finding the vuln | analysis
• Use Slack, use GitHub