Pangu 9 Internals

Black Hat USA 2016

Presented by: Xiaobo Chen, Tielei Wang, Hao Xu
Date: Thursday August 04, 2016
Time: 14:30 - 15:20
Location: South Seas CDF

Pangu 9, the first (and only) untethered jailbreak tool for iOS 9, exploited a chain of vulnerabilities in iOS userland to achieve arbitrary code execution in the kernel and a persistent code-signing bypass. Although these vulnerabilities were fixed in iOS 9.2, no details have been disclosed. This talk reveals the internals of Pangu 9. Specifically, it first presents a logic error in a system service that any sandboxed (container) app can exploit over XPC to gain arbitrary file read/write as the mobile user. Next, it explains how Pangu 9 gains arbitrary code execution outside the sandbox through the system debugging feature. It then elaborates on a vulnerability in the loading of the dyld_shared_cache file that lets Pangu 9 achieve a persistent code-signing bypass. Finally, it presents a vulnerability in the backup-restore process that allows apps signed by a revoked enterprise certificate to execute without the user's explicit approval of the certificate.

Tielei Wang

Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and has given several presentations at Black Hat USA, CanSecWest, POC, and RUXCON.

Hao Xu

Hao Xu is a member of Team Pangu. He has been involved in information security for over 10 years. His research interests range from OS X/iOS/Windows kernel security, rootkit and malware analysis, and hardware virtualization technology to reverse engineering. He is a regular speaker at SyScan360, POC, and XCon.

Xiaobo Chen

Xiaobo Chen is a member of Team Pangu. He previously worked as a senior research scientist at FireEye and McAfee. He has worked in the network security field since 2000 and has over 15 years of experience in the network security industry; he now focuses on innovative research into software vulnerabilities and exploitation for Microsoft and Apple systems.
