Apple graphics, both the userland and the kernel components, are reachable from most of the sandboxed applications, including browsers, where an attack can be launched first remotely and then escalated to obtain root privileges. On OS X, the userland graphics component is running under the WindowServer process, while the kernel component includes IOKit user clients created by IOAccelerator IOService. Similar components do exist on iOS system as well. It is the counterpart of "Win32k.sys" on Windows. In the past few years, lots of interfaces have been neglected by security researchers because some of them are not explicitly defined in the sandbox profile, yet our research reveals not only that they can be opened from a restrictive sandboxed context, but several of them are not designed to be called, exposing a large attack surface to an adversary. On the other hand, due to its complexity and various factors (such as being mainly closed source), Apple graphics internals are not well documented by neither Apple nor the security community. This leads to large pieces of code not well analyzed, including large pieces of functionality behind hidden interfaces with no necessary check in place even in fundamental components. Furthermore, there are specific exploitation techniques in Apple graphics that enable you complete the full exploit chain from inside the sandbox to gain unrestricted access. We named it "graphic-style" exploitation.
In the first part of the talk, we introduce the userland Apple graphics component WindowServer. We start from an overview of WindowServer internals, its MIG interfaces as well as "hello world" sample code. After that, we explain three bugs representing three typical security flaws: - Design related logic issue CVE-2014-1314, which we used at Pwn2Own 2014 - Logic vulnerability within hidden interfaces - The memory corruption issue we used at Pwn2Own 2016 Last but not least we talk about the "graphic-style" approach to exploit a single memory corruption bug and elevate from windowserver to root context.
The second part covers the kernel attack surface. We will show vulnerabilities residing in closed-source core graphics pipeline components of all Apple graphic drivers including the newest chipsets, analyze the root cause and explain how to use our "graphic-style" exploitation technique to obtain root on OS X El Capitan at Pwn2Own 2016. This part of code, mostly related to rendering algorithm, by its nature lies deeply in driver's core stack and requires much graphical programming background to understand and audit, and is overlooked by security researchers. As it's the fundamental of Apple's rendering engine, it hasn't been changed for years and similar issues do exist in this blue ocean. We'll also come up with a new way of kernel heap spraying, with less side-effect and more controllable content than any other previous known methods. The talk is concluded by showing two live demos of remote gaining root through a chain of exploits on OS X El Capitan. Our first demo is done by exploiting userland graphics and the second by exploiting kernel graphics.
Liang Chen is a senior security researcher at KeenLab of Tencent (former knownas Keen Team). Liang has a strong research experience on softwarevulnerability exploitation and vulnerability discovery. During these years,Liang's major research area was browser exploitation including Safari, Chrome,Internet Explorer, etc on both PC and mobile platform. Also Liang researchessandbox escape technology on various platforms. Liang led Tencent SecurityTeam Sniper to win "Master of Pwn" in Pwn2own 2016. Liang is also the winnerof iPhone Safari category in Mobile Pwn2own 2013 and Mavericks Safari categoryin Pwn2Own 2014. Liang has spoken at several security conferences includingXCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015, etc.
Qidan He (a.k.a Edward Flanker) is a security researcher focusing on mobilesecurity at KeenLab of Tencent (former known as Keen Team). His majorexperience includes Android/iOS/OS X security and program analysis. He hasreported several vulnerabilities in Android system core components and OSXKernel, which were confirmed and credited in multiple advisories. He is thewinner of Pwn2Own 2016 OS X Category and member of Master of Pwn Championteam. He has spoken at conferences like Recon, CanSecWest, HITCON and QCON.
Marco Grassi is currently a Senior Security Researcher of the KEEN Lab ofTencent (previously known as KEEN Team). He was one of the main contributorsat Pwn2Own 2016 for the Safari target with sandbox escape to root. He is amember of the team who won the title of "Master Of Pwn" at Pwn2Own 2016.Formerly he was a member of NowSecure R&D; Team, where he researchedsolutions for mobile security products and performed reverse engineering,pentesting and vulnerability research in mobile OS applications and devices.When he's not poking around mobile devices, he enjoys developing embedded andelectronic systems. He has spoken at several international securityconferences such as ZeroNights, Black Hat, Codegate, HITB and cansecwest. Youcan find him on Twitter at @marcograss.
After several years research in the field of iOS/OS X security and linuxkernel, currently, Yubin Fu(Qoobee @fuyubin1993) is now an intern securityresearcher. As a member of Blue-lotus CTF team, he participated in DEF CON 23Final in Las Vegas and Codegate 2015 Final in Seoul. In the same year, hepartnered to develop PingPong Root, and co-authored a paper about Android Rootwhich is now published at USENIX WOOT. In 2016, Yubin took part in Pwn2Own andclinched the victory of Pwn2Own 2016 Safari target. He is also a member of"Master of Pwn" team. Now he works in KeenLab of Tencent(previously known asKeen Team), lives in Shanghai, China.