diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 561fe52fb9f..c1bba06434f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -857,6 +857,7 @@ - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md) - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md) - [ios CVE-2021-30807-IOMobileFrameBuffer](binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.md) + - [Imessage Media Parser Zero Click Coreaudio Pac Bypass](binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md) - [ios Corellium](binary-exploitation/ios-exploiting/ios-corellium.md) - [ios Heap Exploitation](binary-exploitation/ios-exploiting/ios-example-heap-exploit.md) - [ios Physical UAF - IOSurface](binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.md) diff --git a/src/binary-exploitation/ios-exploiting/README.md b/src/binary-exploitation/ios-exploiting/README.md index 1660cf15488..f34ec8d230d 100644 --- a/src/binary-exploitation/ios-exploiting/README.md +++ b/src/binary-exploitation/ios-exploiting/README.md @@ -28,7 +28,6 @@ From the screenshot: | `default.kalloc.32` | 32 bytes | Small structs, object headers. | | `default.kalloc.64` | 64 bytes | IPC messages, tiny kernel buffers. | | `default.kalloc.128` | 128 bytes | Medium objects like parts of `OSObject`. | -| `default.kalloc.256` | 256 bytes | Larger IPC messages, arrays, device structures. | | … | … | … | | `default.kalloc.1280`| 1280 bytes | Large structures, IOSurface/graphics metadata. | @@ -273,5 +272,10 @@ If you want to check for vulnerabilities in a specific version of iOS, you can c For example, the versions `15.1 RC`, `15.1` and `15.1.1` use the version `Darwin Kernel Version 21.1.0: Wed Oct 13 19:14:48 PDT 2021; root:xnu-8019.43.1~1/RELEASE_ARM64_T8006`. -{{#include ../../banners/hacktricks-training.md}} +### iMessage/Media Parser Zero-Click Chains + +{{#ref}} +imessage-media-parser-zero-click-coreaudio-pac-bypass.md +{{#endref}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md b/src/binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md new file mode 100644 index 00000000000..41805f2a2cc --- /dev/null +++ b/src/binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md @@ -0,0 +1,120 @@ +# iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse + +{{#include ../../banners/hacktricks-training.md}} + +This page summarizes a modern iOS zero-click attack surface and an observed end-to-end exploitation chain abusing iMessage automatic media parsing to compromise CoreAudio, bypass BlastDoor, defeat Pointer Authentication (PAC) via an RPAC path, escalate to kernel, and finally abuse CryptoTokenKit for unauthorized key uses. + +> Warning: This is an educational summary to help defenders, researchers, and red teams understand the techniques. Do not use offensively. + +## High-level chain + +- Delivery vector: a malicious audio attachment (e.g., .amr / MP4 AAC) sent via iMessage/SMS. +- Auto-ingestion: iOS auto-parses media for previews and conversions without user interaction. +- Parser bug: malformed structures hit CoreAudio’s AudioConverterService and corrupt heap memory. +- Code exec in media context: RCE inside the media parsing process; reported to bypass BlastDoor isolation in specific paths (e.g., “known sender” framing path). +- PAC/RPAC bypass: once arbitrary R/W is achieved, a PAC bypass in the RPAC path enables stable control flow under arm64e PAC. +- Kernel escalation: the chain converts userland exec into kernel exec (e.g., via wireless/AppleBCMWLAN code paths and AMPDU handling as seen in logs below). +- Post-exploitation: with kernel, abuse CryptoTokenKit to perform signing with Secure Enclave–backed keys, read sensitive data paths (Keychain contexts), intercept messages/2FA, silently authorize actions, and enable stealth surveillance (mic/camera/GPS) without prompts. + +## iMessage/BlastDoor attack surface notes + +BlastDoor is a hardened service designed to parse untrusted message content. However, observed logs indicate paths where protections may be bypassed when messages are framed from a “known sender” and when additional filters (e.g., Blackhole) are relaxed: + +```text +IDSDaemon BlastDoor: Disabled for framing messages +SpamFilter Blackhole disabled; user has disabled filtering unknown senders. +``` + +Takeaways: +- Auto-parsing still represents a remote, zero-click attack surface. +- Policy/context decisions (known sender, filtering state) can materially change the effective isolation. + +## CoreAudio: AudioConverterService heap corruption (userland RCE) + +Affected component: +- CoreAudio → AudioConverterService → AAC/AMR/MP4 parsing and conversion flows + +Observed parser touchpoint (logs): + +```text +AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39 +``` + +Technique summary: +- Malformed container/codec metadata (e.g., invalid/short/NULL magic cookie) causes a memory corruption during decode setup. +- Triggers in the iMessage media conversion path without taps by the user. +- Yields code execution in the media parsing process. The write-up claims this escapes BlastDoor in the observed delivery path, enabling the next stage. + +Practical tips: +- Fuzz AAC/AMR magic cookie and MP4 codec atoms when targeting AudioConverterService conversions. +- Focus on heap overflows/underflows, OOB reads/writes, and size/length confusion around decoder initialization. + +## PAC bypass via RPAC path (CVE-2025-31201) + +arm64e Pointer Authentication (PAC) impedes hijacking of return addresses and function pointers. The chain reports defeating PAC using an RPAC path once arbitrary read/write is available. + +Key idea: +- With arbitrary R/W, attackers can craft valid, re-signed pointers or pivot execution to PAC-tolerant paths. The so-called “RPAC path” enables control-flow under PAC constraints, turning a userland RCE into a reliable kernel exploit setup. + +Notes for researchers: +- Collect info leaks to defeat KASLR and stabilize ROP/JOP chains even under PAC. +- Target callsites that generate or authenticate PAC in controllable ways (e.g., signatures generated on attacker-controlled values, predictable context keys, or gadget sequences that re-sign pointers). +- Expect Apple hardening variance by SoC/OS; reliability hinges on leaks, entropy, and robust primitives. + +## Kernel escalation: wireless/AMPDU path example + +In the observed chain, once in userland with memory corruption and a PAC bypass primitive, kernel control was achieved via code paths in the Wi‑Fi stack (AppleBCMWLAN) under malformed AMPDU handling. Example logs: + +```text +IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14 +IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 13 +``` + +General technique: +- Use userland primitives to build kernel R/W or controlled call paths. +- Abuse reachable kernel surfaces (IOKit, networking/AMPDU, media shared memory, Mach interfaces) to achieve kernel PC control or arbitrary memory. +- Stabilize by building read/write primitives and defeating PPL/SPTM constraints where applicable. + +## Post-exploitation: CryptoTokenKit and identity/signing abuse + +Once kernel is compromised, processes like identityservicesd can be impersonated and privileged cryptographic operations invoked via CryptoTokenKit without user prompts. Example logs: + +```text +CryptoTokenKit operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256 +CryptoTokenKit parsed for identityservicesd +``` + +Impact: +- Use Secure Enclave–backed keys for unauthorized signing (tokens, messages, payments), breaking trust models even if keys are not exported. +- Intercept 2FA codes/messages silently; authorize payments/transfers; enable stealth mic/camera/GPS. + +Defensive angle: +- Treat post-kernel integrity breaks as catastrophic: enforce runtime attestation for CTK consumers; minimize ambient authority; verify entitlements at the point of use. + +## Reproduction and telemetry hints (lab only) + +- Delivery: send a crafted AMR/MP4-AAC audio to the target device via iMessage/SMS. +- Observe telemetry for the foregoing log lines around parsing and wireless stack reactions. +- Ensure devices are fully patched; only test in isolated lab setups. + +## Mitigations and hardening ideas + +- Patch level: iOS 18.4.1 reportedly fixes this chain; keep devices up to date. +- Parser hardening: strict validation for codec cookies/atoms and lengths; defensive decoding paths with bounds checks. +- iMessage isolation: avoid relaxing BlastDoor/Blackhole in “known sender” contexts for media parsing. +- PAC hardening: reduce PAC-gadget availability; ensure signatures are bound to unpredictable contexts; remove PAC-tolerant bypassable patterns. +- CryptoTokenKit: require post-kernel attestation and strong entitlements at call-time for key-bound operations. +- Kernel surfaces: harden wireless AMPDU/status handling; minimize attacker-controlled inputs from userland after compromise. + +## Affected versions (as reported) + +- iOS 18.x prior to iOS 18.4.1 (April 16, 2025). +- Primary: CoreAudio → AudioConverterService (media auto-parsing path via iMessage/SMS). +- Chained: PAC/RPAC path and kernel escalation via AppleBCMWLAN AMPDU handling. + +## References + +- [iOS Crypto Heist repo (README)](https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201) +- [Remote Crypto Attack Chain details](https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file