Overview
This course teaches how to exploit an ancient bug in XNU to bypass Pointer Authentication Code (PAC) on the iPhone XS Max, allowing arbitrary kernel read/write access. The skills taught include understanding Unix domain sockets, race conditions, and the exploitation of use-after-free vulnerabilities. The teaching method involves discussing the bug, demonstrating exploitation techniques, and exploring unprotected control flow transfer points. This course is intended for cybersecurity professionals interested in iOS security research and exploitation.
Syllabus
Intro
Outline
Unix Domain Socket
Race Condition
The fix
The pattern
UAF, let's look at the USE
Binary version may be better
PAC (Pointer Authentication Code)
UAF, let's look at the second USE
Got troubles while adding trust caches
tfpo's write capability for kernel image
Look for unprotected control flow transfer points
What can we do
Got ssh on iPhone XS Max
Black Hat Sound Bytes
Taught by
Black Hat