Posted yesteryear Gal Beniamini,
In this weblog ship service we’ll continue our journey towards over-the-air exploitation of the iPhone, yesteryear way of Wi-Fi communication alone. This component of the enquiry volition focus on the firmware running on Broadcom’s Wi-Fi SoC nowadays on the iPhone 7.
We’ll start out yesteryear performing a deep dive into the firmware itself; discovering novel assault surfaces along the way. After auditing these assault surfaces, we’ll uncover several vulnerabilities. Finally, we’ll develop a fully functional exploit against ane of the aforementioned vulnerabilities, thereby gaining code execution on the iPhone 7’s Wi-Fi chip. In improver to gaining code execution, we’ll also develop a covert backdoor, allowing us to remotely command the chip over-the-air.
Along the way, we’ll come upwards across several novel security mechanisms developed yesteryear Broadcom. While these mechanisms bear the potential to brand exploitation harder, they remained rather ineffective inwards this particular case. By exploring the mechanisms themselves, nosotros were able to uncovering methods to bypass their intended protections. Nonetheless, nosotros stay hopeful that the issues highlighted inwards this weblog ship service volition assist inspire stronger mitigations inwards the future.
All the vulnerabilities presented inwards this weblog ship service (#1, #2, #3, #4, #5) were reported to Broadcom together with later fixed. I’d similar to give thank you lot Broadcom for beingness highly responsive together with for treatment the issues inwards a timely manner. While nosotros did non perform a total analysis on the breadth of these issues, a minimal analysis is available inwards the introduction to the previous weblog post.
And now, without farther ado, let’s larn to it!
Exploring The Firmware
Combining the extracted ROM ikon nosotros had precisely acquired with the resident RAM image, nosotros tin finally slice together the consummate firmware image. With that, all that remains is to charge the ikon into a disassembler together with start out exploring.
While the ROM ikon on the BCM4355C0 is slightly larger than that of previously analysed Android-resident Wi-Fi chips, it’s still rather small-scale (spanning only 896KB). Consequently, Broadcom has ane time over again employed the same tricks inwards social club to conserve equally much retentiveness equally possible; including compiling the mass of the code using the Thumb-2 education laid together with stripping away most of the symbols.
As for the ROM’s layout, it follows the same basic construction equally that of its Android counterparts; get-go with a code chunk, followed yesteryear a blob of constant information (including strings together with CRC polynomials), together with ending with “trampolines” into detection points inwards the Wi-Fi firmware’s RAM (and some to a greater extent than spare data).
The same cannot endure said of the RAM image; spell some similarities be betwixt the electrical flow ikon together with the previously analysed ones, their internal layouts are substantially different. Whereas Android-resident firmwares contained interspersed heap chunks betwixt code together with information blobs, this quirk is no longer nowadays inwards the electrical flow RAM image. Instead, the heap chunks are by together with large placed inwards a linear fashion. One exception to this dominion is the initialisation code nowadays inwards the RAM -- ane time the firmware’s bootup procedure completes, this blob is reclaimed, together with is thereafter converted into an additional heap chunk.
Curiously, the stack is no longer located after the heap, but rather precedes it. This modification has the wages of preventing potential standardised zero-configuration service commonly used inside the Apple ecosystem).
Reverse-engineering the higher upwards fragments, nosotros come upwards to the realisation that it is a stripped-down version of mDNSResponder, by together with large responsible for performing wake on demand via mDNS (for networks that include a Bonjour Sleep Proxy). Consequently, it does non offering all the functionality provided yesteryear a fully-fledged mDNS client. Nonetheless, embedding code from complex libraries such equally mDNSResponder could bear undesired side effects.
For starters, mDNSResponder itself has been affected yesteryear several security issues inwards the past. More subtly, non-security bugs inwards libraries tin become security-relevant when migrating betwixt systems whose characteristics differ so widely from ane another. Concretely, on the Wi-Fi chip address null points to the firmware’s interrupt vectors -- a mapped, writable address. Being able to modify this address would allow attackers to gain code-execution on the chip, thereby converting a shape of “benign” bugs, such equally a null-pointer accesses, to RCEs.
Offloading Mechanisms
Since the Wi-Fi SoC’s ARM core is less power-hungry than the application processor, it stands to argue that some network related functionality endure relegated to the firmware, when possible. This concept is neither new, nor is it unique to the mobile settings; offloading to the NIC occurs inwards desktop environments equally well, primarily inwards the shape of TCP offloading (via TOE) .
Regardless, spell the advantages of offloading are clear, it’s of import to endure aware of the potential downsides equally well. For starters, equally we’ve mentioned before, the to a greater extent than features are added into the Wi-Fi firmware, the less auditable it becomes. Additionally, offloading features frequently require parsing of high-level protocols. Since the Wi-Fi firmware does non contain its ain TCP/IP stack, it must resort to parsing all layers inwards the stack manually, upwards to the layer at which the offloading occurs.
Inspecting the firmware reveals at to the lowest degree 2 features which allow offloading of high-level protocols to the Wi-Fi firmware: ICMPv6 offloading together with TCP KeepAlive offloading. Apple’s host-side drivers contain controls for enabling together with disabling these offloading features (see AppleBCMWLANCore), later handing over command over these packets to the Wi-Fi firmware rather than the host.
While beyond the compass of this weblog post, auditing both of the aforementioned offloading features revealed 2 security bugs allowing attackers to either leak constrained information from the firmware or to crash the firmware running on the Wi-Fi SoC (for to a greater extent than information consider the põrnikas tracker entries linked above).
Generic Attack Surfaces
While the aforementioned assault surfaces may endure interesting from an exploratory dot of view, each of the outlined features was rather constrained inwards scope. Perhaps, nosotros could uncovering a to a greater extent than fruitful assault surface inside the Wi-Fi firmware?
...This is where some familiarity with the Wi-Fi standards comes inwards handy!
Wi-Fi frames tin endure split upwards into 3 distinct categories. Each frame is assigned a category yesteryear inspecting the “type” together with “subtype” fields inwards its MAC header:
The categories are equally follows:
- Data Frames - Carry information (and QoS data) over the Wi-Fi network.
- Control Frames - Body-less frames assisting with the delivery of other frames (using ACKs, RTS/CTS, Block ACKs together with more).
- Management Frames - Perform complex operations, including connecting to a network, modifying the nation of private stations (STAs), authenticating together with more.
Let’s have got a 2nd to consider the categories higher upwards from a security PoV.
While information frames contain interesting assault surfaces (such equally frame aggregation via IEEE 802.11-2016 (9-47), total listing of activity frame categories is quite formidable:
To illustrate the amount of complexity encapsulated yesteryear activity frames, let’s render to the iPhone’s Wi-Fi firmware. Tracing our way through the RX-path, nosotros chop-chop make the role at which activity frames are handled inside the firmware (referred to equally “wlc_recv_mgmtact” inwards the ROM):
wlc_recv_mgmtact - 0x1A79F4
As nosotros tin see, the role performs some preliminary operations, before handing off processing to ane of the numerous handlers inside the firmware. Each activity frame category is delegated to a unmarried handler. Counting the activity frame handlers together with corresponding frame types supported yesteryear the iPhone’s firmware, nosotros uncovering 13 different supported categories, resulting inwards 34 different supported frame types. This is a substantial assault surface to explore!
To assess the handlers’ security, we’ll reverse-engineer each of the higher upwards functions. While this is a wearisome together with rather tedious process, recollect that each vulnerability flora inwards the higher upwards handlers implies a triggerable over-the-air vulnerability inwards the Wi-Fi chip.
Before attempting a manual audit, nosotros also “fuzzed” the activity frame handlers. To do so, nosotros developed an on-chip Wi-Fi fuzzer, allowing injection of frames straight into the aforementioned handler functions (without transmitting the frames over-the-air). While the fuzzer allowed for high-speed injection of frames (namely, thousands of frames per second), running it using a small-scale corpus of activity frames together with inducing bit-flips inwards them was unfruitful... One possible explanation for this approach’s failure is due to the strict construction mandated yesteryear many activity frames. Perhaps these results could endure improved yesteryear fuzzing based on a grammer derived from the Wi-Fi standard, or enforcing construction constraints on the fuzzed content.
Regardless, nosotros tin employ some tricks to speed upwards our manual exploration. Recall that Wi-Fi primarily relies on Information Elements (IEs), tagged bundles of data, to convey information. The same regulation applies to activity frames -- their payloads typically consist of multiple IEs, each encapsulating different pieces of information relating to the handled frame. As the IE tags are (mostly) unique inside the Wi-Fi standard, nosotros tin but lookup the tag value corresponding to each processed IE, allowing us to chop-chop familiarise ourselves with the surrounding code.
After going through the handlers outlined above, nosotros identified a number of vulnerabilities.
First, nosotros discovered a vulnerability inwards 802.11v Wireless Network Managements (WNM). WNM is a laid of standards allowing clients to configure themselves inside a wireless network together with to commutation information close the network’s topology. Within the WNM category, the “WNM Sleep Mode Response” frame serves to update the Group Temporal Key (GTK) when the laid of peers inwards the network changes. As it happens, reverse-engineering the WNM handler revealed that the corresponding role failed to verify the length of the encapsulated GTK, thereby triggering a controlled heap overflow (see the bug tracker for to a greater extent than information).
By cross-referencing the GTK treatment method, nosotros were able to seat a similar vulnerability inwards 802.11r Fast BSS Transition (FBT). Once again, the firmware failed to verify the GTK’s length, resulting inwards a heap overflow.
While both of the higher upwards vulnerabilities are interesting inwards their ain right, nosotros volition non verbalize over them whatever farther inwards this weblog post. Instead, we’ll focus on a different vulnerability altogether; ane with a weaker primitive. By demonstrating how fifty-fifty relatively “weak” primitives tin endure exploited on the Wi-Fi firmware, we’ll showcase the demand for stronger exploit mitigations.
To brand matters to a greater extent than interesting, we’ll build our entire exploit using nothing but activity frames. These frames are so feature-rich, that yesteryear leveraging them nosotros volition endure able to perform heap shaping, create allotment primitives, together with of course, trigger the vulnerability itself.
802.11k Radio Resource Management
802.11k is an amendment to the Wi-Fi criterion aiming to select Radio Resource Management (RRM) capabilities to Wi-Fi networks. RRM-capable stations inwards the network are able to perform radio measurements (and have them), allowing access points to cut the congestion together with improve traffic utilisation inwards the network. The concept itself is non novel inwards the mobile sphere; inwards fact, it’s been to a greater extent than or less inwards cellular networks for over 2 centuries.
Within the Wi-Fi ecosystem, RRM is commonly utilised inwards tandem with 802.11r FBT (or the proprietary CCKM) to enable seamless access dot assisted roaming. As stations determine to “handover” to different access points (based on their radio measurements), they tin consult the access points inside the network inwards social club to obtain a listing of potential neighbours with which they may reassociate.
To implement all of the above, a laid of activity frames (and a novel activity category) have got been added to the Wi-Fi standard. Consequently, clients tin perform radio together with link mensuration requests, have the corresponding reports, together with fifty-fifty procedure reports containing their neighbouring access points (should they determine to roam).
All of the higher upwards functionality is also nowadays inwards the Wi-Fi firmware on the iPhone:
Auditing the handlers above, nosotros come upwards across ane role of particular note; the handler for Neighbor Report Response frames.
The Vulnerability
Neighbor Report Response (NRREP) frames are reports delivered from the access dot to stations inwards the network, informing stations of neighbouring access points inwards their vicinity. Upon roaming, the stations may exercise these parameters to reassociate with the aforementioned neighbours. Providing this information spares the stations the demand to perform extensive scans on their ain -- a rather fourth dimension consuming operation. Instead, they may but rely on the report, informing it of the specific channels together with operating classes inhabited yesteryear each neighbour.
Like many activity frames, NRREPs also contain a “dialog token” (9.6.7.7). This 1-byte acre is used to correlate betwixt requests issued yesteryear a client, together with their corresponding responses. As their call implies, Neighbour Report Responses are typically transmitted inwards answer to a corresponding asking made yesteryear the customer before on (commonly equally a resultant of a radio mensuration indicating that a roam may endure imminent). As we’d expect, upon sending a Neighbor Report Request, the customer generates together with embeds a dialog token, which inwards later verified yesteryear it when processing the corresponding NRREP returned yesteryear the access point.
However, reading to a greater extent than carefully through the specification reveals some other interesting scenario! It appears that NRREPs may also endure alone unsolicited. In such a case, the dialog token is but laid to zero, indicating that no matching asking exists.
IEEE 802.11-2016, 9.6.7.7
Consequently, NRREPs may endure transmitted over the network to whatever customer at whatever time, so long equally it supports 802.11k RRM. Upon reception of such a study (with a zeroed dialog token), the customer volition but parse the asking together with grip the information therein.
Continuing to read through the standard, nosotros tin slice together the frame’s overall structure; starting from the activity frame header, all the way the encapsulated IE:
As nosotros tin consider above, the mass of the information inwards the NRREP frame is conveyed through the “Neighbour Report” IE. NRREPs may contain ane or to a greater extent than such IEs, each indicating the presence of a unmarried neighbour.
Now that nosotros have got a occupation solid agreement of the frame’s structure, let’s have got a appear at the firmware’s implementation of the functionality described above. Following along from the initial NRREP handler, nosotros chop-chop come upwards to a ROM role responsible for treatment the reports. Reverse-engineering the function, nosotros larn inwards at the next high-level logic:
1. int wlc_rrm_recv_nrrep(void* ctx, ..., uint8_t* body, uint32_t bodylen) {
2.
3. //Ensuring the asking is valid
3. if (bodylen <= 2 || !g_rrm_enabled || body[2] != stored_dialog_token)
4. ... //Handle error
5.
6. //Freeing all the previously stored reports
7. free_previous_nrreps(ctx, ...);
8.
9. //Stripping the activity Header
10 uint8_t* report_ie = body + 3;
11. bodylen -= 3;
12.
13. //Searching for the study IE
14. do {
15. ... //Verify the IE is valid
16. if (report_ie[0] == 52 && report_ie[1] > 0xC) //Tag, Length
17. break; //Found a matching IE!
18. } spell (report_ie = bcm_next_tlv(report_ie, &bodylen));
19. if (!report_ie)
20. ... //Handle error
21.
22. //Handle the report
23. uint8_t* nrrep_data = malloc(28);
24. if (!nrrep_data)
25. ... //Handle error
26.
27. memcpy(nrrep_data + 6, report_ie + 2, 6); //Copying the BSSID
28. ... //Copying other elements...
29. nrrep_data[16] = report_ie[12]; //Operational Class
30. nrrep_data[17] = report_ie[13]; //Channel Number
31.
32. //Processing the report
33. void* elem = wlc_rrm_regclass_neighbor_count(ctx, nrrep_data, ...);
34. ...
35. }
As nosotros tin consider above, the role begins yesteryear performing some cursory validation of the received request. Namely, it ensures that RRM is enabled inside the network, that the study is sufficiently long, together with that the received dialog token matches the stored ane (if a solicited asking was initiated yesteryear the client, otherwise the stored token is laid to zero).
After performing the necessary validations together with locating the study IE, the role proceeds to extract the encoded study information together with shop it inside a construction of its own. Finally, the newly created construction is passed on for processing inside wlc_rrm_regclass_neighbor_count. Let’s have got a closer look:
1. void* wlc_rrm_regclass_neighbor_count(void* ctx, uint8_t* nrrep_data, ...) {
2.
3. //Searching for previous stored elements with the same Operational
4. //Class together with Channel Number
5. if (find_nrrep_buffer_and_inc_channel_idx(ctx, nrrep_data, ...))
6. return NULL;
7.
8. //Creating a novel chemical component to concord the NRREP data
9. uint8_t* elem = zalloc(456);
10. if (!elem)
11. ... //Handle error
12. elem[4] = nrrep_data[16]; //Operational Class
13. ((uint16_t*)(elem + 6))[nrrep_data[17]]++; //Channel Number
14.
15. //Adding the chemical component to the linked listing of stored NRREPs
16. *((uint8_t**)elem) = ctx->previous_elem;
17. ctx->previous_elem = elem;
18. return elem;
19. }
As shown inwards the snippet above, the firmware keeps a linked listing of buffers, ane per “Operational Class”. Each buffer is 456 bytes long, together with contains the operational class, an array asset the number of neighbours per channel, together with a pointer to the next buffer inwards the list.
While non shown above, find_nrrep_buffer_and_inc_channel_idx performs a similar work - it goes over each chemical component inwards the list, looking for an entry matching the electrical flow operational class. Upon finding a matching element, it increments the vecino count at the index corresponding to the given channel number, together with returns 1, indicating success.
So why are these handlers interesting? Consider that valid 802.11 channel numbers make from 1-14 inwards the 2.4GHz spectrum, all the way upwards to 196 inwards the 5GHz spectrum. Since each vecino count acre inwards the array higher upwards is 16-bits wide, nosotros tin deduce that the vecino count array tin endure used to reference channel numbers upwards to 224 ((456 - 6)/sizeof(uint16_t) == 224).
However, looking a piddling closer it appears that the functions higher upwards make no attempt to validate the Channel Number field! Therefore, malicious attackers tin encode whatever value they want inwards that acre (up to 255). Encoding a value larger than 224 volition thus trigger a 16-bit increase to endure performed out-of-bounds (see line 13), thereby corrupting retentiveness after the NRREP buffer!
Understanding The Primitive
Before nosotros movement on, let’s have got a 2nd to sympathize the exploit primitive -- equally mentioned above, nosotros are able to perform 16-bit increments (which are also 16-bit aligned), spanning upwards to sixty bytes beyond our allocated buffer.
Oddly, spell the standards specify that each NRREP may contain several encoded reports (each of which should endure handled yesteryear the receiving station), it appears that the handler functions higher upwards only processes a unmarried IE at a time. Therefore, each NRREP nosotros ship volition endure able to trigger a single OOB increment.
9.6.7.7
This in conclusion fact ties inwards rather annoyingly with some other quirk inwards the firmware’s code -- namely, upon reception of each NRREP, the listing of stored NRREP elements is freed before proceeding to procedure the electrical flow chemical component (see line 7, where free_previous_nrreps is invoked). It remains unclear whether this is intended conduct or a bug, but the immediate outcome of this oddity is that next each OOB increment, the buffers are later freed, allowing other objects to have got their place.
Lastly, the reception of each NRREP triggers two allocations of distinct sizes; ane for the linked listing chemical component (456 bytes), together with some other to shop the report’s information (28 bytes). As a result, whatever heap shaping or preparation we’ll perform volition have got to have got both allocations into consideration.
Triggering The Vulnerability
Configuring The Network
To start out developing our exploit, we’ll exercise the same testify network environs nosotros described inwards the previous weblog post, using the next topology:
As we’re going to leverage NRREPs, it’s of import to laid upwards our testify network to back upwards vecino reports. Like many auxiliary Wi-Fi features, back upwards for NRREPs is indicated yesteryear setting the corresponding flake inwards the capability IEs broadcast inwards the network’s beacon. RRM-related functionality is encoded using the “RM Enabled Capabilities” information element.
Since we’re using hostapd to broadcast our network, we’ll enable the rrm_neighbor_report setting inwards our network’s configuration. Enabling this characteristic should laid the corresponding acre inwards the “RM Enabled Capabilities” IE to signal back upwards for vecino reports. Let’s inspect a beacon frame to brand sure:
Alright, seems similar our network configuration is valid! Next, we’ll want to build an interface allowing us to ship arbitrary vecino reports to peers inwards the network.
To do so, we’ll extend hostapd yesteryear adding novel commands to its command interface. Each novel command volition correspond to a unmarried frame type we’d similar to inject. After adding our code to hostapd, nosotros tin but connect to the command interface together with number the corresponding commands, thereby triggering the transmission of the requested frames from the access dot to the selected peer. You tin uncovering our patches to hostapd inwards the exploit package on the põrnikas tracker.
It should endure noted that this approach is non infallible. Since we’re utilising a SoftMAC dongle to transmit our internal network, the SoftMAC layer of the Linux Kernel is responsible for some of the MLME processing done on the host. Therefore, it’s possible that processing done yesteryear this layer volition interfere with the frames nosotros wishing to ship (or receive) during the exploit’s flow. To larn to a greater extent than or less this limitation, we’ve taken attention to build the frames inwards a mode that does non clash with Linux’s SoftMAC stack.
Sending NRREPs
After configuring together with broadcasting our network, nosotros tin finally travail to trigger the vulnerability itself. This brings us to a rather of import question; how volition nosotros know whether the vulnerability was triggered successfully or not? After all, a unmarried 16-bit increase may endure insufficient to campaign important corruption of the firmware’s memory. Therefore it’s alone possible that spell the OOB access volition occur, the firmware volition happily chug along without crashing, leaving no observable effects indicating the vulnerability was triggered.
Remembering our Wi-Fi debugger from the previous weblog post, ane course of education of activity similar a shot springs to heed -- why non but claw the NRREP processing role with our ain handler, together with consider whether our handler is invoked upon transmitting a malicious NRREP? This is easier said than done; it turns out most of the NRREP treatment functionality (especially the actual vulnerability trigger, which we’re interested in) is located inside the ROM, preventing us from inserting a hook.
As luck would have got it, a novel characteristic developed yesteryear Broadcom tin endure leveraged to solve this issue. To allow tracing different parts of the firmware’s logic, including the ROM, Broadcom have got introduced a laid of logging functions embedded throughout the firmware. Curiously, this machinery was non nowadays inwards the Android-resident firmwares nosotros had analysed inwards the past.
Reverse-engineering this mechanism, it appears to operate inwards the next manner: each line is assigned an identifier, ranging from 0x0 to 0x50. When a line is requested, the firmware inspects an internal array of the same size stored inwards the firmware’s RAM, to gage whether the line with the given identifier has been enabled or not. Each identifier has a corresponding 8-bit mask representing the types of traces enabled for it. As nosotros are able to access the firmware’s RAM, nosotros tin but enable whatever line nosotros similar yesteryear setting the corresponding bits inwards the line array. Subsequently, traces with the same ID volition endure outputted to the firmware’s console, allowing us to handily dump them using our Wi-Fi firmware debugger.
This functionality has also been incorporated into our Wi-Fi debugger, which exposes functions to read together with modify the log condition array equally good equally API to read out the firmware’s console.
Using the higher upwards API, nosotros tin at nowadays enable the traces referenced inwards the NRREP’s ROM handlers. Taking a closer appear at the NRREP treatment role inwards the firmware, nosotros come upwards across the next traces:
Alright, so we’ll demand to enable log identifier 0x16 to respect these traces. After enabling the trace, sending an NRREP together with reading out the firmware’s console, nosotros are greeted with the next result:
Great! Our traces are beingness hit, indicating that the NRREP is successfully received yesteryear the station. With that, let’s movement on to the next stair - devising an exploit strategy.
An Exploit Strategy
Understanding The Heap
Since the vulnerability inwards inquiry is a heap retentiveness corruption, it’s of import that nosotros have got a 2nd to familiarise ourselves with the allocator’s implementation. In short, it is a “best-fit” allocator, which performs forwards together with backward coalescing, together with keeps a singly linked listing of gratis chunks. When chunks are allocated, they are carved from the cease (highest address) of the best-fitting gratis chunk (smallest chunk that is large enough).
Free chunks consist of a 32-bit size acre together with a 32-bit “next” pointer, followed yesteryear the chunk’s contents. In-use chunks contain a unmarried 32-bit size field, of which the top thirty bits announce the chunk’s size, together with the bottom 2 bits signal condition bits. Putting it together, nosotros larn inwards at the next layout:
Sketching An Exploit Strategy
Before nosotros rush ahead, let’s start out yesteryear devising a strategy. We already know that our exploit primitive allows us to perform 16-bit increments, spanning upwards to sixty bytes beyond our allocated buffer.
It’s of import to banking concern complaint that the heap’s state, perhaps surprisingly, is incredibly stable -- piddling to no allocations are performed. What piddling allocations are made, are similar a shot freed thereafter. As for frames carrying traffic (received or transmitted); they are non carved from the heap, but rather drawn from a special “pool”. As such, the presence of traffic should non touching on the heap’s state.
The heap’s stability is a double-edged sword; on the ane hand, nosotros are guaranteed relative convenience when shaping together with modifying the heap’s state, equally no allocations other than our ain volition interfere with the heap’s structure. On the other hand, the laid of allocations that can endure made (and subsequently, targeted yesteryear us using the vulnerability primitive) is limited.
Indeed, going over the activity frame handlers together with searching for objects which may serve equally feasible targets for modification, nosotros come upwards up empty handed. The only information types that may endure allocated either shop their “interesting” information farther than 56 bytes away from their source (accounting for the in-use chunk’s header), or but do non contain “interesting” information for modification.
Perhaps, instead, nosotros could leverage the heap itself to hijack the command flow? If nosotros were able to hijack the “next” pointer of a gratis chunk together with later dot it at a location of our choosing, nosotros could overwrite the target address with a subsequent allocation’s contents. This prospect sounds rather alluring, so let’s attempt together with pursue this route.
Writing An Exploit
Hijacking Influenza A virus subtype H5N1 Free Chunk
To hijack a gratis chunk, we’ll demand to commandeer a chunk’s “next” pointer. Recall that our exploit primitive allows us some marking of command over neighbouring information structures. As such, let’s consider the next placement inwards which a gratis chunk is inside make of the NRREP buffer:
Leveraging our OOB increment, nosotros tin straight modify the chunk’s “next” pointer yesteryear sending an NRREP asking with the corresponding channel number. Naively, this would allow us to gain command over a gratis chunk inwards the heap, yesteryear but directing the “next” at a location of our choosing.
However, this approach turns out to endure infeasible.
In social club to direct the “next” pointer at a meaningful address, we’d have got to either know its value inwards advance (in social club to calculate the number of increments required to convert the pointer from its electrical flow value to the target value), or we’d have got to know the relative offset betwixt its electrical flow value together with the desired target.
As nosotros do non know the exact addresses of heap chunks (nor would nosotros want to resort to guessing them), the sometime alternative is ruled out. What close the latter approach? Recall that our primitive allows for 16-bit increments. Therefore, nosotros tin either increase the pointer’s value yesteryear 1 (by increase the bottom one-half word), or yesteryear 65536 (by incrementing the top one-half word).
Incrementing the pointer yesteryear 1 volition resultant inwards an unaligned chunk address inwards the freelist. Recall, however, that our vulnerability primitive triggers deallocations on every invocation. As it happens, the allocator’s “free” role validates that each chunk inwards the freelist is aligned. When an unaligned block inwards encountered, it generates a fault together with halts the firmware. Thus, an increase on of bottom half-word volition resultant inwards the firmware crashing.
Incrementing the top half-word similarly fails; since all the heap’s chunks are less than 65536 away from the RAM’s cease address, incrementing the top half-word volition resultant inwards the “free” role attempting to access retentiveness beyond the RAM, triggering an access violation together with halting the firmware.
So how tin nosotros commandeer a gratis chunk nevertheless?
To do so we’ll demand to exercise a to a greater extent than subtle approach - instead of modifying the gratis chunk’s contents directly, we’ll aim to accomplish a layout inwards which 2 gratis chunks overlap ane another, thereby causing allocations carved from ane chunk to overwrite the metadata of the other (leading to command over the latter’s “next” pointer).
Heap Shaping
Achieving a predictable heap layout is telephone commutation for a reliable exploit. As our electrical flow destination is to create a specific layout (namely, 2 overlapping heap chunks), nosotros require setting upwards the heap inwards a mode which would allow us to accomplish such a layout.
Classically, heap shaping is performed yesteryear leveraging primitives allowing for command either over an allocation’s lifetime, or optionally over the allocation’s size. Triggering allocations inside the heap without similar a shot freeing them, allows us to create total “holes” inwards the heap, leading to a to a greater extent than predictable layout.
The allocator used inwards the firmware is a “best-fit” allocator which allocates from high addresses to lower ones. Consequently, if all “holes” inwards the heap of a sure enough size are filled, subsequent allocations of the same size (or larger) would endure carved from the best-fitting chunk, proceeding from top to bottom, thus creating a linear allotment pattern.
To sympathize the Wi-Fi firmware’s heap layout, let’s have got a snapshot of the heap’s nation using our Wi-Fi debugger (repeating the procedure multiple times to occupation organisation human relationship for whatever variability inwards the state):
As nosotros tin see, several small-scale chunks are strewn across the heap, amongst a unmarried large chunk. From the construction above, nosotros tin deduce that inwards social club to create a predictable allotment blueprint for our NRREP buffer, we’d but demand a shaping primitive allowing us to create total all the “holes” whose sizes tally that of the NRREP buffer.
However, this is easier said than done. As we’ve mentioned before, piddling allocations occur during routine operations, together with those that do are similar a shot freed thereafter. Combing through all the activity frame handlers, nosotros neglect to uncovering fifty-fifty a unmarried instance of a retentiveness leak (i.e., an allotment with infinite lifetime), or fifty-fifty an allotment that persists beyond the compass of the handlers themselves. Be that equally it may, nosotros do know of ane mechanism, governed yesteryear activity frames, which could offering a solution.
Normally, each Wi-Fi frame received yesteryear a station is individually acknowledged yesteryear transmitting a corresponding acknowledgement frame inwards response. However, many use-cases be inwards which multiple frames are expected to endure sent at the same time; requiring an acknowledgement for each private frame inwards those cases would endure rather inefficient. Instead, the 802.11n criterion (expanding on 802.11e) introduced “Block Acknowledgements” (BA). Under the novel scheme, stations may admit multiple frames at once, yesteryear transmitting a unmarried BA frame.
To utilise BAs, a corresponding session must firstly endure constructed. This is done yesteryear transmitting an ADDBA Request (IEEE 802.11-2016, 9.6.5.2) from the originating peer to the responder, resulting inwards an ADDBA Response (9.6.5.3) beingness sent inwards the opposite direction, acknowledging a successful setup. Similarly, BAs tin endure torn downwardly yesteryear sending a DELBA frame, indicating the BA should no longer endure active. Each BA is identified yesteryear a unique Traffic Identifier (TID). While the criterion specifies upwards to xvi supported TIDs, the firmware only supports the firstly 8, restricting the number of BAs possible inwards firmware to the same limit.
Since the lifetime of BAs is explicitly controlled yesteryear the construction of the corresponding BA sessions, they may constitute practiced heap shaping candidates. Indeed, going over the corresponding activity frame handler inwards the firmware, it appears that every allocated BA results inwards a 164-byte allotment beingness made, asset the BA’s contents. The allotment persists until the corresponding DELBA is received, upon which the BA construction corresponding to the given TID is freed.
To exercise BAs inwards our network, we’ll add together a novel command to hostapd, allowing injection of both ADDBA together with DELBA requests with crafted TIDs. Furthermore, we’ll have got attention to compile hostapd with back upwards for 802.11n (CONFIG_IEEE80211N) together with to enable it inwards our network (ieee80211n).
Putting the higher upwards together, nosotros larn inwards at a pretty powerful heap shaping primitive! By sending ADDBA Requests, nosotros tin trigger the allotment of upwards to 8 distinct 164-byte allocations. Better yet, nosotros tin selectively delete the allocations corresponding to each BA yesteryear sending a DELBA frame with the corresponding TID.
Having said that, 2 immediate downsides also natural springtime to mind. First, the allotment size is fixed, thus nosotros cannot exercise the primitive to shape the heap for allocations smaller than 164 bytes. Secondly the contents of the BA buffers are uncontrolled yesteryear us (they by together with large contain bit-fields used for reordering frames inwards the BA).
Attempting Overlapping Chunks
Using our shiny novel shaping primitive, nosotros tin at nowadays proceed to shape the heap inwards a mode allowing the creation of overlapping chunks. To do so, let’s start out yesteryear allocating all the BAs, from 0 through 7. The firstly few allocations volition create total inwards whatever holes tin accommodate them inside the heap. Subsequently, the residuum of the allocations volition endure carved for the primary heap chunk, advancing linearly from high addresses to lower ones.
(Grey blocks signal gratis chunks)
Quite conveniently, equally the allotment primitive is much larger than the “small buffer” allocated during the NRREP request, it allows the smaller holes inwards the heap, those large plenty to concord the 28 byte allocation, to persist. Consequently, the “smaller buffer” is but carved from ane of the remaining holes, allowing us to safely ignore it.
Getting dorsum to the number at mitt - inwards social club to create an overlapping allocation, all we’d demand to do is exercise the vulnerability primitive to increase the size acre of ane of the BAs. After growing the size yesteryear whichever amount nosotros desire, nosotros tin proceed to delete the newly expanded BA, along with its neighbouring BAs, causing an overlapping allocation.
Unfortunately, running through the higher upwards scenario results inwards a resounding failure -- the firmware crashes upon whatever travail to gratis a block causing an overlapping allocation…
To larn downwardly to the bottom of this strange behaviour, we’ll demand to locate the source of the crash. Inspecting the AppleBCMWLANBusInterfacePCIe driver, it appears that whenever a trap is generated yesteryear the firmware, the driver but collects the aforementioned crash data, together with outputs it to the device’s syslog. Therefore, to inspect the crash report, we’ll but dump the syslog using idevicesyslog. After generating a crash nosotros are presenting with the next output:
Inspecting the source address of the crash inwards the firmware’s image, nosotros come upwards across an unfamiliar block of code inwards the “free” function, which was non nowadays inwards prior firmware versions. In fact, the entire role seems to have got many of these blocks… To sympathize this novel code, let’s dig a piddling deeper.
New Mitigations
Going over the allocator’s “free” function, nosotros uncovering that inwards improver to freeing the blocks themselves, the role at nowadays performs several additional verifications on the heap’s structure, meant to ensure that it is non corrupted inwards whatever way. If whatever violations are detected, the firmware calls an “abort” function, later causing the firmware to crash.
After reverse-engineering all the higher upwards validations, nosotros larn inwards at the next listing of mitigations:
- The chunk’s bounds are compared against a pre-populated listing of “allowed” regions.
- The chunk is compared against all other chunks inwards the freelist, searching for overlaps.
- The chunk is checked against a listing of “disallowed” regions.
- The chunk is ensured to endure 4-byte aligned.
If whatever violation is detected, the firmware triggers the “abort” function, thereby halting execution.
It appears that Broadcom has done some hardening on the allocator! This is smashing from a security perspective, but rather bleak tidings for our exploit, equally it appears that whatever travail to create an overlapping twain of chunks volition resultant inwards a crash. Perhaps we’re out of luck…
Bypassing Mitigation #1
...Or are we?
Instead of firstly increasing a heap block’s size, together with so freeing it to create overlapping chunks, let’s opt for different approach. We’ll suit for the next layout; first, we’ll create 2 gratis chunks, which are non similar a shot next to ane some other (to preclude the allocator from coalescing them). Then we’ll exercise the NRREP primitive to slow increase the size of ane block, until it overlaps the other.
However, equally the NRREP primitive only allows us to modify information extending upwards to sixty bytes after the buffer, together with each BA buffer is much larger inwards size (164 bytes), we’ll firstly demand to devise a innovation to larn our NRREP buffer closer to a gratis chunk, without it truly impeding on the chunk (and thereby coalescing with it).
We’ll do so yesteryear leveraging a piddling trick. After allocating all the BAs, we’ll proceed to slightly increase the in conclusion BA’s size using the vulnerability primitive. Once that chunk is freed, a gratis chunk is later created inwards its place, spanning the novel expanded size instead of the original allocation’s size. Since the novel gratis chunk extends into neighbouring BAs, the next BA allotment volition thus overlap a previously allocated BA. This allows us to effectively “sink” an allotment into neighbouring blocks, advancing the compass of influence of our NRREP buffer to previously unreachable objects!
As the allocator’s “malloc” role zeroes every chunk upon allocation, next the innovation higher upwards volition Pb to BA6’s size beingness laid to zero. However, there’s no demand to fret, nosotros tin but increase it using our NRREP primitive (as we’re at nowadays inside make of BA6).
Next, we’ll increase BA6’s size slightly until it nearly overlaps with BA5. Then, nosotros tin gratis both BAs, together with proceed to exercise the NRREP buffer to increase BA6’s gratis chunk until it overlaps with BA5’s. It’s of import to banking concern complaint that since both “holes” are much smaller than the NRREP buffer, it won’t endure placed inside them, leaving us to utilise them equally nosotros please.
Bypassing Mitigation #2
Having created a twain of overlapping free-chunks, our firstly instinct is to carve an allotment from the encompassing chunk, thereby overwriting the other chunk’s metadata. To do so, we’ll demand to uncovering an allotment primitive allowing for command over its contents.
Recall that nosotros have got already searched for (and failed to locate) allocations with a controlled lifetime. Therefore, whatever allotment primitive nosotros do uncovering would endure ane with a limited lifespan. But alas, freeing an allotment carved from whatever of the overlapping chunks volition Pb us ane time over again to the “free” function’s overlapping chunk mitigation, later halting the firmware (and thwarting our attempt). Let’s have got a closer appear at the mitigation together with consider whether nosotros tin uncovering a way to a greater extent than or less it.
Going through the code, it appears to have got the next high-level logic:
1. //Calculating the electrical flow chunk’s bounds
2. uint8_t* start = (uint8_t*)cur + sizeof(uint32_t);
3. uint8_t* end = start + (cur->size & 0xFFFFFFFC);
4.
5. //Checking for intersection betwixt the electrical flow chunk together with each free-chunk
6. for (freechunk_t* p = get_freelist_head(); p != NULL; p = p->next) {
7. uint8_t* p_start = (uint8_t*)p;
8. uint8_t* p_end = p_start + (p->size & 0xFFFFFFFC) + 2 * sizeof(uint32_t);
9. if (end > p_start && p_end > start)
10. CRASH();
11. }
As nosotros tin consider above, the code snippet higher upwards lacks checks for integer overflows! Therefore, yesteryear storing a sufficiently large size inwards a gratis chunk, the calculation of p_end volition resultant inwards an integer overflow, leading the value stored to cash inwards one's chips a depression address. Consequently, the facial expression at line nine volition ever evaluate to “false”, allowing us to bypass the mitigation.
Great, so all nosotros demand to do is ensure that when overwriting BA5’s gratis chunk, nosotros also laid its size to an exorbitantly large value. Moreover, equally we’re dealing with a “best-fit” allocator, such a chunk volition never endure the best plumbing equipment (as smaller chunks volition ever exist), thus there’s no demand to worry close the allocator using our malformed chunk inwards the interim.
Creating Overlapping Chunks
To proceed, we’ll demand to locate an allotment primitive allowing command over its contents, together with preferably also offering a controlled size. Using such a primitive, we’ll endure able to create an allotment for which BA6’s gratis chunk is the best fitting, later overwriting BA5’s free-chunk header.
Going through the activity frame handlers ane time again, nosotros uncovering a near-fit; Spectrum Measurement Requests (SPECMEAS). In short, SPECMEAS frames (9.6.2.2) are activity frames belonging to the Spectrum Management category. These requests are used yesteryear access points to learn stations to perform diverse measurements together with study the results dorsum to the network.
Broadcom’s Wi-Fi firmware supports 2 different types of measurements; a “basic” measurement, together with a “Clear Channel Assessment” (CCA) measurement. Upon receiving a SPECMEAS request, the firmware allocates a buffer inwards social club to shop the report’s data. For every “CCA” mensuration received, v bytes are added to the buffer’s size. However, for every “CCA” mensuration encountered, 17 bytes are added to the buffer, of which many contain attacker-controlled data!
Using this primitive nosotros tin thus trigger allocations of sizes that are linear combinations of v together with 17. For every 17-byte block corresponding to a “basic” measurement, nosotros tin command several of the embedded bytes (namely, those at indices [5,15], 2).
While non a perfect allotment primitive, it’ll have got to do. Since at that topographic point are to a greater extent than than 8 subsequent controlled bytes for each “basic” mensuration request, nosotros tin exercise them inwards social club to overwrite BA5’s gratis chunk header (the 32-bit size together with pointer fields). By using a linear combination of the sizes above, we’ll guarantee that the controlled bytes are aligned with BA5’s gratis chunk header. Lastly, the size of the allotment performed must also endure chosen so that BA6’s gratis chunk is the best plumbing equipment (therefore forcing the allotment to endure carved from it, rather than other gratis chunks). Putting it all together, nosotros larn inwards at the next layout:
Overwrite Candidates
Now that we’re able to commandeer gratis chunks, nosotros precisely demand to uncovering some overwrite candidates inwards social club to hijack the command flow.
Whereas inwards the previous firmware versions nosotros researched, in-use chunks contained the same fields equally a gratis chunks (namely, 32-bit size together with next fields), the electrical flow chunks’ formats brand them incompatible with gratis chunks. Therefore, in-use chunks normally do non constitute valid targets to impersonate gratis chunks.
Nonetheless, it is non alone impossible that such objects exists. For example, whatever in-use allotment starting with a 32-bit null discussion would endure a valid gratis chunk. Similarly, chunks could start out with 32-bit pointers to other information types, which themselves may constitute a valid chain of gratis chunks. Even ameliorate yet, whatever information construction inwards the firmware’s RAM (not only heap chunks) could conceivably masquerade equally a gratis chunk, so long equally it follows the higher upwards format.
To larn to the bottom of this, we’ve written a brusk script that goes over the firmware’s contents, searching for blocks that tally the aforementioned description. Each block nosotros uncovering constitutes a potential overwrite target yesteryear directing our simulated gratis chunk at it. Running the script on a RAM dump of the firmware, nosotros are greeted with the next result:
Great, at that topographic point appear to endure several candidates for overwrite!
In our previous exploration of the Wi-Fi firmware, nosotros identified a sure enough shape of objects that made practiced targets for hijacking command flow -- timers. These structures concord role pointers denoting periodically invoked timer functions. While many such timers be inwards the electrical flow firmware equally well, they are rather difficult to overwrite using the higher upwards primitive. First, they do non start with a 32-bit null acre (but rather with the magic value “MITA”). Second, each timer is a link inwards a doubly-linked list, whose contents are constantly manipulated. To overwrite a timer, we’d demand to insert a valid chemical component into the list.
Instead, going over the listing of candidates above, nosotros come upwards across a construction inside the “persist” segment, containing a block of role pointers. Using our firmware debugger, nosotros tin indeed verify that several of the role pointers inside this construction are periodically invoked. Therefore, yesteryear finding a gratis chunk candidate inside this block, nosotros should endure able to commandeer ane of the aforementioned role pointers, directing it at a location of our choice.
Unfortunately, attempting to do so results inwards a resounding failure.
Bypassing Mitigation #3
Each travail to allocate information on top of the aforementioned block of role pointers using SPECMEAS frames, similar a shot causes the firmware to halt. Inspecting the source of the crash leads us dorsum to ane of the mitigations nosotros mentioned before on; the “disallowed ranges” list.
Apparently, the entire “persist” block is contained inwards the listing of regions inside which “free” operations must non occur. Consequently, without bypassing this mitigation, nosotros volition non endure able to overwrite information inside the aforementioned range.
Thinking close this mitigation for a moment, nosotros come upwards up with an interesting proposition: perhaps nosotros could exercise our commandeered gratis chunk inwards social club to overwrite the “disallowed ranges” listing itself?
While the list’s contents lays inside ane of the disallowed zones, recollect that this validation is only performed yesteryear the “free” function, whereas “malloc” volition happily carve allocations at whatever address, without consulting the higher upwards list. Therefore, yesteryear pointing our gratis chunk to a location overlapping the “disallowed ranges” list, nosotros tin exercise a SPECMEAS frame to overwrite its contents (thereby nullifying its effect). While SPECMEAS frames are similar a shot freed after they are allocated, this is no longer a concern, equally yesteryear the fourth dimension the “free” occurs, the “disallowed ranges” volition have got already been overwritten!
Putting It All Together
Using the steps above, nosotros tin disable the “disallowed ranges” list, allowing us to later exercise the commandeered gratis chunk inwards social club to hijack ane of the role pointers inwards the persist block. Finally, nosotros but require a way of stashing some shellcode inwards a predictable location inside the firmware’s RAM. By doing so, nosotros volition endure able to direct the aforementioned role pointer at our shellcode, leading to arbitrary code execution.
Since the addresses inside the “persist” block are fixed, they brand for prime number candidates to shop our shellcode. Searching through the block, nosotros come upwards across several potential overwrite candidates, whatever of which tin endure hijacked with our “fake” gratis chunk.
However, there’s ane to a greater extent than hurdle to overcome -- the code we’re close to shop must non endure overwritten at whatever point. If the code is inadvertently overwritten, the firmware volition travail to execute a corrupted chunk of code, peradventure leading it to crash.
To larn to a greater extent than or less this limitation, we’ll exercise ane to a greater extent than activity frame: Radio Measurement Requests (RMREQ). These frames are component of the 802.11k RRM standard, together with allow for periodic measurements to endure performed (and reported) yesteryear the firmware. Similarly to SPECMEAS frames, their handler allocates several bytes of information for each mensuration IE encoded inwards the request.
Most importantly, RMREQ frames include a acre denoting the number of repetitions that stations should perform when receiving the scan request. Going through the specification reveals that this acre also has a “special” value, allowing scans to cash inwards one's chips along indefinitely:
IEEE 802.11-2016, 9.6.7.3
By encoding this value inwards an RMREQ frame, nosotros tin guarantee that the corresponding allocated buffer volition non endure later freed, thus allowing condom storage of our code.
Lastly, nosotros demand to consider the work of the shellcode’s internal structure. Unlike SPECMEAS frames which allowed us to command multiple bytes inwards each chunk of the allocated buffer, RMREQ frames only render command over 4 subsequent bytes out of every 20-bytes allocated. Luckily, equally Thumb is a dense education set, it allows us to cram 2 education into each 32-bit controlled word. Therefore, nosotros tin intermission upwards our shellcode using the next pattern: the firstly 16-bit discussion volition encode an education of our choosing, whereas the 2nd discussion volition contain a relative branch to the next controlled chunk. Formatting our shellcode inwards this mode allows us to build arbitrarily large chunks of shellcode:
Building a Backdoor
Combining all the primitives above, nosotros tin finally stash together with execute a chunk of shellcode on the Wi-Fi firmware!
To allow for easier exploration of the firmware, it’s worth taking a 2nd to convert this rudimentary shape of access to a to a greater extent than refined toolset. Otherwise, we’d have got to resort to encoding all the post-exploitation logic using segmented chunks of shellcode -- non an alluring prospect.
We’ll start out yesteryear using the shellcode higher upwards to write a small-scale “backdoor” into the firmware, which we’ll telephone band the “initial payload”. This payload constitutes the most minimal backdoor imaginable; it but intercepts the NRREP handler, together with reads 2 32-bit words from it, storing the value of ane discussion into the address denoted yesteryear the other. The initial payload thus allows us to perform arbitrary 32-bit writes to the firmware’s RAM, yesteryear sending crafted NRREP frames over-the-air.
Next, we’ll exercise the initial payload inwards social club to write a to a greater extent than sophisticated one, which we’ll refer to equally the “secondary payload”. This payload also intercepts the NRREP handler (replacing the previous hook), but allows for a far richer laid of commands, namely:
- Reading information from the firmware RAM
- Writing to the firmware’s RAM
- Executing a shellcode stub
- Performing a CRC32 calculation on a block of data
The capabilities higher upwards allow us to fully command the firmware’s over-the-air, from the security of a python script. Indeed, non different our enquiry platform, we’ve implemented the protocols for communicating with the backdoor inwards python, allowing for APIs implementing all of the functionality above.
In fact, the 2 are so similar, that several of the enquiry framework’s modules tin endure straight executed using the secondary payload, yesteryear but supervene upon the retentiveness access APIs inwards the enquiry framework with those offered yesteryear the secondary payload.
The Exploit
Summing upwards all the piece of work above, we’ve finally written a consummate exploit, allowing code execution on the Wi-Fi chip of the iPhone 7. You tin uncovering the consummate exploit here.
The exploit has been tested against the Wi-Fi firmware nowadays inwards iOS 10.2 (14C92). The vulnerability is nowadays inwards versions of iOS upwards to (and including) iOS 10.3.3. Researchers wishing to utilise the exploit on different iDevices or different versions, would endure required to adjust the necessary symbols used yesteryear the exploit (see “exploit/symbols.py”).
Note that the exploit continuously attempts to install the backdoor into the Wi-Fi firmware, until it is successful. For whatever unsuccessful attempt, the firmware but silently reboots, allowing the exploit to cash inwards one's chips along along. Moreover, due to a clever feat of engineering yesteryear Apple, rebooting the firmware does non interrupt ongoing connections; instead, they are continued equally the chip reboots, allowing for a rather stealthy attack.
Wrapping Up
Over the course of education of this weblog ship service nosotros performed a deep dive into the Wi-Fi firmware nowadays on the iPhone 7. Our exploration led us to uncovering novel assault surfaces, several added mitigations, together with multiple vulnerabilities.
By exploiting ane of the aforementioned vulnerabilities, nosotros were able to gain command over the Wi-Fi SoC, allowing us to gain a foothold on the device itself, straight over-the-air. In doing so, nosotros also bypassed several of the firmware’s exploit mitigations, demonstrating how they tin endure reinforced inwards futurity versions.
In the next weblog post, we’ll consummate our journeying towards total command over the target device, yesteryear devising a total exploit chain allowing us to leverage our newly acquired command over the Wi-Fi chip inwards social club to launch an assault against iOS itself. Ultimately, we’ll build an over-the-air exploit allowing consummate command over the iOS kernel.
Komentar
Posting Komentar