01 |
02 |
03 |
04 |
05 |
06 |
07 |
08 |
09 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
6-Jul-2015 [11:40] -- IOKit fuzzing, sMethods and IDA
I was scanning through the BlackHat 2015 talks and found an
IOKit fuzzing one. Nice! From the description it sounds they are doing something similar to some research I did in 2014: IOKit fuzzing and vulnerability research.
IOKit fuzzing is not as trivial as it sounds. A vulnerability researcher cannot simply send raw data and expect results. There are constrains such as input buffer size and output buffer size for each Method exposed by a UserClient instance. The kernel will simply reject any request with invalid sizes.
The only fuzzing way I have seen is a MiTM approach but that does not give you 100% coverage leaving a lot of bugs undiscovered.
The approach I take (part of a bigger project I someday will release *or not*) uses an IDA script to find those UserClient derived vtables and with some reverse engineering the exposed methods and the input/output buffer sizes. Since we do not have symbols it is not as straightforward as it seams so I used some heuristics to detect the vtables.
My script looks for references of a function that is highly unlikely to be overriden from an UserClient. This function is IOUserClient::getNotificationSemaphore(). Finding all references means we have found mainly all UserClient derived vtables. This still does not give us much since we do not know what functionality this UserClient exposes and the constrains to reach it.
Then, my approach is to see if IOUserClient::externalMethod() or IOUserClient::getTargetAndMethodForIndex() got overriden. If it happened the UserClient is exposing functionality and being more specific what we are looking for: sMethod table which describes functions, sizes, etc...
Now we know what to reverse and where to find sMethods. Some reversing can be automated since most of these overriden functions are very similar following Apple's guidelines... but some not.
As an example, here is Apple's way of
exposing sMethods via getTargetAndMethodForIndex() and
via externalMethod() table.
My IDA script can be found
here.
And the output:
IOUserClient::getNotificationSemaphore at 8009c614
com.apple.iokit.IOStreamAudioFamily - IOUserClient::getTargetAndMethodFromIndex overriden (80418d58 - sub_80418D58)
com.apple.driver.DiskImages - IOUserClient::getTargetAndMethodFromIndex overriden (8043e3e0 - sub_8043E3E0)
com.apple.driver.FairPlayIOKit - IOUserClient::getTargetAndMethodFromIndex overriden (8045345c - sub_8045345C)
com.apple.driver.LSKDIOKit - IOUserClient::getTargetAndMethodFromIndex overriden (804b7668 - sub_804B7668)
com.apple.iokit.IOReporting - IOUserClient::externalMethod overriden (804d4754 - sub_804D4754)
com.apple.driver.AppleARMPlatform - IOUserClient::externalMethod overriden (804df834 - sub_804DF834)
com.apple.driver.AppleVXD375 - IOUserClient::externalMethod overriden (8051bf18 - sub_8051BF18)
com.apple.iokit.IOAudio2Family - IOUserClient::externalMethod overriden (8056e984 - sub_8056E984) IOUserClient::getTargetAndMethodFromIndex overriden (8056ea4c - sub_8056EA4C)
[...]
com.apple.driver.AppleMobileFileIntegrity - IOUserClient::externalMethod overriden (807be4c0 - )
com.apple.iokit.IOUSBFamily -
com.apple.iokit.IOUSBFamily - IOUserClient::externalMethod overriden (807e3d40 - sub_807E3D40)
com.apple.iokit.IOUSBFamily - IOUserClient::externalMethod overriden (807e6f0c - sub_807E6F0C)
com.apple.iokit.IOSurface - IOUserClient::externalMethod overriden (808239dc - sub_808239DC)
com.apple.iokit.IOSurface - IOUserClient::getTargetAndMethodFromIndex overriden (80824600 - sub_80824600)
com.apple.iokit.IOMobileGraphicsFamily - IOUserClient::externalMethod overriden (8082d670 - ) IOUserClient::getTargetAndMethodFromIndex overriden (8082caac - )
com.apple.driver.IODARTFamily - IOUserClient::externalMethod overriden (8083fdd0 - sub_8083FDD0)
com.apple.driver.AppleM2ScalerCSC - IOUserClient::getTargetAndMethodFromIndex overriden (8084c2c4 - sub_8084C2C4)
Fermin J. Serna - @fjserna
Comments (0)