Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox

Explore a comprehensive analysis of iOS security vulnerabilities in this Black Hat conference talk. Delve into the intricacies of remotely compromising iOS devices via Wi-Fi and escaping the sandbox. Learn about the changing landscape of iOS security, the mechanics of Captive Portal, and the step-by-step process of creating a malicious Wi-Fi network. Examine various usermode bugs, including CVE-2016-7630, and their implications on sandbox profiles, WebSheet entitlements, and managed configurations. Witness a live demonstration and gain insights into kernel bug case studies, with a focus on 9.3.x kernel bugs. Enhance your understanding of iOS security challenges and potential attack vectors in this 38-minute presentation by Marco Grassi from Tencent Keen Security Lab.

Syllabus

Intro
About Tencent Keen Security Lab
Rules changed
WiFi on iOS, Captive Portal
Captive Portal on iOS: How does it work?
Plan of attack
Create a Malicious Wi-Fi Network
Serving a Webkit Exploit
Where we gained code execution?
Usermode bugs
CVE-2016-7630 - Sandbox Profile
CVE-2016-7630 - WebSheet entitlements
CVE-2016-7630 - Managed configuration
CVE-2016-7630- How to create a configuration profile
Offtopic, is jumping through webviews new?
DEMO
Comparisons and thoughts
Kernel bug case study
9.3.x kernel bugs
Conclusions