Over the past several years, zone corruption vulnerabilities have been frequently leveraged by attackers in exploiting the iOS and OS X kernel. In response to their prevalence and gained popularity, iOS 6 and OS X Mountain Lion introduced numerous mitigations and hardening measures in order to increase the security and robustness of the zone allocator. In particular, these enhancements seek to prevent an attacker from leveraging well-known exploitation primitives such as the free list pointer overwrite. In iOS 7 and OS X Mavericks, further improvements have been made to the zone allocator, primary aimed at improving its efficiency. Notably, these improvements have caused significant changes to zone page management and have introduced a new zone page metadata structure. In this blog post, we revisit the zone allocator and detail the updates made by Apple in iOS 7 and OS X Mavericks. We then show how these changes yet again may allow an attacker to generically exploit zone corruption vulnerabilities.
Read more ยปLabels: Exploitation, iOS, Kernel, OS X, Vulnerabilities
