[CB18] Crashing to root: How to escape the iOS sandbox using abort() by Brandon Azad

Video description: [CB18] Crashing to root: How to escape the iOS sandbox using abort() by Brandon Azad

Apple has greatly improved iOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented in iOS and whether it poses a viable attack vector. What began as a seemingly absurd question ended with control over every userspace process on the phone.

In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability, how to bypass protections in order to trigger the bug, and how to exploit the bug to escape the application sandbox and execute code with full system privileges. I'll also explain a recently disclosed mitigation bypass and a technique I discovered to obtain the coveted task_for_pid-allow entitlement, which grants control over any userspace process. This technique bypasses recent defenses designed to stop even unsandboxed root processes from taking control of other processes.

The talk will assume basic familiarity with iOS, but I'll briefly cover the concepts we'll need (code signing, sandboxing, Mach ports, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation are available online.
