SHAtter Exploit Backstory

Discussion in 'Latest Tech News and Rumors' started by Stromos, Sep 29, 2010.

  1. Stromos

    Stromos Active Member

    Joined:
    Sep 23, 2008
    Messages:
    463
    Likes Received:
    114
    Device:
    iPhone 6
    p0sixninja has begun the process of adding SHAtter to the iPhone Wiki. So far the article is a backstory narrative on the process of finding the exploit. Due to high traffic a mirror of the story is available here, http://pastie.org/1189141.


    Credits

    vulnerability: posixninja (07/05/2010)
    research: posixninja, pod2g, also MuscleNerd
    exploit: pod2g (09/09/2010)

    Vulnerability

    In April 2010 pod2g wrote a USB fuzzer and tested every single USB control message possible on his iPod2,1. The fuzzer found 2 vulnerabilities:
    - a heap overflow caused by the A1,1 control message
    - a way to dump the bootrom using a USB descriptor request

    The team tested both PoCs on new generation devices (iPhone2,1, iPod3,1, iPad) and both were already fixed by Apple.

    posixninja continued the fuzzing on new gens and found that with a particular sequence of USB messages it was possible to dump the BSS+Heap+Stack (on new gens only). Having a memory dump is really helpful to make exploits and it was also the first time we had this kind of dump, previous bootrom exploits (ex: 24kpwn) were done blind!

    Also, his first attempts to dump the memory resulted in rebooting the device. Interesting! We'll see later that this reboot is the basis of the SHAtter exploit.

    (details on the vulnerability itself soon to come)

    Research

    The research started and the main actor of this story is posixninja. He found why the device reboots and proposed different ideas to exploit this. posixninja also reversed tons of assembly code of the bootrom in this period, supporting the team's discussions. We're not talking about days, but months of work. So, major props to posixninja: SHAtter would not have been possible without the clever vulnerability he found and the research he did on the bootrom.

    In the meanwhile, pod2g helped on the USB reversing side and found a way to have more control over the size of the USB packets sent. The finer-grained control of the packet sizes is the key of SHAtter.

    posixninja and pod2g worked on exploiting the vulnerability for days. Every attempt was a failure because the idea to attack the stack and bypass the img3 control routines was just impossible. It took them weeks to understand why they failed and why they couldn't exploit it this way.

    They both gave up in July and focused on other subjects.
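The backstory above describes two techniques without showing either: a fuzzer that walks the USB control-request space looking for requests that make the device stall, hang or reboot, and control over how a transfer's data stage is cut into packets. The following is an added example written for this thread, not pod2g's or p0sixninja's fuzzer and not the iPhone Wiki's code. Everything in it is an assumption made for illustration: `MockDevice` is a constructed stand-in for a device under test (the planted vendor request 0xC0/0x42 and its 0x200-byte buffer are made up and say nothing about any real bootrom), and `control_request_space`, `fuzz`, `setup_packet` and `data_stage_packets` are names chosen here. Only the 8-byte SETUP packet layout and the short-packet/zero-length-packet rule for the data stage come from the USB 2.0 specification; on real hardware `send` would wrap `libusb_control_transfer` and the reboot outcome would show up as the device disappearing from the bus.

```python
"""Added example: enumerate the USB control-request space and drive it against
a device callback, bucketing timeouts and reboots as findings.  Not pod2g's
fuzzer; the device model below is constructed for this example."""
import struct
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple

# USB 2.0 spec 9.3: every control transfer begins with an 8-byte SETUP packet,
# little-endian: bmRequestType, bRequest, wValue, wIndex, wLength.
SETUP_FMT = "<BBHHH"
Request = Tuple[int, int, int, int, int]

# Host-side observable outcomes (labels chosen for this example).
OK, STALL, TIMEOUT, REBOOT = "ok", "stall", "timeout", "reboot"


def setup_packet(req: Request) -> bytes:
    """Pack (bmRequestType, bRequest, wValue, wIndex, wLength) into wire format."""
    return struct.pack(SETUP_FMT, *req)


def parse_setup(pkt: bytes) -> Request:
    """Inverse of setup_packet; anything that is not exactly 8 bytes is rejected."""
    if len(pkt) != 8:
        raise ValueError("SETUP packet must be 8 bytes")
    return struct.unpack(SETUP_FMT, pkt)


def control_request_space(
    lengths: Iterable[int] = (0, 1, 8, 64, 255, 512, 4096, 0xFFFF),
) -> Iterable[Request]:
    """Every bmRequestType/bRequest pair (65536 of them) at boundary wLength
    values.  All 256 bmRequestType bytes are sent, not just the 32 legal
    direction/type/recipient combinations, because firmware parses the raw byte.
    wValue/wIndex stay 0 here; a full campaign would vary them too."""
    for bm, br, wl in product(range(256), range(256), tuple(lengths)):
        yield (bm, br, 0, 0, wl)


def data_stage_packets(payload: bytes, max_packet: int, wLength: int) -> List[bytes]:
    """Cut an IN data stage into wMaxPacketSize packets as the other side sees
    them.  The stage ends on the first short packet or once wLength bytes have
    moved, so returning fewer than wLength bytes in an exact multiple of
    max_packet requires a trailing zero-length packet to terminate it."""
    payload = payload[:wLength]
    chunks = [payload[i:i + max_packet] for i in range(0, len(payload), max_packet)]
    if len(payload) < wLength and len(payload) % max_packet == 0:
        chunks.append(b"")
    return chunks


def fuzz(send: Callable[[bytes], str], requests: Iterable[Request]) -> Dict[str, List[Request]]:
    """Push every request through send() and keep only abnormal outcomes.
    STALL is the normal answer to an unsupported request, so it is not a finding."""
    findings: Dict[str, List[Request]] = {TIMEOUT: [], REBOOT: []}
    for req in requests:
        outcome = send(setup_packet(req))
        if outcome in findings:
            findings[outcome].append(req)
    return findings


class MockDevice:
    """Constructed device model (not a real bootrom).  Answers GET_DESCRIPTOR,
    stalls everything else, and has one planted bug: vendor request (0xC0, 0x42)
    copies wLength bytes into a 0x200-byte buffer, so a larger wLength corrupts
    memory and the device resets.  Request numbers and buffer size are made up."""
    BUGGY_REQUEST = (0xC0, 0x42)
    BUFFER_SIZE = 0x200

    def __init__(self) -> None:
        self.resets = 0

    def send(self, pkt: bytes) -> str:
        bm, br, _wv, _wi, wl = parse_setup(pkt)
        if (bm, br) == (0x80, 0x06):          # standard IN GET_DESCRIPTOR
            return OK
        if (bm, br) == self.BUGGY_REQUEST:
            if wl > self.BUFFER_SIZE:
                self.resets += 1
                return REBOOT
            return OK
        return STALL


if __name__ == "__main__":
    dev = MockDevice()
    found = fuzz(dev.send, control_request_space())
    for bm, br, _, _, wl in found[REBOOT]:
        print("reboot on bmRequestType=%02x bRequest=%02x wLength=%#x" % (bm, br, wl))
```

Against real hardware the interesting part is the bookkeeping the mock hides: after a reboot the device re-enumerates, so the harness has to re-open it and resume from the next request, and a TIMEOUT on a request that normally answers instantly is as much a lead as a reboot. The `data_stage_packets` helper is the packet-size side of the story: which bytes land in which packet, and whether a zero-length packet follows, is decided by `max_packet` and `wLength`, which is the kind of control the post credits as the key to the exploit.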
  2. TREYisRAD

    TREYisRAD Member

    Joined:
    Jun 25, 2008
    Messages:
    729
    Likes Received:
    0
    Device:
    4G iPod touch
    Nice find, the page was blank yesterday. FP'd
  3. metaldood

    metaldood New Member

    Joined:
    Mar 12, 2010
    Messages:
    595
    Likes Received:
    0
    Device:
    3G iPod touch
    That's really brilliant. I wonder why Apple is not hiring them

    .... jk
  4. link07

    link07 Active Member

    Joined:
    Jun 15, 2010
    Messages:
    1,612
    Likes Received:
    3
    Device:
    4G iPod touch
    I wonder, does that mean they gave up on the exploit and didn't tell anyone?
  5. Lux2GS

    Lux2GS Well-Known Member

    Joined:
    Jul 1, 2010
    Messages:
    3,678
    Likes Received:
    138
    Device:
    iPhone 4S (Black)
    And again another brilliant conspiracy theory by Mr. Link07 - No, the development of SHAtter didn't stop at that point, else there wouldn't have been a video of musclenerd and his JB iPt4 - See? Common Sense.
  6. TREYisRAD

    TREYisRAD Member

    Joined:
    Jun 25, 2008
    Messages:
    729
    Likes Received:
    0
    Device:
    4G iPod touch
    Not at all, it means that the exploit is finished*, and they're ready to release the information on it. They still have a lot to fill in.

    *I'm assuming, based on recent rumors.
  7. link07

    link07 Active Member

    Joined:
    Jun 15, 2010
    Messages:
    1,612
    Likes Received:
    3
    Device:
    4G iPod touch
    just asking

    anyway I hope it is ready

    I need one for my ipod touch 4g!!
  8. Stromos

    Stromos Active Member

    Joined:
    Sep 23, 2008
    Messages:
    463
    Likes Received:
    114
    Device:
    iPhone 6
    Going by the way the exploit was presented when news first broke of it I believe that what happened was they did give up in July and began working on other things. Going back to the first announcements on Twitter I would say pod2g had the eureka moment right when 4.1 came out finding that missing piece they were looking for back then.

    EDIT: Going to rack my brain a bit to back when I was in my ITS security classes so correct me if I'm wrong with any terminology. To be more specific if you look at the dates in July the vulnerability itself was found. A vulnerability alone doesn't do anything you have to develop a means to exploit the vulnerability. It wasn't until September that pod2g found the exploit that took advantage of the vulnerability. The exploit is SHAtter.
  9. CarlosTheJackl

    CarlosTheJackl Member

    Joined:
    Oct 11, 2009
    Messages:
    497
    Likes Received:
    14
    props for the excellent post/thread.
    Most interesting front page news in a while.
  10. je1230

    je1230 Member

    Joined:
    Jun 19, 2010
    Messages:
    356
    Likes Received:
    0

    This pleases me

    Off topic: wish greenphlem happy birthday today! And don't forget to get him some #pie!