Apple's Predicament: NSPredicate Exploits on iOS and macOS

Apple's Predicament: Uncovering iOS and macOS Vulnerabilities Through NSPredicate Exploits

Key takeaways
  • NSPredicates are powerful and can be used to achieve dynamic code execution, sidestepping ASLR and code-signing restrictions.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to bypass security features such as PAC and ASLR, allowing for arbitrary code execution.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a virtual machine, allowing for arbitrary code execution and persistence.
  • Apple’s attempts to restrict NSPredicates have been limited to setting a single flag, which can be easily bypassed.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.