Apple's Predicament: NSPredicate Exploits on iOS and macOS

Security

Apple's Predicament: Uncovering iOS and macOS Vulnerabilities Through NSPredicate Exploits

Key takeaways
  • NSPredicates are powerful and can be used to create dynamic code execution, sidestepping ASLR and code signing restrictions.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to bypass security features such as PAC and ASLR, allowing for arbitrary code execution.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a virtual machine, allowing for arbitrary code execution and persistence.
  • Apple’s attempts to restrict NSPredicates have been limited to setting a single flag, which can be easily bypassed.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns

More talks

Sequoia PGP: A not quite new implementation of OpenPGP

Dora Militaru - Zen and the art of edge authentication

The Young Generation in Tech - How Are They Embracing AI and What Do They Value?

SAINTCON 2023 - Ian Briley - Getting the Most Out of Your Web Application Pentest

Shifting from Syntax to Secure Software Development Processes • Laura Bell Main • YOW! 2023

The Digital Self, Community, Society and Beyond - Ahad Shams, JS GameDev Summit 2022

Edmondo Orlotti | Supporting the AI Journey through 2030 | Rise of AI Conference 2022

Lessons From Billions of Breached Records • Troy Hunt • GOTO 2022