Apple's Predicament: NSPredicate Exploits on iOS and macOS

Security

Apple's Predicament: Uncovering iOS and macOS Vulnerabilities Through NSPredicate Exploits

Key takeaways
  • NSPredicates are powerful and can be used to create dynamic code execution, sidestepping ASLR and code signing restrictions.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to bypass security features such as PAC and ASLR, allowing for arbitrary code execution.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a virtual machine, allowing for arbitrary code execution and persistence.
  • Apple’s attempts to restrict NSPredicates have been limited to setting a single flag, which can be easily bypassed.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting all expression types to 0, allowing for untrusted predicates to be evaluated.
  • NSPredicates can be used to create a fake object in memory that, when deallocated, evaluates an array of objects.
  • The NSInvocation class was also included in the forbidden classes list, but can still be used to call methods on a remote object.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns them to an object.
  • The NSPredicate visitor can be bypassed by setting the internal release type to 3 before calling setDebugPredicate.
  • NSPredicates can be used to create a predicate that calls NSLog on iOS 16.3.
  • Apple’s attempts to restrict NSPredicates have been largely unsuccessful, with many techniques remaining exploitable.
  • NSPredicates can be used to create a script that makes two variables, standard and evil, and assigns

More talks

Highly Scalable Image Storage with AWS Serverless • Vadym Kazulkin & Firdaws Aboulaye • GOTO 2024

Shield your backend from outside attacks with API Managers by Bárbara Teruggi

Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater

Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites

Better Privacy Through Offense: How To Build a Privacy Red Team

Interoperabilität: Was uns die Dinge sagen wollen, wenn sie anfangen, miteinander zu reden

Introducing Code Assist: Build Applications Faster with AI by Marc Gueury, John Karasoulos

The State of Server Side Java Webapps by Maarten Mulders