Today I remembered about a iOS bug I had in
containermanagerd, and I tought to check if it still was present in
iOS 10 beta.
containermanagerd is a privileged daemon on iOS that manages application containers and stuff.
XPC is a OS X/iOS IPC higher level mechanism compared to mach messages or MIG…
You may want to also check some research on
XPC, such as
Pangu presentations, and
Ian Beer Project Zero bugs, PoCs and presentation.
If you want to follow along, you can also do it thanks to the “Apple leak” on
iOS 10, where they forgot to encrypt a bunch of stuff in the
ipsw of several models, including the
root filesystem (so you can get the
containermanagerd binary and drop it in
IDA Pro) and
As you can imagine since I’m writing this post, the bug has been fixed in
The post will be fairly short, just dropping the trigger
The bug is fairly simple, we control a index used with an “array of commands”, in which a command is a string and a function pointer (huh?), so we can make the program grab a “command” from a wrong location, possibly executing arbitrary code.
If you want to see more details about the bug, just drop a unpatched version of
containermanagerd in IDA.
The red box is the new added check in iOS 10 on the array index, which comes from the input with
xpc_dictionary_get_uint64 with “Command” key (wrongly shown in IDA decompilation).
Later after this index is used to access the array I mentioned.
This is how the code looks like in iOS 9.2
- All input that comes via IPC should be treated as untrusted.