Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime

About us
Tao Huang
- Senior researcher at Pangu Lab
- Focusing on iOS/macOS vulnerability discovery
Tielei Wang
- PhD, co-founder of Team Pangu, organizer of MOSEC
- Leading iOS/macOS security research at Pangu Lab
- Regularly presents research at BlackHat, POC, etc.

Motivation
- Messaging apps are becoming a hot security research target
- Google Project Zero released a series of blog posts about fuzzing messaging apps, including WhatsApp and FaceTime
- We decided to take a look at FaceTime

This talk will cover
- Code execution flows while making a FaceTime call
- Attack surfaces and vulnerabilities along with the code execution flows

This talk will NOT cover
- FaceTime protocol families (e.g., SIP, STUN, RTP/SRTP, etc.)
- Stream encryption, decryption, and storage
https:/

Outline of the talk
- Reverse-engineering FaceTime
- Attack surface and vulnerabilities analysis
- Conclusion

FaceTime
(screenshot of the FaceTime call list UI)
FaceTime is not a single application

FaceTime.app
- FaceTime.app provides the basic UI framework

callservicesd
- Manages the call status of FaceTime
- Responds to UI-triggered events
- Communication bridge between avconferenced and identityservicesd

avconferenced (macOS) / mediaserverd (iOS)
- Produce and handle FaceTime video/audio streams

We can consider that FaceTime consists of these three major components: FaceTime.app, callservicesd, and avconferenced (macOS) / mediaserverd (iOS)

FaceTime