SlideShare a Scribd company logo

SyScan 2015 - iOS 678 Security - A Study in Fail

Stefan Esser
Stefan Esser

Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.

Technology
1 of 76
Download to read offline
iOS 678 Security
 —== A Study in Fail ==— Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • invested in PHP security from 2001 to 20xx • since 2010 focused on iPhone security (ASLR/jailbreak) • founder of SektionEins GmbH 2
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Lots of Fail, but this talk is not about … • Apple releasing an iOS 8.0.1 update that would kill cell service on iPhone 6/6p • Apple adding unsecured double linked lists as meta-data to the iOS 7 kernel heap that made kernel heap exploitation easy (safe unlink in iOS 8) • Apple “improving” their iOS 7 early random number generator so that Tarjei Mandt would totally rip it apart and calculate all past and future numbers • Apple having a double “goto fail” in their SSL for iOS 6 - iOS 7.0.5 that broke it completely • … so yes I am skipping a lot of fail but what I cover is already too much for 45 minutes 3
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So what is it about? this talk is about iOS jailbreaks and Apple fixing the bugs within 4
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fixing Bugs … 5
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  BUT APPLE SECURITY AIN’T NO JEDI 6 BUT APPLE SECURITY AIN’T NO JEDI
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So actually … this talk is about iOS jailbreaks and Apple not fixing the bugs within 7
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Before we start … what are the ingredients of an iOS jailbreak? 8
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ingredients Initial Injection Vector Persistency 9
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Not talking about that Initial Injection Vector but apparently Apple had to issue several updates to fix those bugs, too 10
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Concentrating on Jailbreak Persistency 11
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (I) • why concentrate on persistency? • attack surface for injection is just extremely = huge no chance of win • injection vectors for iOS can be easily exchanged • USB, mobile safari, malicious apps • some injections would require more powerful kernel bugs than public jailbreaks, but those do exist and are traded in the underground 12
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (II) • attack surface for jailbreak persistency is in comparison extremely small • could be made even smaller and smaller if Apple would do it right • i just want the public to pressure Apple into changing • PUBLIC PERSISTENCE EXPLOITS CAN BE EASILY REUSED IN STATE SPONSORED ATTACKS = LOT CHEAPER + NOT WASTE BUGS 13
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI trickery 14
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI Trickery • whole story starts with the exploit chain evad3rs “invented” for iOS 6 • for signature verification • kernel asks AMFI driver • AMFI driver asks AMFID user space daemon • AMFID uses libmis.dylib • Attack: 
 inject a malicious library into AMFID that makes libmis.dylib return “true” 15
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Injecting a malicious dylib AMFI attack • injecting malicious dylib / replacing libmis.dylib not as easy at it sounds • need to trick dynamic linker into attempting to do it • need to trick dynamic linker into accepting a not signed library • Idea: 
 use launch daemon config + DYLD_INSERT_LIBRARIES for first part
 use incomplete codesigning bypass for second part 16
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Putting the full chain together 17
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying” to fix evasi0n • launchd.conf no longer loaded • __restrict in AMFID stops DYLD_INSERT_LIBRARIES • apply patch to fix incomplete code signing bypass (patient ALPHA) • fix kernel info leak and memory corruption 18
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks • patch of incomplete code signing trick (patient ALPHA) required new incomplete code signing trick ➡ evad3rs unnecessarily burned a new vulnerability some gave to them • __restrict in AMFID required new way to replace/inject library ➡ just use dyld feature enable-dylibs-to-override-cache
 (makes dyld load a replacement library instead of original one) 19
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks (II) • removal of launchd.conf required trick to inject launch daemons beside launch daemon codesigning • just use previous two also load a malicious xpcd_cache.dylib • kernel bugs required to be replaced • they just used some new bugs (because there are plenty) 20
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  New chain for evasi0n 7 21
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple fixing evasi0n7 *LESS AGGRESSIVE* • new incomplete codesigning bypass trick fixed • kernel bugs are fixed • rest of chain is left completely untouched 22
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu7 Jailbreak • Pangu realised that original bug Patient ALPHA was fixed incorrectly • used new kernel bugs 23 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu7 • they try to fix their broken fix for the codesigning • kernel bugs are claimed fixed • rest of chain is still completely untouched 24 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu8 Jailbreak • Pangu realised that fix for fix for Patient ALPHA is still incorrect • also their kernel bugs were apparently not patched correctly 25 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu8 • they try to fix their broken fix for the broken fix for the codesigning • kernel bugs are claimed fixed again • rest of chain is still completely untouched 26 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  TaiG Jailbreak • Pangu TaiG realised that fix for fix for fix for Patient ALPHA is still incorrect • used other kernel bugs 27 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache 28
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • a flag file in /System/Library/Caches/com.apple.dyld • when present libraries on disk will be loaded instead of a cached copy • used by jailbreaks to trick dyld into loading • malicious libmis.dylib into AMFID • malicious list of launchd daemons xpcd_cache.dylib into launchctl 29
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • see how enable-dylibs-to-override-cache is in center of everything? • without this element the whole chain would have been destroyed 30
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • first abused in iOS 7.0 jailbreak by evad3rs (December 2013) • without it the whole exploit chains of all jailbreaks since then would have fallen apart • after 14 months still unfixed • from a strategic standpoint it is unbelievable that Apple did not fix this • by not fixing this for 14 months Apple made persistence on device easier • fixing this bug would have made iOS far more secure than the 
 security by obscurity patches that Apple implemented to stop
 the root filesystem from being writable or the team identifier hack 31
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Patient Alpha (incomplete codesigning) 32
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Incomplete Codesigning • simplified: • if a page is not executable a missing code sig is not a problem • if a page is executable there must be a code sig on first access • prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to exploit dyld via various meta-data structures • around the end of iOS 4 Apple added checks to dyld to enforce load commands are in an executable segment • therefore while header parsing (first access) code sig is required 33
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach-o dynamic library loading • mach-o dynamic libraries loaded by dyld • load commands describe i.a. layout of segments in memory • virtual address and 
 virtual size of segments • file position and 
 file size of segment 34
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ohhh really? • actually it is not that simple • mach-o header is first loaded into stack • initial LC parse is performed to collect info • this info is used to map the file into memory • segments are touched to enforce code sig • another LC parse is performed to make dyld use the mach-o header from paged memory • more and more parsing 35
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs come along • and then the evad3rs came along • for evasi0n (iOS 6) they used a 
 TOCTOU trick to bypass the checks • attack logic between sniffLoadCommands and crashIfInvalidCodesignature • just trick mapSegments 36
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mapSegments • mapSegments uses mmap() • mmap allows to override previous mappings • just have two mappings at same virtual address • 1st contains LC and is R+X • 2nd contains fake LC and is R / RW • therefore at time of later access to page it will not require a code signature 37
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s first fix • Apple added a detection for 
 overlapping segments • code tests LC segment against all others so that it does not get overlapped by other segment • test uses virtual address and virtual size 38
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s first fix • the security check by Apple did not account for integer wraps • a segment with vmaddr at end of address space and wrapping around is not detected as overlapping • in reality the mapping is not wrapping around the address space due to being slid for ASLR 39
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s second fix • Apple added a detection for LC segment wrapping around • such a setup will be detected and disallowed 40
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s second fix • the integer wrap check was only done on the 
 LC segment • just doing the same trick again but letting the other segment wrap around would still do the trick • what was Apple thinking? 41
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s third fix • Apple added a detection for other segments wrapping around • such a setup will now also be detected and disallowed 42
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s third fix • all these battles by Apple security with Chinese jailbreakers were for nothing • the security checks by Apple all did detect overlaps by checking vmaddr + vmsize • however mapSegments never used vmsize • mapping into memory uses filesize • filesize could be a lot larger than vmsize • overlapping would never be detected 43
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s fourth fix • Apple now detects when filesize is bigger than vmsize • such segments are now forbidden • they now added a number of other checks that also killed another bypass by accident (will be disclosed in my blog) • it took Apple only 2 years to realise this ;-) 44 • DISCLAIMER: I am absolutely NOT claiming that this is the end
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject 45
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject • debugging Mach API call • returns kobject associated with a mach port • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: leaked addresses very useful for exploitation 46 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = kaddr; else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 1 47
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 6.0 • Apple added kernel address obfuscation • random 32 / 64 bit secret vm_kernel_addrperm • added to all returned addresses • should stop leakage of valid kernel pointers 48 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_ADDRPERM(VM_KERNEL_UNSLIDE(kaddr)); else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Weakness of ADD Obfuscation • all returned addresses are obfuscated with the same secret summand • ADDR + SECRET = OBFUSCATED_ADDR • a single pair of ADDR and its OBFUSCATED_ADDR break the security • if SECRET is known all obfuscated addresses can be easily decrypted 49
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: 
 we know realhost’s address and can break obfuscation 50 we know plain address of this variable therefore we can break obfuscation
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 2 51
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.0 • Apple now detects pointers inside kernel and does not obfuscate • stops attack via e.g. host ports 52 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_UNSLIDE_OR_PERM(kaddr); else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • master ports: the value of kobject is 1 • SECURITY PROBLEM:
 Obfuscation secret is mach_port_kobject(master)-1 53
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fun Fact • master port attack was taught to Pangu in SektionEins’ iOS training • Pangu used it in their jailbreak in June 2014 • This means this attack was used in public 3 MONTHS before iOS 8.0 release* • TaiG reused this trick in November 2014 for their jailbreak 54 * this means when fix 2 was released to public this was already known to be insufficient
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 3 55
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.1.3 • Apple released iOS 8.1.3 at end of January • they fixed the problem the Apple’s wayTM • they just removed the function altogether • removing the function took them ONLY 7 MONTHS • This bug was assigned CVE-2014-4496 and Apple wrongly credits TaiG for it 56
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request 57
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() • Mach API call • allows applications to request information about kernel modules • active operations are locked down (load, unload, start, stop, …) • passive operations partially working from even within the sandbox • Apple fixed it to unslide load addresses to protect against KASLR leaks 58
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info • of special interest is a sub request called • Get Loaded Kext Info • returns a serialised dictionary with information about all loaded Kext • information contained includes the mach-o headers • Apple even modifies those headers to protect KASLR 59
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info 60 mach_msg_type_number_t reqlen, resplen = 0, loglen = 0; char *request, *response = NULL, *log = NULL; kern_return_t kr; request = "<dict><key>Kext Request Predicate</key><string>Get Loaded Kext Info</string></dict>"; reqlen = strlen(request) + 1; kext_request(mach_host_self(), 0, request, reqlen, &response, &resplen, &log, &loglen, &kr);
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - iPhone 6plus / iOS 8.0.2 61 <dict ID="0"><key>__kernel__</key><dict ID="1"><key>OSBundleMachOHeaders</key><data ID="2">z/rt/gwAAAEAAAAAAgAAAA 8AAABACwAAAQAgAAAAAAAZAAAAOAEAAF9fVEVYVAAAAAAAAAAAAAAAIAACgP///wAgSAAAAAAAAAAAAAAAAAAAIEgAAAAAAAUAAAAFA AAAAwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAAAwAAKA////rCJCAAAAAAAAEAAADAAAAAAAAAAAAAAAAAQAgAAAAAA AAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwFJCAoD///9oYAIAAAAAAMAyQgAFAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAX19jc3RyaW5nAAAAAAAAAF9fVEVYVAAAAAAAAAAAAAAos0QCgP///2h +AwAAAAAAKJNEAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAyAIAAF9fREFUQQAAAAAAAAAAAAAAQEgCgP/// wBACwAAAAAAACBIAAAAAAAAwAQAAAAAAAMAAAADAAAACAAAAAAAAABfX21vZF9pbml0X2Z1bmMAX19EQVRBAAAAAAAAAAAAAABASAKA//// CAIAAAAAAAAAIEgAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAF9fbW9kX3Rlcm1fZnVuYwBfX0RBVEEAAAAAAAAAAAAACEJIAoD/// 8AAgAAAAAAAAgiSAADAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAAAAX19jb25zdAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAQREgCgP/// yCWAQAAAAAAECRIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2RhdGEAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAASgKA//// aNICAAAAAAAA4EkADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc2ZpX2NsYXNzX3JlZwBfX0RBVEEAAAAAAAAAAAAAaNJMAoD/// 8AAgAAAAAAAGiyTAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19zeXNjdGxfc2V0AAAAAF9fREFUQQAAAAAAAAAAAABo1EwCgP/// 3AcAAAAAAAAaLRMAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2JzcwAAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAATQKA//// kF8GAAAAAAAAAAAADAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAF9fY29tbW9uAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAAGBTAoD/// 8YEQAAAAAAAAAAAAAMAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAACgCAABfX0tMRAAAAAAAAAAAAAAAAIBTAoD/// 8AIAAAAAAAAADwTAAAAAAAACAAAAAAAAADAAAAAwAAAAYAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9fS0xEAAAAAAAAAAAAAAAAgFMCgP/// 1ASAAAAAAAAAPBMAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19LTEQAAAAAAAAAAAAAAFCSUwKA//// CAcAAAAAAABQAk0AAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAAWJlTAoD/// 9oAAAAAAAAAFgJTQADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fS0xEAAAAAAAAAAAAAADAmVMCgP/// wgAAAAAAAAAwAlNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX21vZF90ZXJtX2Z1bmMAX19LTEQAAAAAAAAAAAAAAMiZUwKA//// CAAAAAAAAADICU0AAwAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAF9fYnNzAAAAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAA0JlTAoD/// 8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX0xBU1QAAAAAAAAAAAAAAKBTAoD/// 8AEAAAAAAAAAAQTQAAAAAAABAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fTEFTVAAAAAAAAAAAAAAAoFMCgP/// wgAAAAAAAAAABBNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX2xhc3QAAAAAAAAAAAAAX19MQVNUAAAAAAAAAAAAAAig8xKA//// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX1RFWFQAAAAwWQKA//// AJDTAAAAAAAAoFIAAAAAAACQ0wAAAAAAAwAAAAMAAAABAAAAAAAAAF9fdGV4dAAAAAAAAAAAAABfX1BSRUxJTktfVEVYVAAAADBZAoD/// 8AkNMAAAAAAACgUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX1BSRUxJTktfU1RBVEUAALDzEoD/// 8AAAAAAAAAAAAgTQAAAAAAAAAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19rZXJuZWwAAAAAAAAAAF9fUFJFTElOS19TVEFURQAAsPMSgP/// wAAAAAAAAAAACBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2tleHRzAAAAAAAAAAAAX19QUkVMSU5LX1NUQVRFAACw8xKA//// AAAAAAAAAAAAIE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX0lORk8AAADAzBOA//// AFAIAAAAAAAAMCYBAAAAAPhPCAAAAAAAAwAAAAMAAAABAAAAAAAAAF9faW5mbwAAAAAAAAAAAABfX1BSRUxJTktfSU5GTwAAAMDME4D//// 4TwgAAAAAAAAwJgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAALDzEoD/// 94eQUAAAAAAAAgTQAAAAAAeHkFAAAAAAABAAAAAQAAAAAAAAAAAAAAAgAAABgAAADwnU8AnhAAANCnUACo8QEACwAAAFAAAAAAAAAAAAAAAAAAAACeEAAAn hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBNAPVHAAAbAAAAGAAAAPke8gf2KzpJlbujQoICCjclAAAAEAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWIANAoD///8AAAAAAAAAACYAAAAQAAAAqF9PAEg+AAA= </data><key>OSBundleCPUType</key><integer size="32" ID="3">0x100000c</integer><key>OSBundleCPUSubtype</key><integer size="32" ID="4">0x0</ integer><key>CFBundleIdentifier</key><string ID="5">__kernel__</string><key>CFBundleVersion</key><string ID="6">14.0.0</string><key>OSBundleUUID</key><data ID="7">+R7yB/YrOkmVu6NCggIKNw==</data><key>OSKernelResource</ key><true/><key>OSBundleIsInterface</key><false/><key>OSBundlePrelinked</key><false/><key>OSBundleStarted</key><true/ ><key>OSBundleLoadTag</key><integer size="32" ID="8">0x0</integer><key>OSBundleLoadAddress</key><integer size="64" ID="9">0xffffff8002002000</integer><key>OSBundleLoadSize</key>
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() vs. Mark Dowd • so in October 2012 Mark Dowd disclosed that Apple forgot to unslide addresses in mach-o section defintion • Apple released a fix in iOS 6.0.1 • so KASLR was easy to defeat in iOS 6.0 • at this point everyone was auditing this function 62 I was informed by Mark Dowd that disclosure of bug was actually done by Tarjei Mandt. So I am sorry for crediting it to the wrong person :)
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  However … • however there were ADDITIONAL bugs • macro Apple used did only unslide main kernel and pre-loaded kernel extensions • but there are parts in the kernelcache that were in between and therefore not unslid • leaks KASLR slide once again => KASLR broken 63 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple Releases a Fix • end of January 2015 Apple releases iOS 8.1.3 to fix this • fixed it the Apple way: they remove the OSBundleMachOHeaders altogether • but they lie about it in the release announcement (claim it was fixed/not removed) • took them only more than 2 years to realize this 2nd vulnerability • and only 7 months from it being publicly used in a jailbreak • people in training saw this within 10 min when checking out fix for Dowd’s 2012 bug 64 Tarjei Mandt's
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing 65
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • Of course all of these bugs also apply to OS X • so no surprise that Apple fixed kext_request() in OS X 10.10.2 • but for 10.10.2 they keep the OSBundleMachOHeaders and try to do it correctly 66
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • at this point it might not surprise the audience anymore • kext_request KASLR info leak is still not fully fixed in Mac OS X 10.10.2 • the slide still leaks through the contained OSBundleMachOHeaders • reason is that they use < instead of <= in the code • therefore __LAST::__last (the last kernel symbol) is not unslid 67 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China 68
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China • there has been a change in guard • recent Jailbreaks are no longer developed by “Westeners” • now Chinese teams seem to rule the scene • but why? 69
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Western” Jailbreak developers • shared a lot of tools and techniques • now have to deal with exploit export control regulations • worked hard for nearly nothing (few donations) • while information security companies made millions of their work • on top of that had to deal with greedy JB community 70
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Chinese” Jailbreak developers • are paid by Chinese companies with app stores ( e.g. 1 Mio USD ) • use money to buy vulnerabilities / exploits ( from the west ) • use questionable methods like stolen enterprise certificates • use public & non public code ignoring software licenses / copyright 71 at the moment I have no permission to disclose identity of jailbreaker who wrote this if you can offer 100.000 USD for buying a vulnerability / exploit this means you must get a lot for the end product
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - and Apple • so far “Chinese” Jailbreakers • had a lucky time because of Apple security’s total lack of QA • have mostly relied on techniques invented by westerners • could reuse the same vulnerabilities over and over 72
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Community • so far “Chinese” Jailbreakers have • not released any code to advance the iOS research community • instead have heavily obfuscated their jailbreaks • intentionally removed patches to hinder work of other researchers • have destructive kernel patches that overwrite part of kernel binary • they are in it for the money and don’t want competition 73
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion 74
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion • looking at how Apple security fails over and over again shows they are not taking it seriously and have no QA on their security fixes AT ALL. • Basically Apple Security’s failed patches made the Chinese jb possible • IMHO the fact that media is celebrating Jailbreaks instead of taking them as what they are: exploits for vulnerabilities is partly the reason why Apple does not take fixing them seriously • media should stress the fact that every unfixed jailbreak makes it CHEAP for state sponsored attackers to spy on people • actually it has been shown that several iOS surveillance tools fully rely on release of public jailbreaks 75
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Questions ? 76

Recommended

Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Redis Developer Day TLV - Redis Stack & RedisInsight
Redis Developer Day TLV - Redis Stack & RedisInsightRedis Developer Day TLV - Redis Stack & RedisInsight
Redis Developer Day TLV - Redis Stack & RedisInsightGuy Korland
 
[教材] 例外處理設計與重構實作班201309
[教材] 例外處理設計與重構實作班201309[教材] 例外處理設計與重構實作班201309
[教材] 例外處理設計與重構實作班201309teddysoft
 
Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfnull - The Open Security Community
 
The Theory of Chains
The Theory of ChainsThe Theory of Chains
The Theory of ChainsScott Wlaschin
 
Designing with Capabilities
Designing with CapabilitiesDesigning with Capabilities
Designing with CapabilitiesScott Wlaschin
 
Intro to elixir and phoenix
Intro to elixir and phoenixIntro to elixir and phoenix
Intro to elixir and phoenixJared Smith
 

Recommended

Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Redis Developer Day TLV - Redis Stack & RedisInsight
Redis Developer Day TLV - Redis Stack & RedisInsightRedis Developer Day TLV - Redis Stack & RedisInsight
Redis Developer Day TLV - Redis Stack & RedisInsightGuy Korland
 
[教材] 例外處理設計與重構實作班201309
[教材] 例外處理設計與重構實作班201309[教材] 例外處理設計與重構實作班201309
[教材] 例外處理設計與重構實作班201309teddysoft
 
Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfnull - The Open Security Community
 
The Theory of Chains
The Theory of ChainsThe Theory of Chains
The Theory of ChainsScott Wlaschin
 
Designing with Capabilities
Designing with CapabilitiesDesigning with Capabilities
Designing with CapabilitiesScott Wlaschin
 
Intro to elixir and phoenix
Intro to elixir and phoenixIntro to elixir and phoenix
Intro to elixir and phoenixJared Smith
 
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfileWhat We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfileEd Burns
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Functional Reactive Programming with RxJS
Functional Reactive Programming with RxJSFunctional Reactive Programming with RxJS
Functional Reactive Programming with RxJSstefanmayer13
 
Reflections on Trusting Trust
Reflections on Trusting TrustReflections on Trusting Trust
Reflections on Trusting Trustyeokm1
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Applicative Functor
Applicative FunctorApplicative Functor
Applicative FunctorPhilip Schwarz
 
The Double Ratchet Algorithm
The Double Ratchet AlgorithmThe Double Ratchet Algorithm
The Double Ratchet AlgorithmIndian Institute of Information Technology, Lucknow
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Trees In The Database - Advanced data structures
Trees In The Database - Advanced data structuresTrees In The Database - Advanced data structures
Trees In The Database - Advanced data structuresLorenzo Alberton
 
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDSAccelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDSCeph Community
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileDaniel-Constantin Mierla
 
Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)YohichiShiina
 
C# to python
C# to pythonC# to python
C# to pythonTess Ferrandez
 
Monad Laws Must be Checked
Monad Laws Must be CheckedMonad Laws Must be Checked
Monad Laws Must be CheckedPhilip Schwarz
 
20090622 Velocity
20090622 Velocity20090622 Velocity
20090622 VelocityJeff Hammerbacher
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Kleptography
KleptographyKleptography
KleptographyErfan Mallick
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
 

More Related Content

What's hot

What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfileWhat We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfileEd Burns
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Functional Reactive Programming with RxJS
Functional Reactive Programming with RxJSFunctional Reactive Programming with RxJS
Functional Reactive Programming with RxJSstefanmayer13
 
Reflections on Trusting Trust
Reflections on Trusting TrustReflections on Trusting Trust
Reflections on Trusting Trustyeokm1
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Trees In The Database - Advanced data structures
Trees In The Database - Advanced data structuresTrees In The Database - Advanced data structures
Trees In The Database - Advanced data structuresLorenzo Alberton
 
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDSAccelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDSCeph Community
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileDaniel-Constantin Mierla
 
Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)YohichiShiina
 
Monad Laws Must be Checked
Monad Laws Must be CheckedMonad Laws Must be Checked
Monad Laws Must be CheckedPhilip Schwarz
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 

What's hot (20)

What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfileWhat We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
What We Learned from Porting PiggyMetrics from Spring Boot to MicroProfile
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Functional Reactive Programming with RxJS
Functional Reactive Programming with RxJSFunctional Reactive Programming with RxJS
Functional Reactive Programming with RxJS
 
Reflections on Trusting Trust
Reflections on Trusting TrustReflections on Trusting Trust
Reflections on Trusting Trust
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Applicative Functor
Applicative FunctorApplicative Functor
Applicative Functor
 
The Double Ratchet Algorithm
The Double Ratchet AlgorithmThe Double Ratchet Algorithm
The Double Ratchet Algorithm
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network Analysis
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
Trees In The Database - Advanced data structures
Trees In The Database - Advanced data structuresTrees In The Database - Advanced data structures
Trees In The Database - Advanced data structures
 
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDSAccelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
Accelerating Cassandra Workloads on Ceph with All-Flash PCIE SSDS
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration File
 
Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)Free cad 0.19.2 and cfdof (Japanese Ver.)
Free cad 0.19.2 and cfdof (Japanese Ver.)
 
C# to python
C# to pythonC# to python
C# to python
 
Monad Laws Must be Checked
Monad Laws Must be CheckedMonad Laws Must be Checked
Monad Laws Must be Checked
 
20090622 Velocity
20090622 Velocity20090622 Velocity
20090622 Velocity
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Kleptography
KleptographyKleptography
Kleptography
 

Viewers also liked

CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
 
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickSyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
 
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunStefan Esser
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 

Viewers also liked (6)

CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickSyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
 
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator FunWhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
WhiskeyCon 2017 - 5 Minutes of MacOS/iOS Zone Allocator Fun
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 

Similar to SyScan 2015 - iOS 678 Security - A Study in Fail

iOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days lateriOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days laterWang Hao Lee
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernelSeguridad Apple
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatEric Monti
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
iOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore PordenoneiOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore PordenoneKlaus Lanzarini
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxdeepikakumari643428
 
Webhooks with Azure Functions - Live 360 Conference
Webhooks with Azure Functions - Live 360 ConferenceWebhooks with Azure Functions - Live 360 Conference
Webhooks with Azure Functions - Live 360 ConferenceSparkPost
 

Similar to SyScan 2015 - iOS 678 Security - A Study in Fail (20)

iOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days lateriOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days later
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry Forensics
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
iOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore PordenoneiOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore Pordenone
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
Webhooks with Azure Functions - Live 360 Conference
Webhooks with Azure Functions - Live 360 ConferenceWebhooks with Azure Functions - Live 360 Conference
Webhooks with Azure Functions - Live 360 Conference
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

SyScan 2015 - iOS 678 Security - A Study in Fail

  • 1. iOS 678 Security
 —== A Study in Fail ==— Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
  • 2. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • invested in PHP security from 2001 to 20xx • since 2010 focused on iPhone security (ASLR/jailbreak) • founder of SektionEins GmbH 2
  • 3. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Lots of Fail, but this talk is not about … • Apple releasing an iOS 8.0.1 update that would kill cell service on iPhone 6/6p • Apple adding unsecured double linked lists as meta-data to the iOS 7 kernel heap that made kernel heap exploitation easy (safe unlink in iOS 8) • Apple “improving” their iOS 7 early random number generator so that Tarjei Mandt would totally rip it apart and calculate all past and future numbers • Apple having a double “goto fail” in their SSL for iOS 6 - iOS 7.0.5 that broke it completely • … so yes I am skipping a lot of fail but what I cover is already too much for 45 minutes 3
  • 4. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So what is it about? this talk is about iOS jailbreaks and Apple fixing the bugs within 4
  • 5. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fixing Bugs … 5
  • 6. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  BUT APPLE SECURITY AIN’T NO JEDI 6 BUT APPLE SECURITY AIN’T NO JEDI
  • 7. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So actually … this talk is about iOS jailbreaks and Apple not fixing the bugs within 7
  • 8. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Before we start … what are the ingredients of an iOS jailbreak? 8
  • 9. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ingredients Initial Injection Vector Persistency 9
  • 10. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Not talking about that Initial Injection Vector but apparently Apple had to issue several updates to fix those bugs, too 10
  • 11. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Concentrating on Jailbreak Persistency 11
  • 12. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (I) • why concentrate on persistency? • attack surface for injection is just extremely = huge no chance of win • injection vectors for iOS can be easily exchanged • USB, mobile safari, malicious apps • some injections would require more powerful kernel bugs than public jailbreaks, but those do exist and are traded in the underground 12
  • 13. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (II) • attack surface for jailbreak persistency is in comparison extremely small • could be made even smaller and smaller if Apple would do it right • i just want the public to pressure Apple into changing • PUBLIC PERSISTENCE EXPLOITS CAN BE EASILY REUSED IN STATE SPONSORED ATTACKS = LOT CHEAPER + NOT WASTE BUGS 13
  • 14. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI trickery 14
  • 15. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI Trickery • whole story starts with the exploit chain evad3rs “invented” for iOS 6 • for signature verification • kernel asks AMFI driver • AMFI driver asks AMFID user space daemon • AMFID uses libmis.dylib • Attack: 
 inject a malicious library into AMFID that makes libmis.dylib return “true” 15
  • 16. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Injecting a malicious dylib AMFI attack • injecting malicious dylib / replacing libmis.dylib not as easy at it sounds • need to trick dynamic linker into attempting to do it • need to trick dynamic linker into accepting a not signed library • Idea: 
 use launch daemon config + DYLD_INSERT_LIBRARIES for first part
 use incomplete codesigning bypass for second part 16
  • 17. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Putting the full chain together 17
  • 18. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying” to fix evasi0n • launchd.conf no longer loaded • __restrict in AMFID stops DYLD_INSERT_LIBRARIES • apply patch to fix incomplete code signing bypass (patient ALPHA) • fix kernel info leak and memory corruption 18
  • 19. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks • patch of incomplete code signing trick (patient ALPHA) required new incomplete code signing trick ➡ evad3rs unnecessarily burned a new vulnerability some gave to them • __restrict in AMFID required new way to replace/inject library ➡ just use dyld feature enable-dylibs-to-override-cache
 (makes dyld load a replacement library instead of original one) 19
  • 20. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks (II) • removal of launchd.conf required trick to inject launch daemons beside launch daemon codesigning • just use previous two also load a malicious xpcd_cache.dylib • kernel bugs required to be replaced • they just used some new bugs (because there are plenty) 20
  • 21. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  New chain for evasi0n 7 21
  • 22. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple fixing evasi0n7 *LESS AGGRESSIVE* • new incomplete codesigning bypass trick fixed • kernel bugs are fixed • rest of chain is left completely untouched 22
  • 23. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu7 Jailbreak • Pangu realised that original bug Patient ALPHA was fixed incorrectly • used new kernel bugs 23 DejaVu
  • 24. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu7 • they try to fix their broken fix for the codesigning • kernel bugs are claimed fixed • rest of chain is still completely untouched 24 DejaVu
  • 25. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu8 Jailbreak • Pangu realised that fix for fix for Patient ALPHA is still incorrect • also their kernel bugs were apparently not patched correctly 25 DejaVu
  • 26. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu8 • they try to fix their broken fix for the broken fix for the codesigning • kernel bugs are claimed fixed again • rest of chain is still completely untouched 26 DejaVu
  • 27. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  TaiG Jailbreak • Pangu TaiG realised that fix for fix for fix for Patient ALPHA is still incorrect • used other kernel bugs 27 DejaVu
  • 28. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache 28
  • 29. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • a flag file in /System/Library/Caches/com.apple.dyld • when present libraries on disk will be loaded instead of a cached copy • used by jailbreaks to trick dyld into loading • malicious libmis.dylib into AMFID • malicious list of launchd daemons xpcd_cache.dylib into launchctl 29
  • 30. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • see how enable-dylibs-to-override-cache is in center of everything? • without this element the whole chain would have been destroyed 30
  • 31. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • first abused in iOS 7.0 jailbreak by evad3rs (December 2013) • without it the whole exploit chains of all jailbreaks since then would have fallen apart • after 14 months still unfixed • from a strategic standpoint it is unbelievable that Apple did not fix this • by not fixing this for 14 months Apple made persistence on device easier • fixing this bug would have made iOS far more secure than the 
 security by obscurity patches that Apple implemented to stop
 the root filesystem from being writable or the team identifier hack 31
  • 32. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Patient Alpha (incomplete codesigning) 32
  • 33. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Incomplete Codesigning • simplified: • if a page is not executable a missing code sig is not a problem • if a page is executable there must be a code sig on first access • prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to exploit dyld via various meta-data structures • around the end of iOS 4 Apple added checks to dyld to enforce load commands are in an executable segment • therefore while header parsing (first access) code sig is required 33
  • 34. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach-o dynamic library loading • mach-o dynamic libraries loaded by dyld • load commands describe i.a. layout of segments in memory • virtual address and 
 virtual size of segments • file position and 
 file size of segment 34
  • 35. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ohhh really? • actually it is not that simple • mach-o header is first loaded into stack • initial LC parse is performed to collect info • this info is used to map the file into memory • segments are touched to enforce code sig • another LC parse is performed to make dyld use the mach-o header from paged memory • more and more parsing 35
  • 36. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs come along • and then the evad3rs came along • for evasi0n (iOS 6) they used a 
 TOCTOU trick to bypass the checks • attack logic between sniffLoadCommands and crashIfInvalidCodesignature • just trick mapSegments 36
  • 37. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mapSegments • mapSegments uses mmap() • mmap allows to override previous mappings • just have two mappings at same virtual address • 1st contains LC and is R+X • 2nd contains fake LC and is R / RW • therefore at time of later access to page it will not require a code signature 37
  • 38. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s first fix • Apple added a detection for 
 overlapping segments • code tests LC segment against all others so that it does not get overlapped by other segment • test uses virtual address and virtual size 38
  • 39. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s first fix • the security check by Apple did not account for integer wraps • a segment with vmaddr at end of address space and wrapping around is not detected as overlapping • in reality the mapping is not wrapping around the address space due to being slid for ASLR 39
  • 40. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s second fix • Apple added a detection for LC segment wrapping around • such a setup will be detected and disallowed 40
  • 41. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s second fix • the integer wrap check was only done on the 
 LC segment • just doing the same trick again but letting the other segment wrap around would still do the trick • what was Apple thinking? 41
  • 42. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s third fix • Apple added a detection for other segments wrapping around • such a setup will now also be detected and disallowed 42
  • 43. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s third fix • all these battles by Apple security with Chinese jailbreakers were for nothing • the security checks by Apple all did detect overlaps by checking vmaddr + vmsize • however mapSegments never used vmsize • mapping into memory uses filesize • filesize could be a lot larger than vmsize • overlapping would never be detected 43
  • 44. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s fourth fix • Apple now detects when filesize is bigger than vmsize • such segments are now forbidden • they now added a number of other checks that also killed another bypass by accident (will be disclosed in my blog) • it took Apple only 2 years to realise this ;-) 44 • DISCLAIMER: I am absolutely NOT claiming that this is the end
  • 45. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject 45
  • 46. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject • debugging Mach API call • returns kobject associated with a mach port • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: leaked addresses very useful for exploitation 46 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = kaddr; else *addrp = 0;
  • 47. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 1 47
  • 48. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 6.0 • Apple added kernel address obfuscation • random 32 / 64 bit secret vm_kernel_addrperm • added to all returned addresses • should stop leakage of valid kernel pointers 48 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_ADDRPERM(VM_KERNEL_UNSLIDE(kaddr)); else *addrp = 0;
  • 49. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Weakness of ADD Obfuscation • all returned addresses are obfuscated with the same secret summand • ADDR + SECRET = OBFUSCATED_ADDR • a single pair of ADDR and its OBFUSCATED_ADDR break the security • if SECRET is known all obfuscated addresses can be easily decrypted 49
  • 50. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: 
 we know realhost’s address and can break obfuscation 50 we know plain address of this variable therefore we can break obfuscation
  • 51. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 2 51
  • 52. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.0 • Apple now detects pointers inside kernel and does not obfuscate • stops attack via e.g. host ports 52 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_UNSLIDE_OR_PERM(kaddr); else *addrp = 0;
  • 53. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • master ports: the value of kobject is 1 • SECURITY PROBLEM:
 Obfuscation secret is mach_port_kobject(master)-1 53
  • 54. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fun Fact • master port attack was taught to Pangu in SektionEins’ iOS training • Pangu used it in their jailbreak in June 2014 • This means this attack was used in public 3 MONTHS before iOS 8.0 release* • TaiG reused this trick in November 2014 for their jailbreak 54 * this means when fix 2 was released to public this was already known to be insufficient
  • 55. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 3 55
  • 56. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.1.3 • Apple released iOS 8.1.3 at end of January • they fixed the problem the Apple’s wayTM • they just removed the function altogether • removing the function took them ONLY 7 MONTHS • This bug was assigned CVE-2014-4496 and Apple wrongly credits TaiG for it 56
  • 57. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request 57
  • 58. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() • Mach API call • allows applications to request information about kernel modules • active operations are locked down (load, unload, start, stop, …) • passive operations partially working from even within the sandbox • Apple fixed it to unslide load addresses to protect against KASLR leaks 58
  • 59. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info • of special interest is a sub request called • Get Loaded Kext Info • returns a serialised dictionary with information about all loaded Kext • information contained includes the mach-o headers • Apple even modifies those headers to protect KASLR 59
  • 60. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info 60 mach_msg_type_number_t reqlen, resplen = 0, loglen = 0; char *request, *response = NULL, *log = NULL; kern_return_t kr; request = "<dict><key>Kext Request Predicate</key><string>Get Loaded Kext Info</string></dict>"; reqlen = strlen(request) + 1; kext_request(mach_host_self(), 0, request, reqlen, &response, &resplen, &log, &loglen, &kr);
  • 61. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - iPhone 6plus / iOS 8.0.2 61 <dict ID="0"><key>__kernel__</key><dict ID="1"><key>OSBundleMachOHeaders</key><data ID="2">z/rt/gwAAAEAAAAAAgAAAA 8AAABACwAAAQAgAAAAAAAZAAAAOAEAAF9fVEVYVAAAAAAAAAAAAAAAIAACgP///wAgSAAAAAAAAAAAAAAAAAAAIEgAAAAAAAUAAAAFA AAAAwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAAAwAAKA////rCJCAAAAAAAAEAAADAAAAAAAAAAAAAAAAAQAgAAAAAA AAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwFJCAoD///9oYAIAAAAAAMAyQgAFAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAX19jc3RyaW5nAAAAAAAAAF9fVEVYVAAAAAAAAAAAAAAos0QCgP///2h +AwAAAAAAKJNEAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAyAIAAF9fREFUQQAAAAAAAAAAAAAAQEgCgP/// wBACwAAAAAAACBIAAAAAAAAwAQAAAAAAAMAAAADAAAACAAAAAAAAABfX21vZF9pbml0X2Z1bmMAX19EQVRBAAAAAAAAAAAAAABASAKA//// CAIAAAAAAAAAIEgAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAF9fbW9kX3Rlcm1fZnVuYwBfX0RBVEEAAAAAAAAAAAAACEJIAoD/// 8AAgAAAAAAAAgiSAADAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAAAAX19jb25zdAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAQREgCgP/// yCWAQAAAAAAECRIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2RhdGEAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAASgKA//// aNICAAAAAAAA4EkADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc2ZpX2NsYXNzX3JlZwBfX0RBVEEAAAAAAAAAAAAAaNJMAoD/// 8AAgAAAAAAAGiyTAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19zeXNjdGxfc2V0AAAAAF9fREFUQQAAAAAAAAAAAABo1EwCgP/// 3AcAAAAAAAAaLRMAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2JzcwAAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAATQKA//// kF8GAAAAAAAAAAAADAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAF9fY29tbW9uAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAAGBTAoD/// 8YEQAAAAAAAAAAAAAMAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAACgCAABfX0tMRAAAAAAAAAAAAAAAAIBTAoD/// 8AIAAAAAAAAADwTAAAAAAAACAAAAAAAAADAAAAAwAAAAYAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9fS0xEAAAAAAAAAAAAAAAAgFMCgP/// 1ASAAAAAAAAAPBMAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19LTEQAAAAAAAAAAAAAAFCSUwKA//// CAcAAAAAAABQAk0AAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAAWJlTAoD/// 9oAAAAAAAAAFgJTQADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fS0xEAAAAAAAAAAAAAADAmVMCgP/// wgAAAAAAAAAwAlNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX21vZF90ZXJtX2Z1bmMAX19LTEQAAAAAAAAAAAAAAMiZUwKA//// CAAAAAAAAADICU0AAwAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAF9fYnNzAAAAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAA0JlTAoD/// 8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX0xBU1QAAAAAAAAAAAAAAKBTAoD/// 8AEAAAAAAAAAAQTQAAAAAAABAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fTEFTVAAAAAAAAAAAAAAAoFMCgP/// wgAAAAAAAAAABBNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX2xhc3QAAAAAAAAAAAAAX19MQVNUAAAAAAAAAAAAAAig8xKA//// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX1RFWFQAAAAwWQKA//// AJDTAAAAAAAAoFIAAAAAAACQ0wAAAAAAAwAAAAMAAAABAAAAAAAAAF9fdGV4dAAAAAAAAAAAAABfX1BSRUxJTktfVEVYVAAAADBZAoD/// 8AkNMAAAAAAACgUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX1BSRUxJTktfU1RBVEUAALDzEoD/// 8AAAAAAAAAAAAgTQAAAAAAAAAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19rZXJuZWwAAAAAAAAAAF9fUFJFTElOS19TVEFURQAAsPMSgP/// wAAAAAAAAAAACBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2tleHRzAAAAAAAAAAAAX19QUkVMSU5LX1NUQVRFAACw8xKA//// AAAAAAAAAAAAIE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX0lORk8AAADAzBOA//// AFAIAAAAAAAAMCYBAAAAAPhPCAAAAAAAAwAAAAMAAAABAAAAAAAAAF9faW5mbwAAAAAAAAAAAABfX1BSRUxJTktfSU5GTwAAAMDME4D//// 4TwgAAAAAAAAwJgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAALDzEoD/// 94eQUAAAAAAAAgTQAAAAAAeHkFAAAAAAABAAAAAQAAAAAAAAAAAAAAAgAAABgAAADwnU8AnhAAANCnUACo8QEACwAAAFAAAAAAAAAAAAAAAAAAAACeEAAAn hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBNAPVHAAAbAAAAGAAAAPke8gf2KzpJlbujQoICCjclAAAAEAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWIANAoD///8AAAAAAAAAACYAAAAQAAAAqF9PAEg+AAA= </data><key>OSBundleCPUType</key><integer size="32" ID="3">0x100000c</integer><key>OSBundleCPUSubtype</key><integer size="32" ID="4">0x0</ integer><key>CFBundleIdentifier</key><string ID="5">__kernel__</string><key>CFBundleVersion</key><string ID="6">14.0.0</string><key>OSBundleUUID</key><data ID="7">+R7yB/YrOkmVu6NCggIKNw==</data><key>OSKernelResource</ key><true/><key>OSBundleIsInterface</key><false/><key>OSBundlePrelinked</key><false/><key>OSBundleStarted</key><true/ ><key>OSBundleLoadTag</key><integer size="32" ID="8">0x0</integer><key>OSBundleLoadAddress</key><integer size="64" ID="9">0xffffff8002002000</integer><key>OSBundleLoadSize</key>
  • 62. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() vs. Mark Dowd • so in October 2012 Mark Dowd disclosed that Apple forgot to unslide addresses in mach-o section defintion • Apple released a fix in iOS 6.0.1 • so KASLR was easy to defeat in iOS 6.0 • at this point everyone was auditing this function 62 I was informed by Mark Dowd that disclosure of bug was actually done by Tarjei Mandt. So I am sorry for crediting it to the wrong person :)
  • 63. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  However … • however there were ADDITIONAL bugs • macro Apple used did only unslide main kernel and pre-loaded kernel extensions • but there are parts in the kernelcache that were in between and therefore not unslid • leaks KASLR slide once again => KASLR broken 63 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
  • 64. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple Releases a Fix • end of January 2015 Apple releases iOS 8.1.3 to fix this • fixed it the Apple way: they remove the OSBundleMachOHeaders altogether • but they lie about it in the release announcement (claim it was fixed/not removed) • took them only more than 2 years to realize this 2nd vulnerability • and only 7 months from it being publicly used in a jailbreak • people in training saw this within 10 min when checking out fix for Dowd’s 2012 bug 64 Tarjei Mandt's
  • 65. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing 65
  • 66. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • Of course all of these bugs also apply to OS X • so no surprise that Apple fixed kext_request() in OS X 10.10.2 • but for 10.10.2 they keep the OSBundleMachOHeaders and try to do it correctly 66
  • 67. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • at this point it might not surprise the audience anymore • kext_request KASLR info leak is still not fully fixed in Mac OS X 10.10.2 • the slide still leaks through the contained OSBundleMachOHeaders • reason is that they use < instead of <= in the code • therefore __LAST::__last (the last kernel symbol) is not unslid 67 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
  • 68. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China 68
  • 69. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China • there has been a change in guard • recent Jailbreaks are no longer developed by “Westeners” • now Chinese teams seem to rule the scene • but why? 69
  • 70. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Western” Jailbreak developers • shared a lot of tools and techniques • now have to deal with exploit export control regulations • worked hard for nearly nothing (few donations) • while information security companies made millions of their work • on top of that had to deal with greedy JB community 70
  • 71. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Chinese” Jailbreak developers • are paid by Chinese companies with app stores ( e.g. 1 Mio USD ) • use money to buy vulnerabilities / exploits ( from the west ) • use questionable methods like stolen enterprise certificates • use public & non public code ignoring software licenses / copyright 71 at the moment I have no permission to disclose identity of jailbreaker who wrote this if you can offer 100.000 USD for buying a vulnerability / exploit this means you must get a lot for the end product
  • 72. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - and Apple • so far “Chinese” Jailbreakers • had a lucky time because of Apple security’s total lack of QA • have mostly relied on techniques invented by westerners • could reuse the same vulnerabilities over and over 72
  • 73. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Community • so far “Chinese” Jailbreakers have • not released any code to advance the iOS research community • instead have heavily obfuscated their jailbreaks • intentionally removed patches to hinder work of other researchers • have destructive kernel patches that overwrite part of kernel binary • they are in it for the money and don’t want competition 73
  • 74. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion 74
  • 75. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion • looking at how Apple security fails over and over again shows they are not taking it seriously and have no QA on their security fixes AT ALL. • Basically Apple Security’s failed patches made the Chinese jb possible • IMHO the fact that media is celebrating Jailbreaks instead of taking them as what they are: exploits for vulnerabilities is partly the reason why Apple does not take fixing them seriously • media should stress the fact that every unfixed jailbreak makes it CHEAP for state sponsored attackers to spy on people • actually it has been shown that several iOS surveillance tools fully rely on release of public jailbreaks 75
  • 76. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Questions ? 76