SlideShare a Scribd company logo

iOS 6 Exploitation 280 days later

Wang Hao Lee
Wang Hao Lee

How hard has iOS exploitation just got?

TechnologyBusiness
1 of 64
Download to read offline
iOS 6 Exploitation 280 Days Later CanSecWest Vancouver Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • initially did a lot of low level security • from 2001 to 2010 focused on PHP / web app security • since mid-2010 focused on iPhone security (ASLR, kernel exploitation) • Head of Research and Development at SektionEins GmbH 2
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  What is this talk about? • iOS 6 is the new major version of iOS with tons of new security features • new kernel security mitigations already discussed by Mark Dowd/Tarjei Mandt • but iOS 6.x has other not yet mentioned new security features • and some kernel features require commentary • basically an update to my CSW 2012 talk • 280 days later because it was about 280 days later when I submitted to Dragos 3
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part I iOS Security Timeline 2012-2013 4
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  CanSecWest 2012 - iOS 5 An Exploitation Nightmare? • reasons why iOS 5 jailbreak took so long • history of some iOS security features • history of iOS security bugfixes • getting kernel debugger running on new devices • abusing BPF as kernel weird machine 5 March 2012 URL: http://cansecwest.com/csw12/ CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS Hacker‘s Handbook • Charlie Miller - Dionysius Blazakis - Dino Dai Zovi • Stefan Esser - Vincenzo Iozzo - Ralf-Philipp Weinmann • covers iOS 4 to iOS 5 • iOS Security Basics, iOS in the Enterprise • Encryption, Code Signing and Memory Protection • Sandboxing, Fuzzing iOS Applications • Exploitation, Return-Oriented-Programming • Kernel-Debugging and Exploitation, Jailbreaking, Baseband Attacks 6 April 2012 URL: http://ca.wiley.com/WileyCDA/WileyTitle/ productCd-1118204123.html
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  SyScan 2012 - iOS Kernel Heap Armageddon • different iOS kernel heap wrappers • feasibility of cross zone / memory manager attacks • attacking IOKit application data / object vtables instead of heap meta data • using OSUnserializeXML() for generic kernel level heap feng shui • talk updated for BlackHat USA & XCon 2012 7 April 2012 URL 1: http://reverse.put.as/wp-content/uploads/2011/06/ SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf URL 2: http://media.blackhat.com/bh-us-12/Briefings/Esser/ BH_US_12_Esser_iOS_Kernel_Heap_Armageddon_WP.pdf
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FinFisher Mobile - The Smartphone Who Loved Me • by CitizenLab • analysis of FinFisher for mobile devices • samples caught in the wild • iOS sample compiled for developer phones • media wrongly assumed developer cert lets you write spy applications 8 August 2012 URL: https://citizenlab.org/2012/08/the-smartphone-who-loved-me- finfisher-goes-mobile/
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FinSpy Moile: iOS and Apple UDID Leak • by Alex Radocea^Crowdstrike • deep analysis of FinFisher for iOS • revealed that there was no iOS priv escape 0-day in FinFisher iOS - just empty placeholder • instead seems to heavily rely on being jailbroken with a public jailbreak prior to installation 9 September 2012 URL: http://www.crowdstrike.com/blog/finspy-mobile-ios-and-apple- udid-leak/index.html
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6 Released and J/“F“ailbroken on Day 1 • by Musclenerd • iOS 6 on pre-A5 already tethered jailbroken on day one • by CHPWN • iOS 6 on iPhone 5 already failbroken on day one • failbroken means Cydia runs but no kernel payload 10 September 2012 URL: https://twitter.com/chpwn/status/249249908094296064
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  HITB2012 - iOS 6 Kernel Security • by Mark Dowd and Tarjei Mandt • deep analysis of new iOS 6 kernel exploit mitigations • contained a 0-day kernel info leak vulnerability • and the vm_map_copy exploitation technique heavily used by latest iOS 6 jailbreak 11 October 2012 URL: http://conference.hackinthebox.org/hitbsecconf2012kul/ materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20- %20iOS6%20Security.pdf Video: http://www.youtube.com/watch?v=O-WZinEoki4
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  POC2012 - Find your own iOS kernel bug • by Xu Hao and Chen Xiaobo • analysis of previous IOKit vulnerability • about fuzzing iOKit for vulnerabilities • later repeated at SyScan360 in December 12 November 2012 URL: http://syscan.org/index.php/download/get/ 328bf4b37e6ae8b799472ff230465339/ XuHao_Chen_Xiaobo_Find_your_own_iOS_kernel_bug.zip
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Hackulo.us / Installous shutdown • announcement that Hackulo.us shut down • also took down Installous the notorious application used by iOS application pirates on jailbroken iPhones • celebrated by media, jailbreak developers and iOS app developers around the world 13 December 2012 URL: http://thanks-god-not-anymo.re
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  kuaiyong, Zeusmos, 25pp, ... • after installous is dead more and more iOS piracy solutions that do not require jailbreak • solutions reportedly based on account sharing and/or some undisclosed exploit • still active ?!? 14 January 2013 URL 1: http://m.csoonline.com/article/725183/now-pirated-ios- apps-can-be-installed-without-jailbreak URL 2: http://no.you.dont.get.the.url.you.want Research Assistant: Marc Rogers
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Community Milking and iOS 6 JB Release • by evad3rs • website with donation button and multiple banner ads • told people repeatedly for about a week to check website for status updates • about one week later release of iOS 6.0/6.1 jailbreak • so far the most expensive jailbreak in terms of crowdfunding 15 February 2013 URL: http://www.evasi0n.com/
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  evasi0n Jailbreak‘s Userland Components • by Braden Thomas^AccuvantLabs • analysis of userland components of evasi0n jailbreak • covers most of the userland bugs exploited by evasi0n 16 February 2013 URL: http://blog.accuvantlabs.com/blog/bthomas/evasi0n- jailbreaks-userland-component
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Dissecting the “evasi0n“ Kernel Exploit • by Tarjei Mandt^Azimuth • analysis of kernel components of evasi0n jailbreak • shows how evasi0n is based on techniques discussed in the iOS 6 kernel security talk by azimuth 17 February 2013 URL: http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc- dissecting-evasi0n.html
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part II iOS 6 Kernel Security “Improvements“ 18
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  KASLR • iOS 6 introduces KASLR - kernel address space layout randomization • only 256 possible load addresses • each 2 MB apart • starting at 0x81200000 ending at 0xA1000000 19
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  KASLR: But why 2 MB Aligned? • 2 MB alignment of KASLR seems arbitrary • why not smaller alignment? • big alignment is less secure • right now: • leak any address in __DATA and you know the kernel‘s base address (address - 0x200000) & 0xFFE00000 • leak any address from first 2 MB of kernel __TEXT and know the kernel‘s base address address & 0xFFE00000 20
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Address Space Hardening • kernel __TEXT no longer writable ➡ to stop kernel code hotpatching • kernel heap no longer executable ➡ to stop just executing kernel data • kernel address space is separated from user space processes ➡ to stop return into user space code and offset from NULL-deref attacks 21
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Stack Cookies • iOS 6 added stack cookies to protect from kernel stack buffer overflows • implementation is rather unusual • stack cookie on top of stack • bottom of local stack contains ptr to the value it is compared against • second byte of stack cookie is forced to 0x00 22
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Stack Cookie Verification 23 • stack cookie verification in function epilog • verification against cookie pointed to • fact that stack_cookie_ptr and stack_cookie are both on stack is a weakness • wrong cookie value will lead to a kernel panic without message
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies • iOS 4 and iOS 5 kernel heap exploitation has always attacked the free list • in iOS 6 Apple introduced heap protection cookies to protect free list • distinguishes between small poisoned and larger non-poisoned blocks • two different security cookies are used for this ➡ stops attacks against the free list as used before in public jailbreaks 24
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies (larger blocks) • for larger blocks the memory content is kept but end is trashed with cookie • secret cookie has lowest bit cleared • if data of freed block leaks this leaks • a kernel heap address: 0x87b46500 • the secret cookie: 0x6b7769c8 ^ 0x87b46500 = 0xECC30CC8 25 87b46480: 00 65 b4 87 00 00 00 00 00 00 00 00 00 00 00 00 .e.............. 87b46490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464f0: 00 00 00 00 00 00 00 00 00 00 00 00 c8 69 77 6b .............iwk next_pointer next_pointer^non_poisoned_cookie
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies (small blocks) • for small blocks the memory content is overwritten with 0xdeadbeef • secret cookie has lowest bit set • if data of freed block leaks this leaks • a kernel heap address: 0x92f1c740 • the secret cookie: 0x7ec1387b ^ 0x92f1c740 = 0xEC30FF3B 26 92f1c700: 40 c7 f1 92 ef be ad de ef be ad de ef be ad de @............... 92f1c710: ef be ad de ef be ad de ef be ad de ef be ad de ................ 92f1c720: ef be ad de ef be ad de ef be ad de ef be ad de ................ 92f1c730: ef be ad de ef be ad de ef be ad de 7b 38 c1 7e ............{8.~ next_pointer next_pointer^poisoned_cookie
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies after allocation • on allocation free list pointer and cookie are overwritten with 0xdeadbeef • most probably as defense in depth against information leaks 27 9072b000: ef be ad de 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b010: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b020: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b030: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b040: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b050: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b060: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b070: 00 00 00 ff 00 00 00 ff 00 00 00 ff ef be ad de ................
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Hardening • previously mach_zone_info() and host_zone_info() leaked internal state • both functions now require debugging kernel boot arguments • previously OSUnserializeXML() allowed fine control over kernel heap • Apple fixed some bugs in it and put some arbitrary limits on it • only exact methods described at BlackHat / SyScan were killed • other ways to abuse this function for kernel heap feng shui still working 28
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Death to Kernel Info Leaks • two fold strategy to fight kernel info leaks • fix information leak vulnerabilities • obfuscate kernel addresses returned to user land • example of fixed information leaks • BPF stack data info leak • kern.proc leak fixed • kern.file info leak fixed 29
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Address Obfuscation • lots of kernel API return kernel addresses to user land processes e.g. mach_port_kobject(), mach_port_space_info(), vm_region_recurse(), vm_map_region_recurse(), vm_map_page_info(), proc_info(), fstat(), sysctl() • protected by adding a random 32 bit cookie (lowest bit set) 30
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Image Address Obfuscation • some API might even return addresses inside the kernel image • these addresses are additionally unslid to protect against KASLR leaks 31
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Readonly Syscall Table • previous jailbreaks used partial syscall table overwrites • Apple moved syscall table into section __DATA::__const • section is made read only at runtime • controlled by kernel boot argument dataconstro • stops syscall table corruption ... 32
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Just replace Syscall Table completely? • kernel linking changes in iOS 6 introduced lots of indirect accesses • syscall table is no longer accessed directly (also true for lots of other stuff) • instead pointer to syscall table is used from __nl_symbol_ptr section • and guess what - this section is writable 33
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part III iOS 6 Misc Hardening 34
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  BPF not so weird anymore... • at CSW 2012 BPF was mentioned as weird machine inside the kernel • in iOS 6.x it is still a machine but not so weird anymore • Apple added sanity checks inside the function • access to slack memory is now checked for bounds 35
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  mobile_house_arrest - Readonly Code Directory • lockdown service for reading / writing into app directories • since iOS 6 application‘s code directory is no longer writable • previously it was possible to replace arbitrary application resources 36
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part IV User Space ASLR (Address Space Layout Randomization) 37
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  ASLR in iOS 4.3-6.x • randomly slides • main binary • dyld (dynamic linker) • dynamic library cache 38
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Position Independent Executables in 2012 • all system binaries were compiled as PIE • most 3rd party apps were not compiled as PIE 39 $ python ipapiescan.py Adobe Reader - armv7 - PIE - N/A Bluefire Reader - armv6|armv7 - NO_PIE - 3.0 DiamondDash - armv7 - NO_PIE - 4.2 Ebook Reader - armv6|armv7 - NO_PIE - N/A eBookS Reader - armv6|armv7 - NO_PIE - N/A Facebook - armv6|armv7 - NO_PIE - 4.0 Fly With Me - armv6|armv7 - NO_PIE - 3.0 FPK Reader - armv6|armv7 - NO_PIE - 3.2 Hotels - armv6|armv7 - NO_PIE - 3.1 iBooks - armv6|armv7 - NO_PIE - 4.2 KakaoTalk - armv6|armv7 - NO_PIE - 3.1 Messenger - armv6|armv7 - NO_PIE - 4.0 PerfectReader Mini - armv6|armv7 - NO_PIE - N/A QR Reader - armv6|armv7 - NO_PIE - 4.0 QR Scanner - armv6|armv7 - NO_PIE - N/A QR-Scanner - armv7 - NO_PIE - 4.0 QRCode - armv6|armv7 - NO_PIE - N/A Quick Scan - armv6|armv7 - NO_PIE - 4.0 Skype - armv6|armv7 - NO_PIE - N/A Twitter - armv6|armv7 - NO_PIE - 4.0 vBookz PDF - armv7 - PIE - 4.3 VZ-Netzwerke - armv6 - NO_PIE - 3.0 Wallpapers - armv6|armv7 - NO_PIE - 4.1 WhatsApp - armv6|armv7 - NO_PIE - 3.1 Where is - armv6|armv7 - NO_PIE - 4.1 source code of old idapiescan.py is available at Github https://github.com/stefanesser/idapiescan
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-6.x: NO PIE main binary randomization • dynamic loader is not slid in iOS 4 for NO PIE main executables • since iOS 5 the dynamic loader is always slid • randomized by kernel in 256 positions 40 iOS 4.3 - 4.3.x - NO PIE main executable iOS 5.0 - 6.x - NO PIE main executable
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Position Independent Executables in 2013 • all system binaries are compiled as PIE • most 3rd party apps are now compiled as PIE • NO_PIE mostly unimportant apps • some high profile exceptions are: Skype, SkyDrive, Google Translate, ... 41 $ python ipapiescan.py Bluefire Reader - armv7(s) - PIE - 4.3 Calendar Pro - armv7(s) - PIE - 4.3 CalenMob - armv7(s) - PIE - 5.0 Chrome - armv7 - PIE - 4.3 CloudOn - armv7 - NO_PIE - 5.0 DiamondDash - armv7(s) - PIE - 4.3 Documents - armv7(s) - PIE - 4.3 Ebook Reader - armv7 - PIE - 4.3 eBookS Reader - armv6|armv7 - NO_PIE - N/A Facebook - armv7 - PIE - 4.3 G-Whizz! - armv6|armv7 - NO_PIE - 4.0 Gmail - armv7 - PIE - 5.0 Google - armv7 - PIE - 4.3 Google Drive - armv7 - PIE - 5.0 Google Earth - armv7 - PIE - 4.3 Google+ - armv7 - PIE - 5.0 iBooks - armv7 - PIE - 5.0 IM+ - armv7(s) - PIE - 4.3 Instagram - armv7 - PIE - 4.3 KakaoTalk - armv7(s) - PIE - 4.3 Latitude - armv6|armv7 - NO_PIE - N/A Local - armv6|armv7 - PIE - 4.3 Lync 2010 - armv7 - NO_PIE - 4.3 Messenger - armv7 - PIE - 4.3 MSN World - armv7(s) - PIE - 4.3 SkyDrive - armv6|armv7 - NO_PIE - 4.0 Skype - armv7 - NO_PIE - 4.3 SmartGlass - armv7 - PIE - 5.0 SSH Mobile Free - armv7(s) - PIE - 4.3 SystemTools - armv7(s) - PIE - 4.3 Translate - armv6|armv7 - NO_PIE - N/A Trillian - armv7 - PIE - 4.3 Twitter - armv7 - PIE - 5.0 Usessh - armv7(s) - PIE - 4.3
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-6.0: PIE main binary randomization • for PIE main executables the main binary and dyld are randomized • main binary and dyld are slid the same amount • randomized by kernel in 256 positions 42 iOS 4.3 - 6.0 - PIE main executable
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6.1: PIE main binary randomization • since iOS 6.1 the kernel finally generates two separate slides • randomness of both is still limited to 256 positions • knowing addresses in dyld / main no longer leaks address of other 43 iOS 4.3 - 6.0 - PIE main executable iOS 6.1 - PIE main executable
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-5.1.1: dyld_shared_cache randomization • data and code must slide together (due to codesigning) • hole after code - data usually loaded to 0x3E000000 • max slide determined by difference of end of shared area and end of data • around 4200 different positions 44 iOS 4.3 - 5.1.1 - maximum slide iOS 4.3 - 5.1.1 - no slide
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6.x: dyld_shared_cache randomization • code and data loaded right next to each other • no more hole - no more wasted space • max slide determined by size of shared area minus size of shared cache • about 21500 different positions for iPod 4G (new devices = more code = less random) 45 iOS 6.x - no slide iOS 6.x - maximum slide
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part V iOS 6 and the Partial Code-signing Vulnerability 46
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Partial Code-signing Vulnerability (iOS 4) • in iOS 4.x jailbreaks the method of choice to launch untether exploits • when a mach-o is loaded the kernel will load it as is • a possible signature will be registered • missing signature is okay until a not signed executable page is accessed • dyld was tricked with malformed mach-o data structures to execute code 47
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 4.3.4) • function does pre-handling of mach-o load commands • iOS 4.3.4 adds protection against partial code signing • mach-o load commands must be inside a segment • mach-o load commands can only be in R + X segment • mach-o load commands may not be partially in a segment ➡ effect is that once dyld maps the header R+X it can only continue to work on it if there is a valid signature 48
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Partial Code-signing Vuln (iOS 4.3.4-iOS 5.1.1) • protection in sniffLoadCommands could be bypassed • by having a RW- LC_SEGMENT64 for mach-o header • and a fake R-X LC_SEGMENT for mach-o header • disclosed at CanSecWest 2012 - here on stage • worked because kernel handles LC_SEGMENT64 and dyld did not • magic is that dyld will read mach-o header from from address in memory 49
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 6.0) • iOS 6.0 adds protection against CSW 2012 trick to sniffLoadCommands • if a LC_SEGMENT64 load command is found an exception is thrown ➡ CSW 2012 trick was already partially broken after iOS 5.1.1 • in iOS 5.1.1 AMFI verified existence of a code signing blob 50
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Load Command Segment Override (iOS 6.0-6.1.2) • bug used by evasi0n • kernel not directly involved in loading dynamic libraries only dyld is • dyld could be tricked with a malicious dylib • contains real R-X segment with load commands in it • contains second R-- segment that contains copy of load commands • virtual address of both segments is set to same position • later segment in mach-o will replace previous in memory • when dyld accesses header it is in RO memory = no sig needed = bypass 51
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 6.1.3 beta 2) • iOS 6.1.3 beta 2 adds additional protections to sniffLoadCommands • load commands must now be in one segment only • for dynamic libraries a second sniff pass is added • all segments must not intersect the R-X segment containing the load commands ➡ evasi0n untether killed 52
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part VI iOS 6.1 and Launch-Daemon-Code-Signing 53
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch Daemons to launch Untethers • in iOS 5.x jailbreaks were launched on boot via launch daemons • launch daemons are plists describing system services 54 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http:// www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>jb</string> <key>ProgramArguments</key> <array> <string>/usr/sbin/corona</string> <string>-f</string> <string>racoon-exploit.conf</string> </array> <key>WorkingDirectory</key> <string>/usr/share/corona/</string> <key>RunAtLoad</key> <true/> <key>LaunchOnlyOnce</key> <true/> <key>DisableAslr</key> <true/> </dict> </plist> DisableAslr was removed from iOS 5.1
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (I) 55 • abuse of launch daemons lead to new iOS 6.1 security feature • launch daemon loading is now code signed • implemented in /bin/launchctl • can be bypassed by setting kernel boot arguments (not possible without low-level exploit)
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (II) 56 • without launch-daemon-code-signing /bin/launchctl scans /System/Library/LaunchDaemons for defined launch daemons and loads them • with activated launch-daemon-code-signing a big plist with all defined launch daemons is loaded instead • launch daemon can only be loaded if it is defined in the plist and exists on disk
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (III) 57 • big launch daemon plist is loaded from /System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib • this dynamic library is within the dyld_shared_cache and therefore code signed • symbol __xpcd_cache must exist • but binary plist is take from sectiondata of __TEXT::__xpcd_cache
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  XPCD_CACHE.PLIST 58
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security 59 How secure Apple wanted Launch-Daemon-Code-Signing to be...
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security 60 How secure Launch-Daemon-Code-Signing is right now...
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security • code signing itself seems to stop loading arbitrary launch daemons • but Apple forgot / or ignored /etc/launchd.conf • /etc/launchd.conf defines commands launchctl executes on start • attacker can execute arbitrary existing commands 61 bsexec .. /sbin/mount -u -o rw,suid,dev / setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist bsexec .. /private/var/evasi0n/evasi0n unsetenv DYLD_INSERT_LIBRARIES bsexec .. /bin/rm -f /private/var/evasi0n/sock bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FAQ: Why not put old launchctl binary on device? Q: “If only the newest iOS 6.1 launchctl binary implements this code signing. Why not put an iOS 6.0 launchctl binary on the device to bypass this protection?“ A: “System binaries like launchctl do not come with a valid code signing signature from Apple. Instead they come only with the table of memory page hashes and entitlements. When the kernel loads such a binary it hashes these tables and checks if the hash is in a whitelist inside the kernel (a.k.a. trust cache). The old launchctl binary will not be accepted because it is not in the trust cache of the new kernel.“ 62
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Final Words • with iOS 6 Apple has tried to kill all public techniques • finally kills some stuff that was previously known and ignored for 10 years • the new mitigations make exploitation a lot harder • when launch daemon code signing is hardened a bit more, persisting on iDevices will become incredibly hard • however there are still weaknesses in most of the protections • ... and tons of kernel information leaks 63
Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Questions ? 64

Recommended

Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Gonzalo Parra
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Jail breaking
Jail breakingJail breaking
Jail breakingRokkam Reddy
 

Recommended

Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Gonzalo Parra
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Jail breaking
Jail breakingJail breaking
Jail breakingRokkam Reddy
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...hlittle
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Sebastián Guerrero Selma
 
Apple iOS
Apple iOSApple iOS
Apple iOSChetan Gowda
 
Android Security
Android SecurityAndroid Security
Android SecurityMehrnaz Amoon
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecDroidConTLV
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
iOS platform
iOS platformiOS platform
iOS platformmaya_slides
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Dconf2015 d2 t4
Dconf2015 d2 t4Dconf2015 d2 t4
Dconf2015 d2 t4Andrei Alexandrescu
 
Three Optimization Tips for C++
Three Optimization Tips for C++Three Optimization Tips for C++
Three Optimization Tips for C++Andrei Alexandrescu
 

More Related Content

What's hot

Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...hlittle
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecDroidConTLV
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 

What's hot (20)

Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.
 
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
 
Android system security
Android system securityAndroid system security
Android system security
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
 
Apple iOS
Apple iOSApple iOS
Apple iOS
 
Android Security
Android SecurityAndroid Security
Android Security
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSec
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
 
iOS platform
iOS platformiOS platform
iOS platform
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 

Viewers also liked

Deep C Programming
Deep C ProgrammingDeep C Programming
Deep C ProgrammingWang Hao Lee
 
C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)Olve Maudal
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by ExampleOlve Maudal
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)Olve Maudal
 
TDD in C - Recently Used List Kata
TDD in C - Recently Used List KataTDD in C - Recently Used List Kata
TDD in C - Recently Used List KataOlve Maudal
 

Viewers also liked (10)

Dconf2015 d2 t4
Dconf2015 d2 t4Dconf2015 d2 t4
Dconf2015 d2 t4
 
Three Optimization Tips for C++
Three Optimization Tips for C++Three Optimization Tips for C++
Three Optimization Tips for C++
 
Three Optimization Tips for C++
Three Optimization Tips for C++Three Optimization Tips for C++
Three Optimization Tips for C++
 
Deep C Programming
Deep C ProgrammingDeep C Programming
Deep C Programming
 
C++11
C++11C++11
C++11
 
C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by Example
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
 
TDD in C - Recently Used List Kata
TDD in C - Recently Used List KataTDD in C - Recently Used List Kata
TDD in C - Recently Used List Kata
 
Deep C
Deep CDeep C
Deep C
 

Similar to iOS 6 Exploitation 280 days later

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
 
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailSyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernelSeguridad Apple
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
CocoaHeads Toulouse - iOS TechTalk - Mélanie Bessagnet
CocoaHeads Toulouse - iOS TechTalk - Mélanie BessagnetCocoaHeads Toulouse - iOS TechTalk - Mélanie Bessagnet
CocoaHeads Toulouse - iOS TechTalk - Mélanie BessagnetCocoaHeads France
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
azure synapse analytics end-to-end solution-hands-on at 20200728
azure synapse analytics end-to-end solution-hands-on at 20200728azure synapse analytics end-to-end solution-hands-on at 20200728
azure synapse analytics end-to-end solution-hands-on at 20200728Daichi Isami
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
(130622) #fitalk i cloud keychain forensics
(130622) #fitalk i cloud keychain forensics(130622) #fitalk i cloud keychain forensics
(130622) #fitalk i cloud keychain forensicsINSIGHT FORENSIC
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Similar to iOS 6 Exploitation 280 days later (20)

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
 
SyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in FailSyScan 2015 - iOS 678 Security - A Study in Fail
SyScan 2015 - iOS 678 Security - A Study in Fail
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
CocoaHeads Toulouse - iOS TechTalk - Mélanie Bessagnet
CocoaHeads Toulouse - iOS TechTalk - Mélanie BessagnetCocoaHeads Toulouse - iOS TechTalk - Mélanie Bessagnet
CocoaHeads Toulouse - iOS TechTalk - Mélanie Bessagnet
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
azure synapse analytics end-to-end solution-hands-on at 20200728
azure synapse analytics end-to-end solution-hands-on at 20200728azure synapse analytics end-to-end solution-hands-on at 20200728
azure synapse analytics end-to-end solution-hands-on at 20200728
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
(130622) #fitalk i cloud keychain forensics
(130622) #fitalk i cloud keychain forensics(130622) #fitalk i cloud keychain forensics
(130622) #fitalk i cloud keychain forensics
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

Recently uploaded

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

iOS 6 Exploitation 280 days later

  • 1. iOS 6 Exploitation 280 Days Later CanSecWest Vancouver Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
  • 2. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • initially did a lot of low level security • from 2001 to 2010 focused on PHP / web app security • since mid-2010 focused on iPhone security (ASLR, kernel exploitation) • Head of Research and Development at SektionEins GmbH 2
  • 3. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  What is this talk about? • iOS 6 is the new major version of iOS with tons of new security features • new kernel security mitigations already discussed by Mark Dowd/Tarjei Mandt • but iOS 6.x has other not yet mentioned new security features • and some kernel features require commentary • basically an update to my CSW 2012 talk • 280 days later because it was about 280 days later when I submitted to Dragos 3
  • 4. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part I iOS Security Timeline 2012-2013 4
  • 5. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  CanSecWest 2012 - iOS 5 An Exploitation Nightmare? • reasons why iOS 5 jailbreak took so long • history of some iOS security features • history of iOS security bugfixes • getting kernel debugger running on new devices • abusing BPF as kernel weird machine 5 March 2012 URL: http://cansecwest.com/csw12/ CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf
  • 6. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS Hacker‘s Handbook • Charlie Miller - Dionysius Blazakis - Dino Dai Zovi • Stefan Esser - Vincenzo Iozzo - Ralf-Philipp Weinmann • covers iOS 4 to iOS 5 • iOS Security Basics, iOS in the Enterprise • Encryption, Code Signing and Memory Protection • Sandboxing, Fuzzing iOS Applications • Exploitation, Return-Oriented-Programming • Kernel-Debugging and Exploitation, Jailbreaking, Baseband Attacks 6 April 2012 URL: http://ca.wiley.com/WileyCDA/WileyTitle/ productCd-1118204123.html
  • 7. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  SyScan 2012 - iOS Kernel Heap Armageddon • different iOS kernel heap wrappers • feasibility of cross zone / memory manager attacks • attacking IOKit application data / object vtables instead of heap meta data • using OSUnserializeXML() for generic kernel level heap feng shui • talk updated for BlackHat USA & XCon 2012 7 April 2012 URL 1: http://reverse.put.as/wp-content/uploads/2011/06/ SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf URL 2: http://media.blackhat.com/bh-us-12/Briefings/Esser/ BH_US_12_Esser_iOS_Kernel_Heap_Armageddon_WP.pdf
  • 8. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FinFisher Mobile - The Smartphone Who Loved Me • by CitizenLab • analysis of FinFisher for mobile devices • samples caught in the wild • iOS sample compiled for developer phones • media wrongly assumed developer cert lets you write spy applications 8 August 2012 URL: https://citizenlab.org/2012/08/the-smartphone-who-loved-me- finfisher-goes-mobile/
  • 9. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FinSpy Moile: iOS and Apple UDID Leak • by Alex Radocea^Crowdstrike • deep analysis of FinFisher for iOS • revealed that there was no iOS priv escape 0-day in FinFisher iOS - just empty placeholder • instead seems to heavily rely on being jailbroken with a public jailbreak prior to installation 9 September 2012 URL: http://www.crowdstrike.com/blog/finspy-mobile-ios-and-apple- udid-leak/index.html
  • 10. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6 Released and J/“F“ailbroken on Day 1 • by Musclenerd • iOS 6 on pre-A5 already tethered jailbroken on day one • by CHPWN • iOS 6 on iPhone 5 already failbroken on day one • failbroken means Cydia runs but no kernel payload 10 September 2012 URL: https://twitter.com/chpwn/status/249249908094296064
  • 11. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  HITB2012 - iOS 6 Kernel Security • by Mark Dowd and Tarjei Mandt • deep analysis of new iOS 6 kernel exploit mitigations • contained a 0-day kernel info leak vulnerability • and the vm_map_copy exploitation technique heavily used by latest iOS 6 jailbreak 11 October 2012 URL: http://conference.hackinthebox.org/hitbsecconf2012kul/ materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20- %20iOS6%20Security.pdf Video: http://www.youtube.com/watch?v=O-WZinEoki4
  • 12. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  POC2012 - Find your own iOS kernel bug • by Xu Hao and Chen Xiaobo • analysis of previous IOKit vulnerability • about fuzzing iOKit for vulnerabilities • later repeated at SyScan360 in December 12 November 2012 URL: http://syscan.org/index.php/download/get/ 328bf4b37e6ae8b799472ff230465339/ XuHao_Chen_Xiaobo_Find_your_own_iOS_kernel_bug.zip
  • 13. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Hackulo.us / Installous shutdown • announcement that Hackulo.us shut down • also took down Installous the notorious application used by iOS application pirates on jailbroken iPhones • celebrated by media, jailbreak developers and iOS app developers around the world 13 December 2012 URL: http://thanks-god-not-anymo.re
  • 14. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  kuaiyong, Zeusmos, 25pp, ... • after installous is dead more and more iOS piracy solutions that do not require jailbreak • solutions reportedly based on account sharing and/or some undisclosed exploit • still active ?!? 14 January 2013 URL 1: http://m.csoonline.com/article/725183/now-pirated-ios- apps-can-be-installed-without-jailbreak URL 2: http://no.you.dont.get.the.url.you.want Research Assistant: Marc Rogers
  • 15. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Community Milking and iOS 6 JB Release • by evad3rs • website with donation button and multiple banner ads • told people repeatedly for about a week to check website for status updates • about one week later release of iOS 6.0/6.1 jailbreak • so far the most expensive jailbreak in terms of crowdfunding 15 February 2013 URL: http://www.evasi0n.com/
  • 16. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  evasi0n Jailbreak‘s Userland Components • by Braden Thomas^AccuvantLabs • analysis of userland components of evasi0n jailbreak • covers most of the userland bugs exploited by evasi0n 16 February 2013 URL: http://blog.accuvantlabs.com/blog/bthomas/evasi0n- jailbreaks-userland-component
  • 17. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Dissecting the “evasi0n“ Kernel Exploit • by Tarjei Mandt^Azimuth • analysis of kernel components of evasi0n jailbreak • shows how evasi0n is based on techniques discussed in the iOS 6 kernel security talk by azimuth 17 February 2013 URL: http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc- dissecting-evasi0n.html
  • 18. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part II iOS 6 Kernel Security “Improvements“ 18
  • 19. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  KASLR • iOS 6 introduces KASLR - kernel address space layout randomization • only 256 possible load addresses • each 2 MB apart • starting at 0x81200000 ending at 0xA1000000 19
  • 20. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  KASLR: But why 2 MB Aligned? • 2 MB alignment of KASLR seems arbitrary • why not smaller alignment? • big alignment is less secure • right now: • leak any address in __DATA and you know the kernel‘s base address (address - 0x200000) & 0xFFE00000 • leak any address from first 2 MB of kernel __TEXT and know the kernel‘s base address address & 0xFFE00000 20
  • 21. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Address Space Hardening • kernel __TEXT no longer writable ➡ to stop kernel code hotpatching • kernel heap no longer executable ➡ to stop just executing kernel data • kernel address space is separated from user space processes ➡ to stop return into user space code and offset from NULL-deref attacks 21
  • 22. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Stack Cookies • iOS 6 added stack cookies to protect from kernel stack buffer overflows • implementation is rather unusual • stack cookie on top of stack • bottom of local stack contains ptr to the value it is compared against • second byte of stack cookie is forced to 0x00 22
  • 23. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Stack Cookie Verification 23 • stack cookie verification in function epilog • verification against cookie pointed to • fact that stack_cookie_ptr and stack_cookie are both on stack is a weakness • wrong cookie value will lead to a kernel panic without message
  • 24. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies • iOS 4 and iOS 5 kernel heap exploitation has always attacked the free list • in iOS 6 Apple introduced heap protection cookies to protect free list • distinguishes between small poisoned and larger non-poisoned blocks • two different security cookies are used for this ➡ stops attacks against the free list as used before in public jailbreaks 24
  • 25. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies (larger blocks) • for larger blocks the memory content is kept but end is trashed with cookie • secret cookie has lowest bit cleared • if data of freed block leaks this leaks • a kernel heap address: 0x87b46500 • the secret cookie: 0x6b7769c8 ^ 0x87b46500 = 0xECC30CC8 25 87b46480: 00 65 b4 87 00 00 00 00 00 00 00 00 00 00 00 00 .e.............. 87b46490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 87b464f0: 00 00 00 00 00 00 00 00 00 00 00 00 c8 69 77 6b .............iwk next_pointer next_pointer^non_poisoned_cookie
  • 26. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies (small blocks) • for small blocks the memory content is overwritten with 0xdeadbeef • secret cookie has lowest bit set • if data of freed block leaks this leaks • a kernel heap address: 0x92f1c740 • the secret cookie: 0x7ec1387b ^ 0x92f1c740 = 0xEC30FF3B 26 92f1c700: 40 c7 f1 92 ef be ad de ef be ad de ef be ad de @............... 92f1c710: ef be ad de ef be ad de ef be ad de ef be ad de ................ 92f1c720: ef be ad de ef be ad de ef be ad de ef be ad de ................ 92f1c730: ef be ad de ef be ad de ef be ad de 7b 38 c1 7e ............{8.~ next_pointer next_pointer^poisoned_cookie
  • 27. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Cookies after allocation • on allocation free list pointer and cookie are overwritten with 0xdeadbeef • most probably as defense in depth against information leaks 27 9072b000: ef be ad de 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b010: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b020: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b030: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b040: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b050: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b060: 00 00 00 ff 00 00 00 ff 00 00 00 ff 00 00 00 ff ................ 9072b070: 00 00 00 ff 00 00 00 ff 00 00 00 ff ef be ad de ................
  • 28. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Heap Hardening • previously mach_zone_info() and host_zone_info() leaked internal state • both functions now require debugging kernel boot arguments • previously OSUnserializeXML() allowed fine control over kernel heap • Apple fixed some bugs in it and put some arbitrary limits on it • only exact methods described at BlackHat / SyScan were killed • other ways to abuse this function for kernel heap feng shui still working 28
  • 29. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Death to Kernel Info Leaks • two fold strategy to fight kernel info leaks • fix information leak vulnerabilities • obfuscate kernel addresses returned to user land • example of fixed information leaks • BPF stack data info leak • kern.proc leak fixed • kern.file info leak fixed 29
  • 30. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Address Obfuscation • lots of kernel API return kernel addresses to user land processes e.g. mach_port_kobject(), mach_port_space_info(), vm_region_recurse(), vm_map_region_recurse(), vm_map_page_info(), proc_info(), fstat(), sysctl() • protected by adding a random 32 bit cookie (lowest bit set) 30
  • 31. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Kernel Image Address Obfuscation • some API might even return addresses inside the kernel image • these addresses are additionally unslid to protect against KASLR leaks 31
  • 32. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Readonly Syscall Table • previous jailbreaks used partial syscall table overwrites • Apple moved syscall table into section __DATA::__const • section is made read only at runtime • controlled by kernel boot argument dataconstro • stops syscall table corruption ... 32
  • 33. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Just replace Syscall Table completely? • kernel linking changes in iOS 6 introduced lots of indirect accesses • syscall table is no longer accessed directly (also true for lots of other stuff) • instead pointer to syscall table is used from __nl_symbol_ptr section • and guess what - this section is writable 33
  • 34. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part III iOS 6 Misc Hardening 34
  • 35. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  BPF not so weird anymore... • at CSW 2012 BPF was mentioned as weird machine inside the kernel • in iOS 6.x it is still a machine but not so weird anymore • Apple added sanity checks inside the function • access to slack memory is now checked for bounds 35
  • 36. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  mobile_house_arrest - Readonly Code Directory • lockdown service for reading / writing into app directories • since iOS 6 application‘s code directory is no longer writable • previously it was possible to replace arbitrary application resources 36
  • 37. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part IV User Space ASLR (Address Space Layout Randomization) 37
  • 38. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  ASLR in iOS 4.3-6.x • randomly slides • main binary • dyld (dynamic linker) • dynamic library cache 38
  • 39. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Position Independent Executables in 2012 • all system binaries were compiled as PIE • most 3rd party apps were not compiled as PIE 39 $ python ipapiescan.py Adobe Reader - armv7 - PIE - N/A Bluefire Reader - armv6|armv7 - NO_PIE - 3.0 DiamondDash - armv7 - NO_PIE - 4.2 Ebook Reader - armv6|armv7 - NO_PIE - N/A eBookS Reader - armv6|armv7 - NO_PIE - N/A Facebook - armv6|armv7 - NO_PIE - 4.0 Fly With Me - armv6|armv7 - NO_PIE - 3.0 FPK Reader - armv6|armv7 - NO_PIE - 3.2 Hotels - armv6|armv7 - NO_PIE - 3.1 iBooks - armv6|armv7 - NO_PIE - 4.2 KakaoTalk - armv6|armv7 - NO_PIE - 3.1 Messenger - armv6|armv7 - NO_PIE - 4.0 PerfectReader Mini - armv6|armv7 - NO_PIE - N/A QR Reader - armv6|armv7 - NO_PIE - 4.0 QR Scanner - armv6|armv7 - NO_PIE - N/A QR-Scanner - armv7 - NO_PIE - 4.0 QRCode - armv6|armv7 - NO_PIE - N/A Quick Scan - armv6|armv7 - NO_PIE - 4.0 Skype - armv6|armv7 - NO_PIE - N/A Twitter - armv6|armv7 - NO_PIE - 4.0 vBookz PDF - armv7 - PIE - 4.3 VZ-Netzwerke - armv6 - NO_PIE - 3.0 Wallpapers - armv6|armv7 - NO_PIE - 4.1 WhatsApp - armv6|armv7 - NO_PIE - 3.1 Where is - armv6|armv7 - NO_PIE - 4.1 source code of old idapiescan.py is available at Github https://github.com/stefanesser/idapiescan
  • 40. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-6.x: NO PIE main binary randomization • dynamic loader is not slid in iOS 4 for NO PIE main executables • since iOS 5 the dynamic loader is always slid • randomized by kernel in 256 positions 40 iOS 4.3 - 4.3.x - NO PIE main executable iOS 5.0 - 6.x - NO PIE main executable
  • 41. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Position Independent Executables in 2013 • all system binaries are compiled as PIE • most 3rd party apps are now compiled as PIE • NO_PIE mostly unimportant apps • some high profile exceptions are: Skype, SkyDrive, Google Translate, ... 41 $ python ipapiescan.py Bluefire Reader - armv7(s) - PIE - 4.3 Calendar Pro - armv7(s) - PIE - 4.3 CalenMob - armv7(s) - PIE - 5.0 Chrome - armv7 - PIE - 4.3 CloudOn - armv7 - NO_PIE - 5.0 DiamondDash - armv7(s) - PIE - 4.3 Documents - armv7(s) - PIE - 4.3 Ebook Reader - armv7 - PIE - 4.3 eBookS Reader - armv6|armv7 - NO_PIE - N/A Facebook - armv7 - PIE - 4.3 G-Whizz! - armv6|armv7 - NO_PIE - 4.0 Gmail - armv7 - PIE - 5.0 Google - armv7 - PIE - 4.3 Google Drive - armv7 - PIE - 5.0 Google Earth - armv7 - PIE - 4.3 Google+ - armv7 - PIE - 5.0 iBooks - armv7 - PIE - 5.0 IM+ - armv7(s) - PIE - 4.3 Instagram - armv7 - PIE - 4.3 KakaoTalk - armv7(s) - PIE - 4.3 Latitude - armv6|armv7 - NO_PIE - N/A Local - armv6|armv7 - PIE - 4.3 Lync 2010 - armv7 - NO_PIE - 4.3 Messenger - armv7 - PIE - 4.3 MSN World - armv7(s) - PIE - 4.3 SkyDrive - armv6|armv7 - NO_PIE - 4.0 Skype - armv7 - NO_PIE - 4.3 SmartGlass - armv7 - PIE - 5.0 SSH Mobile Free - armv7(s) - PIE - 4.3 SystemTools - armv7(s) - PIE - 4.3 Translate - armv6|armv7 - NO_PIE - N/A Trillian - armv7 - PIE - 4.3 Twitter - armv7 - PIE - 5.0 Usessh - armv7(s) - PIE - 4.3
  • 42. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-6.0: PIE main binary randomization • for PIE main executables the main binary and dyld are randomized • main binary and dyld are slid the same amount • randomized by kernel in 256 positions 42 iOS 4.3 - 6.0 - PIE main executable
  • 43. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6.1: PIE main binary randomization • since iOS 6.1 the kernel finally generates two separate slides • randomness of both is still limited to 256 positions • knowing addresses in dyld / main no longer leaks address of other 43 iOS 4.3 - 6.0 - PIE main executable iOS 6.1 - PIE main executable
  • 44. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 4.3-5.1.1: dyld_shared_cache randomization • data and code must slide together (due to codesigning) • hole after code - data usually loaded to 0x3E000000 • max slide determined by difference of end of shared area and end of data • around 4200 different positions 44 iOS 4.3 - 5.1.1 - maximum slide iOS 4.3 - 5.1.1 - no slide
  • 45. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  iOS 6.x: dyld_shared_cache randomization • code and data loaded right next to each other • no more hole - no more wasted space • max slide determined by size of shared area minus size of shared cache • about 21500 different positions for iPod 4G (new devices = more code = less random) 45 iOS 6.x - no slide iOS 6.x - maximum slide
  • 46. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part V iOS 6 and the Partial Code-signing Vulnerability 46
  • 47. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Partial Code-signing Vulnerability (iOS 4) • in iOS 4.x jailbreaks the method of choice to launch untether exploits • when a mach-o is loaded the kernel will load it as is • a possible signature will be registered • missing signature is okay until a not signed executable page is accessed • dyld was tricked with malformed mach-o data structures to execute code 47
  • 48. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 4.3.4) • function does pre-handling of mach-o load commands • iOS 4.3.4 adds protection against partial code signing • mach-o load commands must be inside a segment • mach-o load commands can only be in R + X segment • mach-o load commands may not be partially in a segment ➡ effect is that once dyld maps the header R+X it can only continue to work on it if there is a valid signature 48
  • 49. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Partial Code-signing Vuln (iOS 4.3.4-iOS 5.1.1) • protection in sniffLoadCommands could be bypassed • by having a RW- LC_SEGMENT64 for mach-o header • and a fake R-X LC_SEGMENT for mach-o header • disclosed at CanSecWest 2012 - here on stage • worked because kernel handles LC_SEGMENT64 and dyld did not • magic is that dyld will read mach-o header from from address in memory 49
  • 50. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 6.0) • iOS 6.0 adds protection against CSW 2012 trick to sniffLoadCommands • if a LC_SEGMENT64 load command is found an exception is thrown ➡ CSW 2012 trick was already partially broken after iOS 5.1.1 • in iOS 5.1.1 AMFI verified existence of a code signing blob 50
  • 51. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Load Command Segment Override (iOS 6.0-6.1.2) • bug used by evasi0n • kernel not directly involved in loading dynamic libraries only dyld is • dyld could be tricked with a malicious dylib • contains real R-X segment with load commands in it • contains second R-- segment that contains copy of load commands • virtual address of both segments is set to same position • later segment in mach-o will replace previous in memory • when dyld accesses header it is in RO memory = no sig needed = bypass 51
  • 52. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  sniffLoadCommands (iOS 6.1.3 beta 2) • iOS 6.1.3 beta 2 adds additional protections to sniffLoadCommands • load commands must now be in one segment only • for dynamic libraries a second sniff pass is added • all segments must not intersect the R-X segment containing the load commands ➡ evasi0n untether killed 52
  • 53. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Part VI iOS 6.1 and Launch-Daemon-Code-Signing 53
  • 54. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch Daemons to launch Untethers • in iOS 5.x jailbreaks were launched on boot via launch daemons • launch daemons are plists describing system services 54 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http:// www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>jb</string> <key>ProgramArguments</key> <array> <string>/usr/sbin/corona</string> <string>-f</string> <string>racoon-exploit.conf</string> </array> <key>WorkingDirectory</key> <string>/usr/share/corona/</string> <key>RunAtLoad</key> <true/> <key>LaunchOnlyOnce</key> <true/> <key>DisableAslr</key> <true/> </dict> </plist> DisableAslr was removed from iOS 5.1
  • 55. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (I) 55 • abuse of launch daemons lead to new iOS 6.1 security feature • launch daemon loading is now code signed • implemented in /bin/launchctl • can be bypassed by setting kernel boot arguments (not possible without low-level exploit)
  • 56. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (II) 56 • without launch-daemon-code-signing /bin/launchctl scans /System/Library/LaunchDaemons for defined launch daemons and loads them • with activated launch-daemon-code-signing a big plist with all defined launch daemons is loaded instead • launch daemon can only be loaded if it is defined in the plist and exists on disk
  • 57. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing (III) 57 • big launch daemon plist is loaded from /System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib • this dynamic library is within the dyld_shared_cache and therefore code signed • symbol __xpcd_cache must exist • but binary plist is take from sectiondata of __TEXT::__xpcd_cache
  • 58. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  XPCD_CACHE.PLIST 58
  • 59. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security 59 How secure Apple wanted Launch-Daemon-Code-Signing to be...
  • 60. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security 60 How secure Launch-Daemon-Code-Signing is right now...
  • 61. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Launch-Daemon-Code-Signing Security • code signing itself seems to stop loading arbitrary launch daemons • but Apple forgot / or ignored /etc/launchd.conf • /etc/launchd.conf defines commands launchctl executes on start • attacker can execute arbitrary existing commands 61 bsexec .. /sbin/mount -u -o rw,suid,dev / setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist bsexec .. /private/var/evasi0n/evasi0n unsetenv DYLD_INSERT_LIBRARIES bsexec .. /bin/rm -f /private/var/evasi0n/sock bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
  • 62. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  FAQ: Why not put old launchctl binary on device? Q: “If only the newest iOS 6.1 launchctl binary implements this code signing. Why not put an iOS 6.0 launchctl binary on the device to bypass this protection?“ A: “System binaries like launchctl do not come with a valid code signing signature from Apple. Instead they come only with the table of memory page hashes and entitlements. When the kernel loads such a binary it hashes these tables and checks if the hash is in a whitelist inside the kernel (a.k.a. trust cache). The old launchctl binary will not be accepted because it is not in the trust cache of the new kernel.“ 62
  • 63. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Final Words • with iOS 6 Apple has tried to kill all public techniques • finally kills some stuff that was previously known and ignored for 10 years • the new mitigations make exploitation a lot harder • when launch daemon code signing is hardened a bit more, persisting on iDevices will become incredibly hard • however there are still weaknesses in most of the protections • ... and tons of kernel information leaks 63
  • 64. Stefan Esser • iOS 6 - Exploitation 280 Days Later • March 2013 •  Questions ? 64