SlideShare a Scribd company logo

SyScan 2015 - iOS 678 Security - A Study in Fail

Stefan Esser
Stefan Esser

Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.

1 of 76
Download to read offline
iOS 678 Security
 —== A Study in Fail ==— Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • invested in PHP security from 2001 to 20xx • since 2010 focused on iPhone security (ASLR/jailbreak) • founder of SektionEins GmbH 2
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Lots of Fail, but this talk is not about … • Apple releasing an iOS 8.0.1 update that would kill cell service on iPhone 6/6p • Apple adding unsecured double linked lists as meta-data to the iOS 7 kernel heap that made kernel heap exploitation easy (safe unlink in iOS 8) • Apple “improving” their iOS 7 early random number generator so that Tarjei Mandt would totally rip it apart and calculate all past and future numbers • Apple having a double “goto fail” in their SSL for iOS 6 - iOS 7.0.5 that broke it completely • … so yes I am skipping a lot of fail but what I cover is already too much for 45 minutes 3
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So what is it about? this talk is about iOS jailbreaks and Apple fixing the bugs within 4
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fixing Bugs … 5
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  BUT APPLE SECURITY AIN’T NO JEDI 6 BUT APPLE SECURITY AIN’T NO JEDI
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So actually … this talk is about iOS jailbreaks and Apple not fixing the bugs within 7
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Before we start … what are the ingredients of an iOS jailbreak? 8
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ingredients Initial Injection Vector Persistency 9
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Not talking about that Initial Injection Vector but apparently Apple had to issue several updates to fix those bugs, too 10
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Concentrating on Jailbreak Persistency 11
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (I) • why concentrate on persistency? • attack surface for injection is just extremely = huge no chance of win • injection vectors for iOS can be easily exchanged • USB, mobile safari, malicious apps • some injections would require more powerful kernel bugs than public jailbreaks, but those do exist and are traded in the underground 12
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (II) • attack surface for jailbreak persistency is in comparison extremely small • could be made even smaller and smaller if Apple would do it right • i just want the public to pressure Apple into changing • PUBLIC PERSISTENCE EXPLOITS CAN BE EASILY REUSED IN STATE SPONSORED ATTACKS = LOT CHEAPER + NOT WASTE BUGS 13
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI trickery 14
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI Trickery • whole story starts with the exploit chain evad3rs “invented” for iOS 6 • for signature verification • kernel asks AMFI driver • AMFI driver asks AMFID user space daemon • AMFID uses libmis.dylib • Attack: 
 inject a malicious library into AMFID that makes libmis.dylib return “true” 15
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Injecting a malicious dylib AMFI attack • injecting malicious dylib / replacing libmis.dylib not as easy at it sounds • need to trick dynamic linker into attempting to do it • need to trick dynamic linker into accepting a not signed library • Idea: 
 use launch daemon config + DYLD_INSERT_LIBRARIES for first part
 use incomplete codesigning bypass for second part 16
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Putting the full chain together 17
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying” to fix evasi0n • launchd.conf no longer loaded • __restrict in AMFID stops DYLD_INSERT_LIBRARIES • apply patch to fix incomplete code signing bypass (patient ALPHA) • fix kernel info leak and memory corruption 18
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks • patch of incomplete code signing trick (patient ALPHA) required new incomplete code signing trick ➡ evad3rs unnecessarily burned a new vulnerability some gave to them • __restrict in AMFID required new way to replace/inject library ➡ just use dyld feature enable-dylibs-to-override-cache
 (makes dyld load a replacement library instead of original one) 19
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks (II) • removal of launchd.conf required trick to inject launch daemons beside launch daemon codesigning • just use previous two also load a malicious xpcd_cache.dylib • kernel bugs required to be replaced • they just used some new bugs (because there are plenty) 20
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  New chain for evasi0n 7 21
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple fixing evasi0n7 *LESS AGGRESSIVE* • new incomplete codesigning bypass trick fixed • kernel bugs are fixed • rest of chain is left completely untouched 22
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu7 Jailbreak • Pangu realised that original bug Patient ALPHA was fixed incorrectly • used new kernel bugs 23 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu7 • they try to fix their broken fix for the codesigning • kernel bugs are claimed fixed • rest of chain is still completely untouched 24 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu8 Jailbreak • Pangu realised that fix for fix for Patient ALPHA is still incorrect • also their kernel bugs were apparently not patched correctly 25 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu8 • they try to fix their broken fix for the broken fix for the codesigning • kernel bugs are claimed fixed again • rest of chain is still completely untouched 26 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  TaiG Jailbreak • Pangu TaiG realised that fix for fix for fix for Patient ALPHA is still incorrect • used other kernel bugs 27 DejaVu
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache 28
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • a flag file in /System/Library/Caches/com.apple.dyld • when present libraries on disk will be loaded instead of a cached copy • used by jailbreaks to trick dyld into loading • malicious libmis.dylib into AMFID • malicious list of launchd daemons xpcd_cache.dylib into launchctl 29
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • see how enable-dylibs-to-override-cache is in center of everything? • without this element the whole chain would have been destroyed 30
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • first abused in iOS 7.0 jailbreak by evad3rs (December 2013) • without it the whole exploit chains of all jailbreaks since then would have fallen apart • after 14 months still unfixed • from a strategic standpoint it is unbelievable that Apple did not fix this • by not fixing this for 14 months Apple made persistence on device easier • fixing this bug would have made iOS far more secure than the 
 security by obscurity patches that Apple implemented to stop
 the root filesystem from being writable or the team identifier hack 31
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Patient Alpha (incomplete codesigning) 32
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Incomplete Codesigning • simplified: • if a page is not executable a missing code sig is not a problem • if a page is executable there must be a code sig on first access • prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to exploit dyld via various meta-data structures • around the end of iOS 4 Apple added checks to dyld to enforce load commands are in an executable segment • therefore while header parsing (first access) code sig is required 33
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach-o dynamic library loading • mach-o dynamic libraries loaded by dyld • load commands describe i.a. layout of segments in memory • virtual address and 
 virtual size of segments • file position and 
 file size of segment 34
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ohhh really? • actually it is not that simple • mach-o header is first loaded into stack • initial LC parse is performed to collect info • this info is used to map the file into memory • segments are touched to enforce code sig • another LC parse is performed to make dyld use the mach-o header from paged memory • more and more parsing 35
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs come along • and then the evad3rs came along • for evasi0n (iOS 6) they used a 
 TOCTOU trick to bypass the checks • attack logic between sniffLoadCommands and crashIfInvalidCodesignature • just trick mapSegments 36
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mapSegments • mapSegments uses mmap() • mmap allows to override previous mappings • just have two mappings at same virtual address • 1st contains LC and is R+X • 2nd contains fake LC and is R / RW • therefore at time of later access to page it will not require a code signature 37
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s first fix • Apple added a detection for 
 overlapping segments • code tests LC segment against all others so that it does not get overlapped by other segment • test uses virtual address and virtual size 38
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s first fix • the security check by Apple did not account for integer wraps • a segment with vmaddr at end of address space and wrapping around is not detected as overlapping • in reality the mapping is not wrapping around the address space due to being slid for ASLR 39
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s second fix • Apple added a detection for LC segment wrapping around • such a setup will be detected and disallowed 40
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s second fix • the integer wrap check was only done on the 
 LC segment • just doing the same trick again but letting the other segment wrap around would still do the trick • what was Apple thinking? 41
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s third fix • Apple added a detection for other segments wrapping around • such a setup will now also be detected and disallowed 42
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s third fix • all these battles by Apple security with Chinese jailbreakers were for nothing • the security checks by Apple all did detect overlaps by checking vmaddr + vmsize • however mapSegments never used vmsize • mapping into memory uses filesize • filesize could be a lot larger than vmsize • overlapping would never be detected 43
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s fourth fix • Apple now detects when filesize is bigger than vmsize • such segments are now forbidden • they now added a number of other checks that also killed another bypass by accident (will be disclosed in my blog) • it took Apple only 2 years to realise this ;-) 44 • DISCLAIMER: I am absolutely NOT claiming that this is the end
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject 45
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject • debugging Mach API call • returns kobject associated with a mach port • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: leaked addresses very useful for exploitation 46 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = kaddr; else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 1 47
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 6.0 • Apple added kernel address obfuscation • random 32 / 64 bit secret vm_kernel_addrperm • added to all returned addresses • should stop leakage of valid kernel pointers 48 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_ADDRPERM(VM_KERNEL_UNSLIDE(kaddr)); else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Weakness of ADD Obfuscation • all returned addresses are obfuscated with the same secret summand • ADDR + SECRET = OBFUSCATED_ADDR • a single pair of ADDR and its OBFUSCATED_ADDR break the security • if SECRET is known all obfuscated addresses can be easily decrypted 49
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: 
 we know realhost’s address and can break obfuscation 50 we know plain address of this variable therefore we can break obfuscation
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 2 51
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.0 • Apple now detects pointers inside kernel and does not obfuscate • stops attack via e.g. host ports 52 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_UNSLIDE_OR_PERM(kaddr); else *addrp = 0;
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • master ports: the value of kobject is 1 • SECURITY PROBLEM:
 Obfuscation secret is mach_port_kobject(master)-1 53
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fun Fact • master port attack was taught to Pangu in SektionEins’ iOS training • Pangu used it in their jailbreak in June 2014 • This means this attack was used in public 3 MONTHS before iOS 8.0 release* • TaiG reused this trick in November 2014 for their jailbreak 54 * this means when fix 2 was released to public this was already known to be insufficient
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 3 55
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.1.3 • Apple released iOS 8.1.3 at end of January • they fixed the problem the Apple’s wayTM • they just removed the function altogether • removing the function took them ONLY 7 MONTHS • This bug was assigned CVE-2014-4496 and Apple wrongly credits TaiG for it 56
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request 57
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() • Mach API call • allows applications to request information about kernel modules • active operations are locked down (load, unload, start, stop, …) • passive operations partially working from even within the sandbox • Apple fixed it to unslide load addresses to protect against KASLR leaks 58
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info • of special interest is a sub request called • Get Loaded Kext Info • returns a serialised dictionary with information about all loaded Kext • information contained includes the mach-o headers • Apple even modifies those headers to protect KASLR 59
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info 60 mach_msg_type_number_t reqlen, resplen = 0, loglen = 0; char *request, *response = NULL, *log = NULL; kern_return_t kr; request = "<dict><key>Kext Request Predicate</key><string>Get Loaded Kext Info</string></dict>"; reqlen = strlen(request) + 1; kext_request(mach_host_self(), 0, request, reqlen, &response, &resplen, &log, &loglen, &kr);
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - iPhone 6plus / iOS 8.0.2 61 <dict ID="0"><key>__kernel__</key><dict ID="1"><key>OSBundleMachOHeaders</key><data ID="2">z/rt/gwAAAEAAAAAAgAAAA 8AAABACwAAAQAgAAAAAAAZAAAAOAEAAF9fVEVYVAAAAAAAAAAAAAAAIAACgP///wAgSAAAAAAAAAAAAAAAAAAAIEgAAAAAAAUAAAAFA AAAAwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAAAwAAKA////rCJCAAAAAAAAEAAADAAAAAAAAAAAAAAAAAQAgAAAAAA AAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwFJCAoD///9oYAIAAAAAAMAyQgAFAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAX19jc3RyaW5nAAAAAAAAAF9fVEVYVAAAAAAAAAAAAAAos0QCgP///2h +AwAAAAAAKJNEAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAyAIAAF9fREFUQQAAAAAAAAAAAAAAQEgCgP/// wBACwAAAAAAACBIAAAAAAAAwAQAAAAAAAMAAAADAAAACAAAAAAAAABfX21vZF9pbml0X2Z1bmMAX19EQVRBAAAAAAAAAAAAAABASAKA//// CAIAAAAAAAAAIEgAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAF9fbW9kX3Rlcm1fZnVuYwBfX0RBVEEAAAAAAAAAAAAACEJIAoD/// 8AAgAAAAAAAAgiSAADAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAAAAX19jb25zdAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAQREgCgP/// yCWAQAAAAAAECRIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2RhdGEAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAASgKA//// aNICAAAAAAAA4EkADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc2ZpX2NsYXNzX3JlZwBfX0RBVEEAAAAAAAAAAAAAaNJMAoD/// 8AAgAAAAAAAGiyTAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19zeXNjdGxfc2V0AAAAAF9fREFUQQAAAAAAAAAAAABo1EwCgP/// 3AcAAAAAAAAaLRMAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2JzcwAAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAATQKA//// kF8GAAAAAAAAAAAADAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAF9fY29tbW9uAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAAGBTAoD/// 8YEQAAAAAAAAAAAAAMAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAACgCAABfX0tMRAAAAAAAAAAAAAAAAIBTAoD/// 8AIAAAAAAAAADwTAAAAAAAACAAAAAAAAADAAAAAwAAAAYAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9fS0xEAAAAAAAAAAAAAAAAgFMCgP/// 1ASAAAAAAAAAPBMAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19LTEQAAAAAAAAAAAAAAFCSUwKA//// CAcAAAAAAABQAk0AAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAAWJlTAoD/// 9oAAAAAAAAAFgJTQADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fS0xEAAAAAAAAAAAAAADAmVMCgP/// wgAAAAAAAAAwAlNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX21vZF90ZXJtX2Z1bmMAX19LTEQAAAAAAAAAAAAAAMiZUwKA//// CAAAAAAAAADICU0AAwAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAF9fYnNzAAAAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAA0JlTAoD/// 8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX0xBU1QAAAAAAAAAAAAAAKBTAoD/// 8AEAAAAAAAAAAQTQAAAAAAABAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fTEFTVAAAAAAAAAAAAAAAoFMCgP/// wgAAAAAAAAAABBNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX2xhc3QAAAAAAAAAAAAAX19MQVNUAAAAAAAAAAAAAAig8xKA//// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX1RFWFQAAAAwWQKA//// AJDTAAAAAAAAoFIAAAAAAACQ0wAAAAAAAwAAAAMAAAABAAAAAAAAAF9fdGV4dAAAAAAAAAAAAABfX1BSRUxJTktfVEVYVAAAADBZAoD/// 8AkNMAAAAAAACgUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX1BSRUxJTktfU1RBVEUAALDzEoD/// 8AAAAAAAAAAAAgTQAAAAAAAAAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19rZXJuZWwAAAAAAAAAAF9fUFJFTElOS19TVEFURQAAsPMSgP/// wAAAAAAAAAAACBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2tleHRzAAAAAAAAAAAAX19QUkVMSU5LX1NUQVRFAACw8xKA//// AAAAAAAAAAAAIE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX0lORk8AAADAzBOA//// AFAIAAAAAAAAMCYBAAAAAPhPCAAAAAAAAwAAAAMAAAABAAAAAAAAAF9faW5mbwAAAAAAAAAAAABfX1BSRUxJTktfSU5GTwAAAMDME4D//// 4TwgAAAAAAAAwJgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAALDzEoD/// 94eQUAAAAAAAAgTQAAAAAAeHkFAAAAAAABAAAAAQAAAAAAAAAAAAAAAgAAABgAAADwnU8AnhAAANCnUACo8QEACwAAAFAAAAAAAAAAAAAAAAAAAACeEAAAn hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBNAPVHAAAbAAAAGAAAAPke8gf2KzpJlbujQoICCjclAAAAEAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWIANAoD///8AAAAAAAAAACYAAAAQAAAAqF9PAEg+AAA= </data><key>OSBundleCPUType</key><integer size="32" ID="3">0x100000c</integer><key>OSBundleCPUSubtype</key><integer size="32" ID="4">0x0</ integer><key>CFBundleIdentifier</key><string ID="5">__kernel__</string><key>CFBundleVersion</key><string ID="6">14.0.0</string><key>OSBundleUUID</key><data ID="7">+R7yB/YrOkmVu6NCggIKNw==</data><key>OSKernelResource</ key><true/><key>OSBundleIsInterface</key><false/><key>OSBundlePrelinked</key><false/><key>OSBundleStarted</key><true/ ><key>OSBundleLoadTag</key><integer size="32" ID="8">0x0</integer><key>OSBundleLoadAddress</key><integer size="64" ID="9">0xffffff8002002000</integer><key>OSBundleLoadSize</key>
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() vs. Mark Dowd • so in October 2012 Mark Dowd disclosed that Apple forgot to unslide addresses in mach-o section defintion • Apple released a fix in iOS 6.0.1 • so KASLR was easy to defeat in iOS 6.0 • at this point everyone was auditing this function 62 I was informed by Mark Dowd that disclosure of bug was actually done by Tarjei Mandt. So I am sorry for crediting it to the wrong person :)
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  However … • however there were ADDITIONAL bugs • macro Apple used did only unslide main kernel and pre-loaded kernel extensions • but there are parts in the kernelcache that were in between and therefore not unslid • leaks KASLR slide once again => KASLR broken 63 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple Releases a Fix • end of January 2015 Apple releases iOS 8.1.3 to fix this • fixed it the Apple way: they remove the OSBundleMachOHeaders altogether • but they lie about it in the release announcement (claim it was fixed/not removed) • took them only more than 2 years to realize this 2nd vulnerability • and only 7 months from it being publicly used in a jailbreak • people in training saw this within 10 min when checking out fix for Dowd’s 2012 bug 64 Tarjei Mandt's
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing 65
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • Of course all of these bugs also apply to OS X • so no surprise that Apple fixed kext_request() in OS X 10.10.2 • but for 10.10.2 they keep the OSBundleMachOHeaders and try to do it correctly 66
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • at this point it might not surprise the audience anymore • kext_request KASLR info leak is still not fully fixed in Mac OS X 10.10.2 • the slide still leaks through the contained OSBundleMachOHeaders • reason is that they use < instead of <= in the code • therefore __LAST::__last (the last kernel symbol) is not unslid 67 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China 68
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China • there has been a change in guard • recent Jailbreaks are no longer developed by “Westeners” • now Chinese teams seem to rule the scene • but why? 69
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Western” Jailbreak developers • shared a lot of tools and techniques • now have to deal with exploit export control regulations • worked hard for nearly nothing (few donations) • while information security companies made millions of their work • on top of that had to deal with greedy JB community 70
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Chinese” Jailbreak developers • are paid by Chinese companies with app stores ( e.g. 1 Mio USD ) • use money to buy vulnerabilities / exploits ( from the west ) • use questionable methods like stolen enterprise certificates • use public & non public code ignoring software licenses / copyright 71 at the moment I have no permission to disclose identity of jailbreaker who wrote this if you can offer 100.000 USD for buying a vulnerability / exploit this means you must get a lot for the end product
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - and Apple • so far “Chinese” Jailbreakers • had a lucky time because of Apple security’s total lack of QA • have mostly relied on techniques invented by westerners • could reuse the same vulnerabilities over and over 72
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Community • so far “Chinese” Jailbreakers have • not released any code to advance the iOS research community • instead have heavily obfuscated their jailbreaks • intentionally removed patches to hinder work of other researchers • have destructive kernel patches that overwrite part of kernel binary • they are in it for the money and don’t want competition 73
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion 74
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion • looking at how Apple security fails over and over again shows they are not taking it seriously and have no QA on their security fixes AT ALL. • Basically Apple Security’s failed patches made the Chinese jb possible • IMHO the fact that media is celebrating Jailbreaks instead of taking them as what they are: exploits for vulnerabilities is partly the reason why Apple does not take fixing them seriously • media should stress the fact that every unfixed jailbreak makes it CHEAP for state sponsored attackers to spy on people • actually it has been shown that several iOS surveillance tools fully rely on release of public jailbreaks 75
Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Questions ? 76

Recommended

CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
Nemwos
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
Jack Forbes
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
Shital Kat
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
afaque jaya
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 

Recommended

CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
Nemwos
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
Jack Forbes
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
Shital Kat
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
afaque jaya
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
Aruba, a Hewlett Packard Enterprise company
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Network security
Network securityNetwork security
Network security
Christalin Nelson
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
Alberto Rivai
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
F5 Networks
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1
Mohamed Loey
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
Raffael Marty
 
WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
Napier University
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
Sophos
 
iOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days lateriOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days later
Wang Hao Lee
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
Seguridad Apple
 

More Related Content

What's hot

ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
Aruba, a Hewlett Packard Enterprise company
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Network security
Network securityNetwork security
Network security
Christalin Nelson
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
Alberto Rivai
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
F5 Networks
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1
Mohamed Loey
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
Raffael Marty
 
WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
Napier University
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
Sophos
 

What's hot (20)

ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
IOS security
IOS securityIOS security
IOS security
 
Network security
Network securityNetwork security
Network security
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
 
The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
 
Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1Computer Security - CCNA Security - Lecture 1
Computer Security - CCNA Security - Lecture 1
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
 

Similar to SyScan 2015 - iOS 678 Security - A Study in Fail

iOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days lateriOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days later
Wang Hao Lee
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
Seguridad Apple
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
Stefan Esser
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
Seguridad Apple
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
Stefan Esser
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
Seguridad Apple
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
Reality Net System Solutions
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
Eric Monti
 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
Stefan Esser
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
Koan-Sin Tan
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
iphonepentest
 
iOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore PordenoneiOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore Pordenone
Klaus Lanzarini
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
deepikakumari643428
 

Similar to SyScan 2015 - iOS 678 Security - A Study in Fail (20)

iOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days lateriOS 6 Exploitation 280 days later
iOS 6 Exploitation 280 days later
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterCanSecWest 2013 - iOS 6 Exploitation 280 Days Later
CanSecWest 2013 - iOS 6 Exploitation 280 Days Later
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelSyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS Kernel
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Toorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for ThatToorcon 2010: IPhone Rootkits? There's an App for That
Toorcon 2010: IPhone Rootkits? There's an App for That
 
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPSyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IP
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry Forensics
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
iOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore PordenoneiOS Ecosystem @ Fiera del Radioamatore Pordenone
iOS Ecosystem @ Fiera del Radioamatore Pordenone
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

SyScan 2015 - iOS 678 Security - A Study in Fail

  • 1. iOS 678 Security
 —== A Study in Fail ==— Stefan Esser <stefan.esser@sektioneins.de> http://www.sektioneins.de
  • 2. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Who am I? Stefan Esser • from Cologne / Germany • in information security since 1998 • invested in PHP security from 2001 to 20xx • since 2010 focused on iPhone security (ASLR/jailbreak) • founder of SektionEins GmbH 2
  • 3. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Lots of Fail, but this talk is not about … • Apple releasing an iOS 8.0.1 update that would kill cell service on iPhone 6/6p • Apple adding unsecured double linked lists as meta-data to the iOS 7 kernel heap that made kernel heap exploitation easy (safe unlink in iOS 8) • Apple “improving” their iOS 7 early random number generator so that Tarjei Mandt would totally rip it apart and calculate all past and future numbers • Apple having a double “goto fail” in their SSL for iOS 6 - iOS 7.0.5 that broke it completely • … so yes I am skipping a lot of fail but what I cover is already too much for 45 minutes 3
  • 4. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So what is it about? this talk is about iOS jailbreaks and Apple fixing the bugs within 4
  • 5. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fixing Bugs … 5
  • 6. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  BUT APPLE SECURITY AIN’T NO JEDI 6 BUT APPLE SECURITY AIN’T NO JEDI
  • 7. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  So actually … this talk is about iOS jailbreaks and Apple not fixing the bugs within 7
  • 8. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Before we start … what are the ingredients of an iOS jailbreak? 8
  • 9. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ingredients Initial Injection Vector Persistency 9
  • 10. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Not talking about that Initial Injection Vector but apparently Apple had to issue several updates to fix those bugs, too 10
  • 11. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Concentrating on Jailbreak Persistency 11
  • 12. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (I) • why concentrate on persistency? • attack surface for injection is just extremely = huge no chance of win • injection vectors for iOS can be easily exchanged • USB, mobile safari, malicious apps • some injections would require more powerful kernel bugs than public jailbreaks, but those do exist and are traded in the underground 12
  • 13. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak Persistency (II) • attack surface for jailbreak persistency is in comparison extremely small • could be made even smaller and smaller if Apple would do it right • i just want the public to pressure Apple into changing • PUBLIC PERSISTENCE EXPLOITS CAN BE EASILY REUSED IN STATE SPONSORED ATTACKS = LOT CHEAPER + NOT WASTE BUGS 13
  • 14. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI trickery 14
  • 15. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  AMFI Trickery • whole story starts with the exploit chain evad3rs “invented” for iOS 6 • for signature verification • kernel asks AMFI driver • AMFI driver asks AMFID user space daemon • AMFID uses libmis.dylib • Attack: 
 inject a malicious library into AMFID that makes libmis.dylib return “true” 15
  • 16. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Injecting a malicious dylib AMFI attack • injecting malicious dylib / replacing libmis.dylib not as easy at it sounds • need to trick dynamic linker into attempting to do it • need to trick dynamic linker into accepting a not signed library • Idea: 
 use launch daemon config + DYLD_INSERT_LIBRARIES for first part
 use incomplete codesigning bypass for second part 16
  • 17. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Putting the full chain together 17
  • 18. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying” to fix evasi0n • launchd.conf no longer loaded • __restrict in AMFID stops DYLD_INSERT_LIBRARIES • apply patch to fix incomplete code signing bypass (patient ALPHA) • fix kernel info leak and memory corruption 18
  • 19. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks • patch of incomplete code signing trick (patient ALPHA) required new incomplete code signing trick ➡ evad3rs unnecessarily burned a new vulnerability some gave to them • __restrict in AMFID required new way to replace/inject library ➡ just use dyld feature enable-dylibs-to-override-cache
 (makes dyld load a replacement library instead of original one) 19
  • 20. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs needed new tricks (II) • removal of launchd.conf required trick to inject launch daemons beside launch daemon codesigning • just use previous two also load a malicious xpcd_cache.dylib • kernel bugs required to be replaced • they just used some new bugs (because there are plenty) 20
  • 21. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  New chain for evasi0n 7 21
  • 22. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple fixing evasi0n7 *LESS AGGRESSIVE* • new incomplete codesigning bypass trick fixed • kernel bugs are fixed • rest of chain is left completely untouched 22
  • 23. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu7 Jailbreak • Pangu realised that original bug Patient ALPHA was fixed incorrectly • used new kernel bugs 23 DejaVu
  • 24. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu7 • they try to fix their broken fix for the codesigning • kernel bugs are claimed fixed • rest of chain is still completely untouched 24 DejaVu
  • 25. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Pangu8 Jailbreak • Pangu realised that fix for fix for Patient ALPHA is still incorrect • also their kernel bugs were apparently not patched correctly 25 DejaVu
  • 26. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple “trying to fix” Pangu8 • they try to fix their broken fix for the broken fix for the codesigning • kernel bugs are claimed fixed again • rest of chain is still completely untouched 26 DejaVu
  • 27. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  TaiG Jailbreak • Pangu TaiG realised that fix for fix for fix for Patient ALPHA is still incorrect • used other kernel bugs 27 DejaVu
  • 28. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache 28
  • 29. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • a flag file in /System/Library/Caches/com.apple.dyld • when present libraries on disk will be loaded instead of a cached copy • used by jailbreaks to trick dyld into loading • malicious libmis.dylib into AMFID • malicious list of launchd daemons xpcd_cache.dylib into launchctl 29
  • 30. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • see how enable-dylibs-to-override-cache is in center of everything? • without this element the whole chain would have been destroyed 30
  • 31. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  enable-dylibs-to-override-cache • first abused in iOS 7.0 jailbreak by evad3rs (December 2013) • without it the whole exploit chains of all jailbreaks since then would have fallen apart • after 14 months still unfixed • from a strategic standpoint it is unbelievable that Apple did not fix this • by not fixing this for 14 months Apple made persistence on device easier • fixing this bug would have made iOS far more secure than the 
 security by obscurity patches that Apple implemented to stop
 the root filesystem from being writable or the team identifier hack 31
  • 32. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Patient Alpha (incomplete codesigning) 32
  • 33. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Incomplete Codesigning • simplified: • if a page is not executable a missing code sig is not a problem • if a page is executable there must be a code sig on first access • prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to exploit dyld via various meta-data structures • around the end of iOS 4 Apple added checks to dyld to enforce load commands are in an executable segment • therefore while header parsing (first access) code sig is required 33
  • 34. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach-o dynamic library loading • mach-o dynamic libraries loaded by dyld • load commands describe i.a. layout of segments in memory • virtual address and 
 virtual size of segments • file position and 
 file size of segment 34
  • 35. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Ohhh really? • actually it is not that simple • mach-o header is first loaded into stack • initial LC parse is performed to collect info • this info is used to map the file into memory • segments are touched to enforce code sig • another LC parse is performed to make dyld use the mach-o header from paged memory • more and more parsing 35
  • 36. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  evad3rs come along • and then the evad3rs came along • for evasi0n (iOS 6) they used a 
 TOCTOU trick to bypass the checks • attack logic between sniffLoadCommands and crashIfInvalidCodesignature • just trick mapSegments 36
  • 37. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mapSegments • mapSegments uses mmap() • mmap allows to override previous mappings • just have two mappings at same virtual address • 1st contains LC and is R+X • 2nd contains fake LC and is R / RW • therefore at time of later access to page it will not require a code signature 37
  • 38. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s first fix • Apple added a detection for 
 overlapping segments • code tests LC segment against all others so that it does not get overlapped by other segment • test uses virtual address and virtual size 38
  • 39. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s first fix • the security check by Apple did not account for integer wraps • a segment with vmaddr at end of address space and wrapping around is not detected as overlapping • in reality the mapping is not wrapping around the address space due to being slid for ASLR 39
  • 40. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s second fix • Apple added a detection for LC segment wrapping around • such a setup will be detected and disallowed 40
  • 41. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s second fix • the integer wrap check was only done on the 
 LC segment • just doing the same trick again but letting the other segment wrap around would still do the trick • what was Apple thinking? 41
  • 42. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s third fix • Apple added a detection for other segments wrapping around • such a setup will now also be detected and disallowed 42
  • 43. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Problem with Apple’s third fix • all these battles by Apple security with Chinese jailbreakers were for nothing • the security checks by Apple all did detect overlaps by checking vmaddr + vmsize • however mapSegments never used vmsize • mapping into memory uses filesize • filesize could be a lot larger than vmsize • overlapping would never be detected 43
  • 44. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple’s fourth fix • Apple now detects when filesize is bigger than vmsize • such segments are now forbidden • they now added a number of other checks that also killed another bypass by accident (will be disclosed in my blog) • it took Apple only 2 years to realise this ;-) 44 • DISCLAIMER: I am absolutely NOT claiming that this is the end
  • 45. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject 45
  • 46. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject • debugging Mach API call • returns kobject associated with a mach port • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: leaked addresses very useful for exploitation 46 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = kaddr; else *addrp = 0;
  • 47. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 1 47
  • 48. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 6.0 • Apple added kernel address obfuscation • random 32 / 64 bit secret vm_kernel_addrperm • added to all returned addresses • should stop leakage of valid kernel pointers 48 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_ADDRPERM(VM_KERNEL_UNSLIDE(kaddr)); else *addrp = 0;
  • 49. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Weakness of ADD Obfuscation • all returned addresses are obfuscated with the same secret summand • ADDR + SECRET = OBFUSCATED_ADDR • a single pair of ADDR and its OBFUSCATED_ADDR break the security • if SECRET is known all obfuscated addresses can be easily decrypted 49
  • 50. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • SECURITY PROBLEM: 
 we know realhost’s address and can break obfuscation 50 we know plain address of this variable therefore we can break obfuscation
  • 51. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 2 51
  • 52. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.0 • Apple now detects pointers inside kernel and does not obfuscate • stops attack via e.g. host ports 52 *typep = (unsigned int) ip_kotype(port); kaddr = (mach_vm_address_t)port->ip_kobject; ip_unlock(port); if (0 != kaddr && is_ipc_kobject(*typep)) *addrp = VM_KERNEL_UNSLIDE_OR_PERM(kaddr); else *addrp = 0;
  • 53. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Houston we have a problem … • Remember this? • kobject filled with different values depending on type of port • IOKit object ports: a kernel heap address containing a function table • Host ports: address of realhost variable in kernel • other ports: something else • master ports: the value of kobject is 1 • SECURITY PROBLEM:
 Obfuscation secret is mach_port_kobject(master)-1 53
  • 54. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fun Fact • master port attack was taught to Pangu in SektionEins’ iOS training • Pangu used it in their jailbreak in June 2014 • This means this attack was used in public 3 MONTHS before iOS 8.0 release* • TaiG reused this trick in November 2014 for their jailbreak 54 * this means when fix 2 was released to public this was already known to be insufficient
  • 55. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Fix 3 55
  • 56. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  mach_port_kobject in iOS 8.1.3 • Apple released iOS 8.1.3 at end of January • they fixed the problem the Apple’s wayTM • they just removed the function altogether • removing the function took them ONLY 7 MONTHS • This bug was assigned CVE-2014-4496 and Apple wrongly credits TaiG for it 56
  • 57. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request 57
  • 58. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() • Mach API call • allows applications to request information about kernel modules • active operations are locked down (load, unload, start, stop, …) • passive operations partially working from even within the sandbox • Apple fixed it to unslide load addresses to protect against KASLR leaks 58
  • 59. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info • of special interest is a sub request called • Get Loaded Kext Info • returns a serialised dictionary with information about all loaded Kext • information contained includes the mach-o headers • Apple even modifies those headers to protect KASLR 59
  • 60. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - Get Loaded Kext Info 60 mach_msg_type_number_t reqlen, resplen = 0, loglen = 0; char *request, *response = NULL, *log = NULL; kern_return_t kr; request = "<dict><key>Kext Request Predicate</key><string>Get Loaded Kext Info</string></dict>"; reqlen = strlen(request) + 1; kext_request(mach_host_self(), 0, request, reqlen, &response, &resplen, &log, &loglen, &kr);
  • 61. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() - iPhone 6plus / iOS 8.0.2 61 <dict ID="0"><key>__kernel__</key><dict ID="1"><key>OSBundleMachOHeaders</key><data ID="2">z/rt/gwAAAEAAAAAAgAAAA 8AAABACwAAAQAgAAAAAAAZAAAAOAEAAF9fVEVYVAAAAAAAAAAAAAAAIAACgP///wAgSAAAAAAAAAAAAAAAAAAAIEgAAAAAAAUAAAAFA AAAAwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAAAwAAKA////rCJCAAAAAAAAEAAADAAAAAAAAAAAAAAAAAQAgAAAAAA AAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAwFJCAoD///9oYAIAAAAAAMAyQgAFAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAX19jc3RyaW5nAAAAAAAAAF9fVEVYVAAAAAAAAAAAAAAos0QCgP///2h +AwAAAAAAKJNEAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAyAIAAF9fREFUQQAAAAAAAAAAAAAAQEgCgP/// wBACwAAAAAAACBIAAAAAAAAwAQAAAAAAAMAAAADAAAACAAAAAAAAABfX21vZF9pbml0X2Z1bmMAX19EQVRBAAAAAAAAAAAAAABASAKA//// CAIAAAAAAAAAIEgAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAF9fbW9kX3Rlcm1fZnVuYwBfX0RBVEEAAAAAAAAAAAAACEJIAoD/// 8AAgAAAAAAAAgiSAADAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAAAAX19jb25zdAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAQREgCgP/// yCWAQAAAAAAECRIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2RhdGEAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAASgKA//// aNICAAAAAAAA4EkADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc2ZpX2NsYXNzX3JlZwBfX0RBVEEAAAAAAAAAAAAAaNJMAoD/// 8AAgAAAAAAAGiyTAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19zeXNjdGxfc2V0AAAAAF9fREFUQQAAAAAAAAAAAABo1EwCgP/// 3AcAAAAAAAAaLRMAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2JzcwAAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAAAAATQKA//// kF8GAAAAAAAAAAAADAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAF9fY29tbW9uAAAAAAAAAABfX0RBVEEAAAAAAAAAAAAAAGBTAoD/// 8YEQAAAAAAAAAAAAAMAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAACgCAABfX0tMRAAAAAAAAAAAAAAAAIBTAoD/// 8AIAAAAAAAAADwTAAAAAAAACAAAAAAAAADAAAAAwAAAAYAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9fS0xEAAAAAAAAAAAAAAAAgFMCgP/// 1ASAAAAAAAAAPBMAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19LTEQAAAAAAAAAAAAAAFCSUwKA//// CAcAAAAAAABQAk0AAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fY29uc3QAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAAWJlTAoD/// 9oAAAAAAAAAFgJTQADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fS0xEAAAAAAAAAAAAAADAmVMCgP/// wgAAAAAAAAAwAlNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX21vZF90ZXJtX2Z1bmMAX19LTEQAAAAAAAAAAAAAAMiZUwKA//// CAAAAAAAAADICU0AAwAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAF9fYnNzAAAAAAAAAAAAAABfX0tMRAAAAAAAAAAAAAAA0JlTAoD/// 8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX0xBU1QAAAAAAAAAAAAAAKBTAoD/// 8AEAAAAAAAAAAQTQAAAAAAABAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19tb2RfaW5pdF9mdW5jAF9fTEFTVAAAAAAAAAAAAAAAoFMCgP/// wgAAAAAAAAAABBNAAMAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAABfX2xhc3QAAAAAAAAAAAAAX19MQVNUAAAAAAAAAAAAAAig8xKA//// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX1RFWFQAAAAwWQKA//// AJDTAAAAAAAAoFIAAAAAAACQ0wAAAAAAAwAAAAMAAAABAAAAAAAAAF9fdGV4dAAAAAAAAAAAAABfX1BSRUxJTktfVEVYVAAAADBZAoD/// 8AkNMAAAAAAACgUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAOgAAABfX1BSRUxJTktfU1RBVEUAALDzEoD/// 8AAAAAAAAAAAAgTQAAAAAAAAAAAAAAAAADAAAAAwAAAAIAAAAAAAAAX19rZXJuZWwAAAAAAAAAAF9fUFJFTElOS19TVEFURQAAsPMSgP/// wAAAAAAAAAAACBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2tleHRzAAAAAAAAAAAAX19QUkVMSU5LX1NUQVRFAACw8xKA//// AAAAAAAAAAAAIE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkAAACYAAAAX19QUkVMSU5LX0lORk8AAADAzBOA//// AFAIAAAAAAAAMCYBAAAAAPhPCAAAAAAAAwAAAAMAAAABAAAAAAAAAF9faW5mbwAAAAAAAAAAAABfX1BSRUxJTktfSU5GTwAAAMDME4D//// 4TwgAAAAAAAAwJgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAALDzEoD/// 94eQUAAAAAAAAgTQAAAAAAeHkFAAAAAAABAAAAAQAAAAAAAAAAAAAAAgAAABgAAADwnU8AnhAAANCnUACo8QEACwAAAFAAAAAAAAAAAAAAAAAAAACeEAAAn hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBNAPVHAAAbAAAAGAAAAPke8gf2KzpJlbujQoICCjclAAAAEAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWIANAoD///8AAAAAAAAAACYAAAAQAAAAqF9PAEg+AAA= </data><key>OSBundleCPUType</key><integer size="32" ID="3">0x100000c</integer><key>OSBundleCPUSubtype</key><integer size="32" ID="4">0x0</ integer><key>CFBundleIdentifier</key><string ID="5">__kernel__</string><key>CFBundleVersion</key><string ID="6">14.0.0</string><key>OSBundleUUID</key><data ID="7">+R7yB/YrOkmVu6NCggIKNw==</data><key>OSKernelResource</ key><true/><key>OSBundleIsInterface</key><false/><key>OSBundlePrelinked</key><false/><key>OSBundleStarted</key><true/ ><key>OSBundleLoadTag</key><integer size="32" ID="8">0x0</integer><key>OSBundleLoadAddress</key><integer size="64" ID="9">0xffffff8002002000</integer><key>OSBundleLoadSize</key>
  • 62. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  kext_request() vs. Mark Dowd • so in October 2012 Mark Dowd disclosed that Apple forgot to unslide addresses in mach-o section defintion • Apple released a fix in iOS 6.0.1 • so KASLR was easy to defeat in iOS 6.0 • at this point everyone was auditing this function 62 I was informed by Mark Dowd that disclosure of bug was actually done by Tarjei Mandt. So I am sorry for crediting it to the wrong person :)
  • 63. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  However … • however there were ADDITIONAL bugs • macro Apple used did only unslide main kernel and pre-loaded kernel extensions • but there are parts in the kernelcache that were in between and therefore not unslid • leaks KASLR slide once again => KASLR broken 63 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
  • 64. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Apple Releases a Fix • end of January 2015 Apple releases iOS 8.1.3 to fix this • fixed it the Apple way: they remove the OSBundleMachOHeaders altogether • but they lie about it in the release announcement (claim it was fixed/not removed) • took them only more than 2 years to realize this 2nd vulnerability • and only 7 months from it being publicly used in a jailbreak • people in training saw this within 10 min when checking out fix for Dowd’s 2012 bug 64 Tarjei Mandt's
  • 65. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing 65
  • 66. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • Of course all of these bugs also apply to OS X • so no surprise that Apple fixed kext_request() in OS X 10.10.2 • but for 10.10.2 they keep the OSBundleMachOHeaders and try to do it correctly 66
  • 67. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  one more thing • at this point it might not surprise the audience anymore • kext_request KASLR info leak is still not fully fixed in Mac OS X 10.10.2 • the slide still leaks through the contained OSBundleMachOHeaders • reason is that they use < instead of <= in the code • therefore __LAST::__last (the last kernel symbol) is not unslid 67 #define VM_KERNEL_UNSLIDE(_v) ((VM_KERNEL_IS_SLID(_v) || VM_KERNEL_IS_KEXT(_v)) ? (vm_offset_t)(_v) - vm_kernel_slide : (vm_offset_t)(_v)) #define VM_KERNEL_IS_SLID(_o) (((vm_offset_t)(_o) >= vm_kernel_base) && ((vm_offset_t)(_o) < vm_kernel_top)) #define VM_KERNEL_IS_KEXT(_o) (((vm_offset_t)(_o) >= vm_kext_base) && ((vm_offset_t)(_o) < vm_kext_top))
  • 68. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China 68
  • 69. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China • there has been a change in guard • recent Jailbreaks are no longer developed by “Westeners” • now Chinese teams seem to rule the scene • but why? 69
  • 70. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Western” Jailbreak developers • shared a lot of tools and techniques • now have to deal with exploit export control regulations • worked hard for nearly nothing (few donations) • while information security companies made millions of their work • on top of that had to deal with greedy JB community 70
  • 71. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Why? • “Chinese” Jailbreak developers • are paid by Chinese companies with app stores ( e.g. 1 Mio USD ) • use money to buy vulnerabilities / exploits ( from the west ) • use questionable methods like stolen enterprise certificates • use public & non public code ignoring software licenses / copyright 71 at the moment I have no permission to disclose identity of jailbreaker who wrote this if you can offer 100.000 USD for buying a vulnerability / exploit this means you must get a lot for the end product
  • 72. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - and Apple • so far “Chinese” Jailbreakers • had a lucky time because of Apple security’s total lack of QA • have mostly relied on techniques invented by westerners • could reuse the same vulnerabilities over and over 72
  • 73. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Jailbreak made in China - Community • so far “Chinese” Jailbreakers have • not released any code to advance the iOS research community • instead have heavily obfuscated their jailbreaks • intentionally removed patches to hinder work of other researchers • have destructive kernel patches that overwrite part of kernel binary • they are in it for the money and don’t want competition 73
  • 74. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion 74
  • 75. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Conclusion • looking at how Apple security fails over and over again shows they are not taking it seriously and have no QA on their security fixes AT ALL. • Basically Apple Security’s failed patches made the Chinese jb possible • IMHO the fact that media is celebrating Jailbreaks instead of taking them as what they are: exploits for vulnerabilities is partly the reason why Apple does not take fixing them seriously • media should stress the fact that every unfixed jailbreak makes it CHEAP for state sponsored attackers to spy on people • actually it has been shown that several iOS surveillance tools fully rely on release of public jailbreaks 75
  • 76. Stefan Esser • iOS 678 Security - A Study In Fail • March 2015 •  Questions ? 76