This document discusses a proof of concept iPhone rootkit developed by reverse engineering the JailbreakMe exploit and jailbreak tools. It describes patching the tools to remove security checks and pop-ups, and preparing a custom "wad.bin" filesystem containing backdoored system utilities and apps to enable remote access and control of an infected device without the user's knowledge. A demo is proposed using a Ruby Sinatra server to serve the exploit to a vanilla iOS device and install the rootkit via the existing JailbreakMe vulnerability. The rootkit aims to remain hidden using techniques like disguising process names and removing GUI indicators of running services.

1. iPhoneRootkit? There’s an App for That!Eric Monti – Sr. Security Researcheremonti@trustwave.com

2. OverviewUnderstanding JailbreaksSecurity hurdlesBackgroundApplying security attack patterns for “good”… to modify and leverage them for some “mayhem” Reverse Engineering iPhone jailbreaks and appsRepurposing and patching available tools“Malicious” PoCRootkits - also in the PoC sense ... please don’t root my phone “for reals”Not 0-day, the real “star” of the show isn’t even mineJailbreak community are the real rockstars!!!The bug is patched and fully disclosed since research beganBut… I did some tinkering and am still covering relatively new subject-matter and hopefully interesting attack patterns

3. My MotivationI am not a iPhone Jailbreak team member but I’m a fanJailbreakMe.com 2.0 Launched around BH/Defcon 2010Whole security community got intriguedI’ve been focused on product engineering last several months Really enjoy it (not knocking it!!!) but sometimes I miss embedded stuffAnd… defcon had me all “fired up” for reversing and vuln researchSpiderLabs pen-testers officially propose an exploit“It’d be cool to demo a nefarious jailbreak to clients”!!! \o/ !!! Sounds fun!Drop everything. Start reverse engineering jailbreakme.com

4. AgendaiPhone Security OverviewJailbreaking BackgroundReversing ReduxWeaponizationDemo

5. iPhone/iOS Security Overview

6. History

7. iOS Security From 10,000 MetersBootloader verifies…Signed firmware, verifies…Signed kernel, verifies…Signed Applications installed from the app storeApple signed everything!Actually a sound design on paper (barring implementation problems)

8. Architecture OverviewApplications ProcessorARM (6 or 7 depending on idevice/version)XNU Based Kernel (think OS X lite on ARM)Implements Kernel and Application Signing from bootloader down.Baseband ModemARMLargely separated from App. processorMostly interesting to carrier unlock, but not rootkit (yet?)Hardware Encryption Introduced in iPhone 3GSLow-level data encryption on NAND storage

9. OS EnvironmentTwo partitions make upfilesystemRoot partition at / (read-only from factory)Kernel, Base OS, Core APIsUser Partition at /private/var (read-write)All third party appsUser dataTwo users for pretty much everything“root” - system services, kernel“mobile” - apps and data running as you, the userBasic Unix security rules applySystem libraries and APIs approximate OS X / Darwin

10. Application Security Code signingAll apps must be signed by AppleSignatures stored in mach-o header sectionCheck implemented in kernel as an enhanced execv()SandboxApplications run as “mobile”Chroot sandbox ostensibly restricts apps to their own dataCan’t alter the OS or other appsReality:Apple’s .app authorization process plays the biggest role in iOS securityPrivate APIs are accessible but apps using them are usually rejectedAdvanced functionality is all there, just not “approved of”Exploit code running in signed apps or on jailbroken devices can still do lots of interesting things with and to the underlying system.

11. Jailbreaks

12. Jailbreak LandscapeRemote client-sides have been few and far betweenObviously more exciting for security researchObviously more potential for abusePar for exploits is in restore and FW updates over USBFertile territory for jailbreaks, JB nerds, and still very coolSecurity impact for ‘evil maid’ style bad-guy attacksVery impressive work is consistent from the JB communityIt takes a real !$$-hole to taint their awesome efforts…

13. But this is just how I do adoration and idolizationInternets have loads of tech details for learningPatience!Gotta wade through lots of fanboi noise to find the good stuffJB teams have cool info on wikis, but it’s not always up to dateGithub!!! Jailbreak-team stalker’s paradise!

14. Jailbreakme.com: A Thing to BeholdAuthor: Comex backed up by other jailbreak teamExploit and jailbreak package dubbed “star”

15. Every iDevice Apple makes, almost all modern versions affected

16. Handled like pros

17. Implementation, to presentation, to disclosure, to the timing of the release

18. Jailbreak released around BH / Defcon

19. iPhone 4G out for just a month or so.

20. Jailbreakers had been waiting patiently and were not disappointed

21. Released right after a crucial US legal decision on jailbreaking

22. Now officially legal in US

23. Prior status was fuzzy

24. Source for exploit released after Apple releases security fix (iOS 4.0.2)

25. See http://github.com/comex/starWhat?http://jailbreakme.comStar exploit executionFinished. Pretty safe and easy!

26. How?The “star” PDF Exploit – Code executionClassic stack overflowBoF in CoreGraphicsCFF(Compact Font Format) handling long stringsOverwrites $pc (EIP for ARM)Code still runs as “mobile” at this pointLeverages IOSurface (IOKit) bug for privilege escalation and sandbox escapeThe IOKit Vulnerability – Priv. escalation / escaping the sandboxKernel integer overflow in handling of IOSurface propertiesCalls setuid(0) inside Safari getting rootDominoes all fall down from thereThe Jailbreak Phase – Set up residence on the iDevicePatches out Kernel code signingInstalls a basic jailbreak filesystem along with Cydia (apt-get)“Polite” and clean - Even calls setuid(501) back to “mobile” once it’s finished.

27. Reversing the Binary “star” Exploit

28. Reversing the Exploit Binaries (pre-source)First few weeks, no source was released for JailbreakMe.comCurious and impatient. Not sure if Comex would releaseBegan reversing the binaries within a few days of the JB releaseStaring at opaque hex-dumps and peeling the onion one layer at a timeFun and soothing – Like catnip for my O.C.D.

29. All for Naught?Got a patch working. Was happy! Turned out to be a total waste of timeComex released the source about a week after I’d finished testing my PoCNo use crying over spilled code. Better to smarter and proceed by branching his github project and working source for the demo in this presentation. “star” turned out to be pretty awesome as a source package too and patching was much easier. Bonus: Been meaning to apply some objective-C reading I’d done months back.Maybe not a total waste?Got to dabble in iPhone reversing and ARM assemblyWas fun and I scratched an itch I’d needed to. Pure source patching was too easyProcess makes for a more interesting talk

30. Reversing StepsAnalyzed the PDFBarebones PDF. Viewer shows one “empty” pageCompare PDFs between iOS device/versionA single zlib deflated font section is the only differenceDeflate this chunk Strings and investigation show an un-stripped Mach-O DYLIB lives hereWrote a quick file splitter “extract_payload”Found 3 partsCFF Font eggMacho_1Macho_2

31. … continued: egg Malformed Times-Roman CFF Font...

32. … continued: Exploit ARM Code* extract from comex/star source

33. IOKit Integer Overflow XML Extract

34. installui.dylibEntrypointiui_go initializes the installer environment and calls the objective-C [Dude start] method

35. class-dump on installui.dylib (aka macho_1)

36. Wad.binWhat gets downloaded and installed for the jailbroken device?Wad.bin pseudo-code structureXZ’edtarball contents Stripped down Unix dir structure and CLI programs (bash et al) Cydia.app for downloading more packages

37. Weaponizing