iOS 11 Security Analysis

- 20 mins

Introduction

After I released my previous Analysis about iOS 7, the current iOS security fascinates me as always but I admit that its complexity is one of the things I hate (CoolStar, I admire your talent).

So this time, we will take a look on iOS 11 exploit released, Jailbreaks and the potentials fixes proposed for it being more relevant this time '^'

PS: Sorry for the time, I did my best to give you a right and complete analysis and if you don't see correctly code screens :/



iOS 11.0 - 11.1.2

async_wake

The 11 Dec 2017, Ian Beer released async_wake_ios, a tfp0task_for_pid() exploit "providing a SEND right to the kernel_task in user space, thereby paving the way to complete control over kernel memory, and a complete jailbreak." (J.Levin)

Recently, Ian tweeted something new about async_wake saying:
"Here's an updated version of async_wake with a more usable KDP-based kernel debugger: here"
A future analysis about kdp & why it should works in 11.3.1 will come later
(The debugger should works if code & headers are correctly implemented).

Oh and the name is based on two things: async function & wake_port (utility: 0 but it was funny to specify it xD).


Bugs

Two bugs are exploited:

- IOSurface Memory Corruption (CVE-2017-13865),
- Kernel memory disclosure in proc_info (UaF, CVE-2017-13861).


- "The information leak is a result of a bug in proc_pidlistuptrs that is the result of improper bounds checking that enables the reading of 7 extra bytes, which are copied directly from kernel mode to user mode, enabling the bypass of KASLR via enumeration of a large number of address.

- Next, the UaF bug results from UISyrfaceRootUserClient improperly handling references once an error has occurred in its sub- functions, which can be triggered if a previous call to it, allowing a dangling pointer to freed memory in the kernel.
This, coupled with some innovative heap feng shui allows for the creation of an arbitrary kernel read and write, which Ian wrangles into a pointer to the kernel task process, tfp0.

- In order to properly exploit the UaF a bunch of kalloc allocations are made pointing to the target port, then a number of mach ports are allocated to ensure the current page only contains mach ports owned by our PID.
Then the IOSurface dangling pointer bug is triggered by slowly reallocating memory until the garbage collector collects the page that the IOSurface pointer references.

- The reallocations contain crafted ipc_kmsg messages with a fake IKOT_TASK task port which points to a process block structure (bsd_info) that contains a fake task structure.
This can then be leveraged into an arbitrary read primitive Once the read primitive has been used to find the kernel’s vm_map and ipc_space then the task port is overwritten via reallocating the previous kalloc.4096"
(Bryce Bearchell).


Electra

Electra the first complete Jailbreak toolkit for iOS 11.0 to 11.1.2 using Ian Beer's async_wake exploit.

Once Electrawill run, it will install Cydia, an SSH server and inject code into applications and processes using Substitute.

The firsts betas versions was released with freezes, bugs etc... And the Tweak Installation was over SSH (in others words manually).
Electra RC code is similar to electra1131 except the exploit and the R/W method change.

In our case, we will look the remount RootFS as R/W part, the exploit Analysis is above (see electra1131 below).


RootFS

The remount as Read/Write is similar (but not really) to the 11.2.x method below, it is honestly very short and basic to understand how this thing works.
Here is the code used in fun.c by coolstar and xerub:


- This remount will allow to mount the disk disk0s1s1 at /dev/disk0s1s1,
and Electra will initialize fd and tell "open /.bit_of_fun file"
then if fd is equal to -1 then it will create a the /.bit_of_fun file and applying a chmod 0644.
Else it will return the follwing alert: "File already exists!" and close fd.



iOS 11.2 - 11.3.1

empty_list

empty_list is an arm64 tfp0task_for_pid(0) exploit exploiting a simple bug that lacks a simple check (getvolattrlist function used to takes a user controlled bufferSize argument via the fgetattrlist syscall).
I mean if the size of the memory allocated buffer is less than the minimum size required, the program will pass the various checks and continue its path and trigger a heap overflow...

Also called VFS (Virtual File-System), here is the PoC:


aldebaran have made a writeup, look his post to know more about it.


multi_path

multi_path (or MPTCP) is an arm64 tfp0task_for_pid(0) exploit exploiting a heap overflow due to the bad checking of limits in the MPTCP protocol, allowing the same TCP connection to be used across multiple network interfaces.

If this exploit was released for developers (≈  developer account requiered), the success rate is much higher than empty_list (~80 - 90%) and works from iOS 11.0 → 11.3.1 (used in eletra1131, it will stay in the 11.3.1 section).

Been here from iOS 7 (used by Siri (cellular data + WiFi) but the protocol is public (developers only) from iOS 11) and was implemented in XNU from xnu-2422.1.72.

KeenLab have already made a writeup about it, anyways here is the vuln:


"The code does not validate the sa_len field if srcsa_family is neither AF_INET nor AF_INET6 so the function directly falls through to memcpy with a user specified sa_len value up to 255 bytes" (bsd/netinet/mptcp_usrreq.c).

Unfortunaly, Apple will patch multi_path with the release of iOS 11.4... anyways again here the patch:



Electra1131

This 2nd version of Electra is a KPPless Jailbreak (KPPless means it will do things before KPP is aware and then immediately unpatch the kernel) & was initially a jailbreak from iOS 11.0 to 11.1.2 versions using Ian Beer's async_wake exploit.

Once Electrawill run, it will install Cydia, an SSH server and inject code into applications and processes using Substitute.

But in this versions, Electra will supports iOS 11.2 → 11.3.1 & iOS 11.4 Beta versions using two exploits: multi_path and empty_list.

@oakle took some notes about inject_criticald, you can find it here.


setuid(0); | UID: 0

So, the uid0 is used to prevent the setuid(0) function from crashing and according to this following code used in electra.c by using kexecute
(ROP function used to execute from the kernel).

set yumi's face

Then, pid0 is configured by using setuid() and the daemon jailbreakd.dylib is used to patch setuid(0).


RootFS

Min Spark and Xiaolong Bai have published a first writeup about it, but without persistence (It means components must be reinstalled after a reboot).
Secondo, Electra was then released with a functional and persisted 0day APFS (Apple File-System) bypass.
If we look into Electra, we can notice 2 functions in rootfs_remount.c

remountRootAsRW_old() → iOS 11.2.X
remountRootAsRW() → iOS 11.3.X

Let's start with iOS 11.2.X remount:



Now, let's take a look on the 11.3.X part:

- All you need to know is write aside the //


CyInstallation

The installation of Cydia didn't change since saurik released it: APT, dpkg, MobileSubstrate (replaced by Substitute) [...] are required by Cydia to work, that's why a bootstrap.tar is used to install theses components at / proposed by saurik.

Here is the process of the installation used in electra:

Insert Yumi's waifuInsert Yumi's waifu

The most part of the installation is explained aside the //.

The only thing I didn't explained is the .cydia_no_stash (created at / used to prevent Cydia from moving the directories in the system partition to the mobile partition) because it's not useful anymore since that partitions are in the same storage.


Jailbreaks Detection

"Electra also has a third-party jailbreak detection system to remove potential jailbreaks that modify the system files" (matteyeux).
For that, a function called removePotentialJailbreak() removes files and directories created by others tools that are not Electra.

Here is the Remover code used in electra:

Insert Yumi's waifu

An other function called unLiberiOS is also including to remove LiberiOS.
Here is the unliberiOS code used in electra:

Insert Yumi's waifuInsert Yumi's waifu

The most part of the remove is explained aside the // again.

The only thing I didn't explained is the .cydia_no_stash (created at / used to prevent Cydia from moving the directories in the system partition to the mobile partition) because it's not useful anymore since that partitions are in the same storage.



Conclusion

Let's make a short review of everything wrote here:

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora