iOS 7 Security Analysis - 30 mins
Recently, I took a look at the old sources and a project (OpenWeb) held my attention, but sadly it did not work as I wanted (incorrect PHP / code, wrong files, no boot tether, etc.).
From there I started my research into iOS 7, to go through its security and understand how it works by creating and using my own tool.
The Pangu part was hard to research / explain because "They didn't release any code to advance the iOS research community and removed patches to hinder work of others researchers etc..." (Esser, 2015)
-> Conclusion: they deliberately hid their patches and code, so understand that it was difficult to find out how Pangu7 works :/
Usually, a jailbreak works through the steps written below, and this holds for all iOS versions:
- Bypass code signing
- Exploit vulns in dyld during code load
- Exploit an unsandboxed process
- Exploit design flaw in sandbox implementation
- Override sandbox functions in "libsandbox.dylib"
- Patching Kernel (obligatory)
- Exploiting vulns in a root daemon
- Disable code signing
- Disable kernel enforced sandbox
- Enable kernel debugging -> tfp0 (aka. task_for_pid_0)
- Overwrite root partition
- Remount with R/W permission (=< iOS 7) / afcd (iOS 7.0.x)
- Do not change critical parts that are involved in the boot sequence
- A chained integrity check could block the boot process (bootloop).
This is a security analysis, so let's see which weaknesses have been used to jailbreak iOS 7!
- evasi0n7 internal process
Geohot made a writeup about it, but let's make a short review of all the weaknesses :P
Create the ".evasi0n7_installed" file in "/var/mobile/Media" using AFC.
Build / install an arbitrary app with a modified .plist that uses "../../../../../../" in the CFBundleExecutable entry.
- installd will install the app outside of its container.
As afcd can reach "/var/mobile/Media/Downloads/", we replace the contents with "#!/usr/libexec/afcd -S -d / -p 8888".
- afcd is executed by opening the evasi0n app.*
uploading jailbreak data...
As afcd is now enabled, access to /tmp is enabled too: afcd creates a symlink at "/var/mobile/Media/Downloads/a/a/a/a/a/a" pointing to "../../../../../../tmp".
- The symlink points to an upper directory -> afcd can access /tmp again.
installd then installs a .zip file and creates "/tmp/install_staging.XXXXXX/foo_extracted", where the .zip will be extracted.
symlink("../../../var/mobile/Library/Caches/", "tmp/install_staging.XXXXXX/foo_extracted.new")
move("tmp/install_staging.XXXXXX/foo_extracted", "tmp/install_staging.XXXXXX/foo_extracted.old")
move("tmp/install_staging.XXXXXX/foo_extracted.new", "tmp/install_staging.XXXXXX/foo_extracted")
installd_extract("/var/mobile/Media/pkg.zip", "tmp/install_staging.XXXXXX/foo_extracted")
- afcd symlink at "foo_extracted"
Since we injected gameover.dylib -> afcd normally initialises the sandbox from inside the binary, but by overriding the dylib the sandbox is never initialised and afcd is free to write anywhere.
- The size of the section is 0x00000000000000000 (NULL), so dyld ignores it and does not validate the signature.
The evasi0n7 app only serves to start the afcd process (and so load gameover.dylib); this kills the AFC sandbox, but afcd still runs as mobile -> afcd runs as mobile, outside of the sandbox ;)
~ The app will execute "#!/usr/libexec/afcd -S -d / -p 8888 & gameover.dylib"
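A loader-side check a defender would want against the zero-size trick above, as an added example (not evasi0n7's or dyld's code): parse the Mach-O load commands and refuse an image whose LC_CODE_SIGNATURE is absent, empty or points past the end of the file. It assumes a thin little-endian image and that the zero-sized section in question is the code-signature data; build_image constructs the sample headers used to exercise it.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian 32/64-bit images
LC_CODE_SIGNATURE = 0x1D                          # linkedit_data_command: dataoff, datasize


def code_signature_status(blob):
    """Classify the LC_CODE_SIGNATURE of a thin Mach-O image.
    Returns 'absent', 'empty' (datasize == 0, the zero-size shape the writeup
    says dyld skipped), 'truncated' (blob points past EOF) or 'present'."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC:
        hdr_len = 28          # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        hdr_len = 32          # mach_header_64 carries an extra 'reserved' field
    else:
        raise ValueError("not a little-endian thin Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    off, end = hdr_len, hdr_len + sizeofcmds
    if end > len(blob):
        raise ValueError("load command table runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", blob, off + 8)
            if datasize == 0:
                return "empty"
            if dataoff + datasize > len(blob):
                return "truncated"
            return "present"
        off += cmdsize
    return "absent"


def build_image(sig=None, trailing=0):
    """Constructed minimal 32-bit ARM executable header (not a real binary):
    optional LC_CODE_SIGNATURE as (dataoff, datasize), plus 'trailing' payload bytes."""
    CPU_TYPE_ARM, MH_EXECUTE = 12, 2
    cmds = b""
    if sig is not None:
        cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, *sig)
    hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE,
                      0 if sig is None else 1, len(cmds), 0)
    return hdr + cmds + b"\x00" * trailing
```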
Now that AFC is running outside the sandbox and "/dev/rdisk0s1s1" is mobile:mobile, we can create a symlink anywhere: we ask afcd to create one at "/var/mobile/Library/Logs/AppleSupport" pointing to "../../../../../../../../dev/rdisk0s1s1".
- CrashHouseKeeping acts on /dev/rdisk0s1s1 through that symlink, so it is now R/W for the mobile user.
As the kernel no longer allows the rootfs to be remounted R/W, the "-S" option of afcd is very useful -> using the AFC protocol, a computer can overwrite the root partition.
- This allows access to /dev/rdisk0s1s1, walking through sub-directories & writing files.
A kernel exploit is required to finish the jailbreak; here are the files written:
"/evasi0n7" -> Main binary file which does the kernel exploit.
"/evasi0n7-installed" -> Check & blank file.
"/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" -> Touched to make launchd load this.
"/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" -> Home of the LaunchDaemons, codesign bypass.
"/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" -> Convinces the system to look on the filesystem before the dyld_cache.
"/usr/lib/libmis.dylib" -> Overrides the symbols in amfid to make the signature check return 0, with the above codesign trick.
evasi0n7 was patched by Apple in iOS 7.1, fixing the kernel (CVE-2014-1278), backup (CVE-2013-5133), dyld (CVE-2014-1273) & CrashReporting (CVE-2014-1272) issues.
- Pangu7 internal process (?)
This untethered jailbreak was made for iOS 7.1 - 7.1.2 and is based on some evasi0n7 vulns (hence their sentence "we learned the skills of evasi0n7"), but I will be much less clear than for evasi0n because some parts are hidden, it was built, rebuilt and re-rebuilt, and with only the disassembler to go on I can't explain a lot... let's try to analyse it anyway:
Pangu uses a revoked enterprise certificate.
Setting the date to before it was revoked fixes it.
As an exploit, Pangu uses early_random, a kernel bug used to recover arbitrary PRNG outputs on devices running iOS 7; it allows one to trivially brute-force the relevant portion of the PRNG's internal state by observing a very small set of outputs (which can be obtained by inferring bits of obfuscated kernel pointer values).
- Pseudo-Random Number Generator (PRNG)*
Let's continue with cool exploits, because Pangu uses "mach_port_kobject" to recover the permutation value and kernel addresses / to defeat the kernel address obfuscation mitigation.
- "Leaked addresses are very useful for exploitation" (Esser, 2015) (lol)
Pangu7 exploits the "syslogd chown" bug by finding everything that invokes chmod / chown in /usr/libexec/ and listing all daemons running as root (maybe?)
// syslogd chown bug used in evasi0n7
grep -E 'chmod|chown' -r ./ -> find everything that invokes chmod / chown in /usr/libexec/
ps -aux -> list all daemons running as root
chown("/var/mobile/Library/Logs/CrashReporter", 501, 501) -> UID 501 : mobile
chmod("/var/mobile/Library/Logs/CrashReporter", 755) -> rwxr-xr-x mobile mobile /dev/rdisk0s1s1
The app binary uses "install_staging", but apparently it plants files inside "/private/var/tmp/%@/foo_extracted" (a symlink vulnerability, but not like evasi0n's; I did not find more about this).
A .dylib (pangu.dylib) is injected from the enterprise app into a system process, timed, via the DYLD_INSERT_LIBRARIES environment variable, but as with an app, dynamic libraries need to be signed.
- This .dylib runs in the context of timed & is signed by the revoked certificate, but I assume it overrides the same sandbox functions in place of gameover.dylib.
Once the Pangu app is clicked, "com.apple.mobile.diagnostics_relay" updates "com.apple.mobile_installation.plist", which is overridden by pangu.dylib, & a very large file (called "bigfile") is installed in "/tmp/" -> caches are checked and the device should reboot.
- A big file to improve the reliability of a race condition*
As with evasi0n7, some files are written to complete the jailbreak -> here is the list:
"/var/mobile/Media/Pangu-Install" -> Directory created to install Cydia.tar - pangu.tar - pangu_ex.tar - packagelist.tar & helper.tar.
"/panguaxe.installed" -> Untether file.
"/System/Library/LaunchDaemons/io.pangu.axe.untether.plist" -> Touched to use the untether correctly.
"/usr/lib/libmis.dylib" -> AMFID codesign trick (jtool -l -v -arch arm libmis.dylib -> maybe?)
"cs_enforcement_disable=1" -> kernel boot argument added after rebooting
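Because both untethers leave the files listed above on disk and depend on symlinks that leave afcd's jail or point at the raw root disk, an offline scan of a filesystem image can flag all three kinds of trace. This is an added example, not part of the writeup or of either jailbreak's code; build_sample_image constructs a sample tree, and the AFC-jail escape link in it is a constructed one rather than the evasi0n7 path.

```python
import os, tempfile

# Files dropped by the evasi0n7 and Pangu7 untethers, as listed in this writeup.
UNTETHER_FILES = {
    "/evasi0n7", "/evasi0n7-installed",
    "/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist",
    "/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib",
    "/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache",
    "/usr/lib/libmis.dylib",
    "/panguaxe.installed",
    "/System/Library/LaunchDaemons/io.pangu.axe.untether.plist",
    "/var/mobile/Media/Pangu-Install",
}
RAW_ROOT_DISK = "/dev/rdisk0s1s1"     # both jailbreaks symlink at this device node
AFC_JAIL = "/var/mobile/Media"        # the directory afcd is supposed to be confined to


def scan(image_root):
    """Walk a filesystem image (never following symlinks); return sorted (kind, path) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(image_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, image_root).replace(os.sep, "/")
            if rel in UNTETHER_FILES:
                hits.append(("untether_file", rel))
            if os.path.islink(full):
                # Resolve the target against the link's own directory, inside the image,
                # so "../../../../dev/rdisk0s1s1" is judged the way the kernel resolves it.
                target = os.path.normpath(os.path.join(os.path.dirname(rel), os.readlink(full)))
                if target == RAW_ROOT_DISK:
                    hits.append(("rootdisk_symlink", rel))
                elif rel.startswith(AFC_JAIL + "/") and not target.startswith(AFC_JAIL + "/"):
                    hits.append(("afc_escape_symlink", rel))
    return sorted(hits)


def build_sample_image():
    """Constructed sample tree (not a real device): one untether marker, the rdisk
    symlink from the evasi0n7 steps above, one constructed AFC-jail escape, one benign file."""
    root = tempfile.mkdtemp(prefix="ios7img_")
    for d in ("var/mobile/Library/Logs", "var/mobile/Media/Downloads", "var/mobile/Media/DCIM"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "panguaxe.installed"), "w").close()
    open(os.path.join(root, "var/mobile/Media/DCIM/IMG_0001.JPG"), "w").close()
    os.symlink("../../../../../../../../dev/rdisk0s1s1",
               os.path.join(root, "var/mobile/Library/Logs/AppleSupport"))
    os.symlink("../../../../tmp", os.path.join(root, "var/mobile/Media/Downloads/escape"))
    return root
```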
IOSharedDataQueue doesn't override the ::enqueue method, but adds a ::dequeue method to allow the kernel to dequeue objects which userspace has enqueued.
"Pangu noticed that IOSharedDataQueue also had a much more curious change in its overridden version of ::initWithCapacity:" (Ian Beer).
Ian made a writeup about that, check it out.
Mach-O OSBundleHeaders info leak used in Pangu v1.0.0, but not found in reversing or on the internet :/
AppleKeyStore::initUserClient info leak used in updated versions of Pangu, but not found in reversing or on the internet :/
Pangu7 uses some evasi0n7 techniques / exploits but with a different process, hidden and rebuilt many times so as not to help other researchers...
This tool was patched by Apple in iOS 8, fixing the kernel (CVE-2014-4461), app installation (CVE-2014-4386), sandbox (CVE-2014-4457), IOKit (CVE-2014-4407; CVE-2014-4388) & dyld (CVE-2014-4455) issues.
Nemesis - GeekSn0w
- Nemesis's home
We just learned how the previous jailbreaks were made, so let's see how we can create our own tool:
Instead of using the previous exploits, I'll use a different method and write it in bash: