iOS 7 Security Analysis

- 30 mins

Introduction

Recently, I took a look at the old source code of a project that held my attention (OpenWeb), but sadly it did not work as I wanted (incorrect PHP / code, wrong files, no tethered boot, etc.).

From there I started my own research on iOS 7, to go through its security and understand how it works by creating and using my own tool.

The Pangu part was hard to research / explain because "They didn't release any code to advance the iOS research community and removed patches to hinder work of others researchers etc..." (Esser, 2015)
-> conclusion: they deliberately hid patches and code, so understand that it was difficult to find out how Pangu7 works :/


Jailbreak

Usually a jailbreak follows the steps below, on every iOS version:

  1. Bypass code signing
    • Exploit vulns in dyld during code load
  2. Escape the sandbox
    • Exploit an unsandboxed process
    • Exploit a design flaw in the sandbox implementation
    • Override sandbox functions in "libsandbox.dylib"
    • Patch the kernel (obligatory)
  3. Root privilege escalation
    • Exploit vulns in a daemon running as root
  4. Patch the kernel
    • Disable code signing
    • Disable the kernel-enforced sandbox
    • Enable kernel debugging -> tfp0 (aka task_for_pid(0))
  5. Apply permanent changes
    • Overwrite the root partition
      • Remount it R/W (up to iOS 7) / via afcd (iOS 7.0.x)
    • Do not change critical parts involved in the boot sequence
      • A failed chain-of-trust integrity check can block the boot process (bootloop).

This is a security analysis, so let's see which weaknesses have been used to jailbreak iOS 7!


evasi0n7

oof.. does it really matter?

- evasi0n7 internal process

Geohot wrote a writeup about it, but let's do a short review of all the weaknesses :P

  create the ".evasi0n7_installed" marker file in "/var/mobile/Media" using AFC

Vuln. N‘1

Build / install a random app whose modified Info.plist uses "../../../../../../" in its CFBundleExecutable path.

- installd will install the app outside of its container.
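The check installd was missing here, as an added C example (not Apple's or evasi0n7's code): a purely lexical resolver that rejects a CFBundleExecutable value climbing out of the application container. The container path with an all-zero UUID and the helper names are assumptions made for the demo.

```c
/* Added example, not installd's or evasi0n7's code: a lexical check that a
 * CFBundleExecutable value cannot escape the application container. */
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 64

/* Resolve "rel" against "container" purely lexically (no filesystem
 * access), collapsing "." and "..". Returns 1 and writes the resolved path
 * to out when it stays inside the container; returns 0 when rel is absolute
 * or climbs above the container root. */
static int exec_path_stays_inside(const char *container, const char *rel,
                                  char *out, size_t outlen)
{
    if (rel[0] == '/')
        return 0;                       /* absolute executable path: reject */

    char buf[512];
    snprintf(buf, sizeof buf, "%s", rel);
    const char *parts[MAX_PARTS];
    int n = 0;

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n == 0)
                return 0;               /* "../" past the container root */
            n--;
            continue;
        }
        if (n == MAX_PARTS)
            return 0;
        parts[n++] = tok;
    }

    int len = snprintf(out, outlen, "%s", container);
    for (int i = 0; i < n && len >= 0 && (size_t)len < outlen; i++)
        len += snprintf(out + len, outlen - len, "/%s", parts[i]);
    return len >= 0 && (size_t)len < outlen;
}

/* Convenience wrapper with an assumed container path, as installd would see
 * it for one app UUID (the UUID here is a placeholder). */
#define CONTAINER "/var/mobile/Applications/00000000-0000-0000-0000-000000000000"

static int plist_exec_is_safe(const char *cf_bundle_executable)
{
    char resolved[1024];
    return exec_path_stays_inside(CONTAINER, cf_bundle_executable,
                                  resolved, sizeof resolved);
}

int main(void)
{
    const char *samples[] = {             /* constructed inputs */
        "MyApp.app/MyApp",
        "MyApp.app/../MyApp.app/MyApp",
        "../../../../../../tmp/evil",     /* the evasi0n7 trick */
        "/usr/libexec/afcd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               plist_exec_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

A lexical check alone is not enough once symlinks are in play (the later evasi0n7 steps show why): an installer would also have to resolve the final path (realpath() or fd-relative opens with O_NOFOLLOW) and compare it against the container again.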

Vuln. N‘2

As afcd can reach "/var/mobile/Media/Downloads/", we change the app's executable to a script whose content is "#!/usr/libexec/afcd -S -d / -p 8888".

- afcd is executed by opening evasi0n's app.*

                                    uploading jailbreak data...

Vuln. N‘3

Now that afcd is running, access to /tmp becomes possible too: afcd creates a symlink pointing to "../../../../../../tmp" inside the directory "/var/mobile/Media/Downloads/a/a/a/a/a/a".

- The symlink climbs back up through the parent directories -> afcd can reach /tmp.


Vuln. N‘4

installd then installs a .zip file: it creates "/tmp/install_staging.XXXXXX/foo_extracted", into which the .zip is extracted. In pseudocode, the race looks like this:

symlink("../../../var/mobile/Library/Caches/", "tmp/install_staging.XXXXXX/foo_extracted.new")
move("tmp/install_staging.XXXXXX/foo_extracted", "tmp/install_staging.XXXXXX/foo_extracted.old")
move("tmp/install_staging.XXXXXX/foo_extracted.new", "tmp/install_staging.XXXXXX/foo_extracted")
installd_extract("/var/mobile/Media/pkg.zip", "tmp/install_staging.XXXXXX/foo_extracted")

- afcd plants the symlink at "foo_extracted", so installd extracts the package into /var/mobile/Library/Caches/ instead.
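The race above, replayed as an added C example (not installd's or evasi0n7's code) in a scratch directory under /tmp: a path-based extraction that follows the planted symlink, next to an fd-based one that does not. Directory and file names are constructed for the demo; it runs on any POSIX system and removes what it creates.

```c
/* Added example, not installd's or evasi0n7's code: the install_staging
 * symlink race, vulnerable and hardened extraction side by side. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static void join(char *buf, size_t n, const char *dir, const char *name)
{
    snprintf(buf, n, "%s/%s", dir, name);
}

/* The attacker's move in the race window (the page's symlink/move/move,
 * collapsed): push the real staging dir aside, put a symlink in its place. */
static int attacker_swap(const char *staging, const char *target)
{
    char old[512];
    snprintf(old, sizeof old, "%s.old", staging);
    if (rename(staging, old) != 0)
        return -1;
    return symlink(target, staging);
}

/* Vulnerable pattern: resolve the staging path by name again at write time,
 * so the planted symlink is followed and the file lands in target. */
static int extract_by_path(const char *staging, const char *name, const char *data)
{
    char p[1024];
    join(p, sizeof p, staging, name);
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Hardened pattern: open the directory once, right after creating it,
 * refusing a symlink, then write relative to that fd. Renaming the directory
 * later does not change what the fd refers to; O_NOFOLLOW | O_EXCL defeat a
 * symlink planted inside it. */
static int open_staging_dir(const char *staging)
{
    return open(staging, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
}

static int extract_by_fd(int dirfd, const char *name, const char *data)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

static int exists(const char *p) { return access(p, F_OK) == 0; }

static void cleanup(const char *root)   /* names match demo_staging_race() */
{
    const char *files[] = { "target/payload_a", "staging_safe.old/payload_b",
                            "staging_vuln", "staging_safe" };   /* last two: symlinks */
    const char *dirs[]  = { "target", "staging_vuln.old", "staging_safe.old" };
    char p[1024];
    for (size_t i = 0; i < 4; i++) { join(p, sizeof p, root, files[i]); unlink(p); }
    for (size_t i = 0; i < 3; i++) { join(p, sizeof p, root, dirs[i]);  rmdir(p); }
    rmdir(root);
}

/* Replays both flows in a fresh mkdtemp() sandbox. Returns 1 when the
 * path-based write escaped into target and the fd-based write stayed in the
 * real staging directory, 0 otherwise. */
static int demo_staging_race(void)
{
    char root[] = "/tmp/staging_race.XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(root))
        return 0;
    char target[512], stg[512], probe[1024];
    join(target, sizeof target, root, "target");   /* stands in for Library/Caches */
    mkdir(target, 0755);

    /* 1. vulnerable installd: mkdir, race window, extract by path */
    join(stg, sizeof stg, root, "staging_vuln");
    mkdir(stg, 0755);
    attacker_swap(stg, target);
    extract_by_path(stg, "payload_a", "owned");
    join(probe, sizeof probe, target, "payload_a");
    int escaped = exists(probe);

    /* 2. hardened installd: mkdir, take the fd, race window, extract by fd */
    join(stg, sizeof stg, root, "staging_safe");
    mkdir(stg, 0755);
    int dfd = open_staging_dir(stg);
    attacker_swap(stg, target);
    int wrote = extract_by_fd(dfd, "payload_b", "safe") == 0;
    close(dfd);
    join(probe, sizeof probe, target, "payload_b");
    int leaked = exists(probe);
    snprintf(probe, sizeof probe, "%s.old/payload_b", stg);
    int contained = exists(probe);

    cleanup(root);
    return escaped && wrote && !leaked && contained;
}
```

The fd-based variant is the general fix for this class of bug: decide on a directory once, keep the descriptor, and never let a later step re-walk a path that an unprivileged user controls.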


Vuln. N‘5

gameover.dylib is injected: afcd initialises its sandbox from inside the binary, but with the dylib overriding that code the sandbox is never initialised and afcd is free to write anywhere.

- The section's size field is 0x0 (NULL), so dyld ignores it and does not validate the signature.


Vuln. N‘6

The evasi0n7 app only exists to start afcd (and so to load gameover.dylib); this kills the AFC sandbox, but afcd keeps running as mobile -> afcd runs as mobile, outside the sandbox ;)

~ The app executes "#!/usr/libexec/afcd -S -d / -p 8888 & gameover.dylib"


Vuln. N‘7

Now that AFC runs outside the sandbox, we can create a symlink anywhere: we ask afcd to create one pointing to "../../../../../../../../dev/rdisk0s1s1" at "/var/mobile/Library/Logs/AppleSupport".

- CrashHouseKeeping follows that symlink when it fixes permissions, so /dev/rdisk0s1s1 ends up mobile:mobile, R/W by the mobile user.


Vuln. N‘8

As the kernel no longer allows the root filesystem to be remounted R/W, the "-S" option of afcd becomes very useful -> through the AFC protocol, the computer can overwrite the root partition directly.

- It lets the computer reach /dev/rdisk0s1s1, walk through its sub-directories and write files.


Vuln. N‘9

A kernel exploit is obligatory to finish the jailbreak; here are the files written:

"/evasi0n7" -> Main binary, which runs the kernel exploit.
"/evasi0n7-installed" -> Blank marker file used for the "already installed" check.
"/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" -> Touched so that launchd loads the untether.
"/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" -> Home of the LaunchDaemons, codesign bypass.
"/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" -> Convinces the system to look on the filesystem before the dyld shared cache.
"/usr/lib/libmis.dylib" -> Overrides the symbols in amfid so that the signature check returns 0, together with the codesign trick above.

Conclusion

evasi0n7 was patched by Apple in iOS 7.1, fixing the kernel (CVE-2014-1278), Backup (CVE-2013-5133), dyld (CVE-2014-1273) and Crash Reporting (CVE-2014-1272) issues.



Pangu7


- Pangu7 internal process (?)

This untethered jailbreak targets iOS 7.1 - 7.1.2 and builds on some evasi0n7 vulns (hence their sentence "we learned the skills of evasi0n7"), but I will be much less clear than for evasi0n because some parts are hidden, the tool was built, rebuilt and re-rebuilt, and based only on the disassembler I can't explain a lot... let's try to analyse it anyway:

                          Pangu uses a revoked enterprise certificate;
                          setting the date back to before it was revoked fixes it

Vuln. N‘1

As the basis of its kernel exploit, Pangu uses the weak early_random() PRNG of the iOS 7 kernel: its outputs can be recovered, and the relevant portion of its internal state can be trivially brute-forced by observing a very small set of outputs (which can be obtained by inferring bits of obfuscated kernel pointer values).

// early_random() in iOS 7 (the page's listing, tidied so it compiles in a kernel build;
// State and early_random_init are kernel globals, get_entropy_data()/ovbcopy() kernel internals)
static int early_random_init;
static uint64_t State;

uint64_t
early_random(void)
{
    uint32_t i;
    uint64_t StateArray[4];

    if (!early_random_init) {
        early_random_init = 1;
        get_entropy_data();
        ovbcopy(&entropy_data, &State, sizeof(uint64_t));   // seed: first 8 bytes of boot entropy
    }
    // Four steps of a plain LCG: State = State * 1103515245 + 12345 (mod 2^64)
    for (i = 0; i < 4; i++) {
        State = StateArray[i] = (State * 1103515245) + 12345;
    }
    // Output packs bits 3..18 of each of the four intermediate states
    return (StateArray[3] >> 3 & 0xffff) |
           (((StateArray[2] >> 3) << 16) & 0xffff0000) |
           (((StateArray[1] >> 3) << 32) & 0xffff00000000) |
           (((StateArray[0] >> 3) << 48) & 0xffff000000000000);
}

- Pseudo-random number generator (PRNG)*
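Why this generator is breakable, as an added C example (not the page's, Pangu's or Apple's code): the output only exposes bits 3..18 of four consecutive states, and the low 19 bits of an LCG modulo 2^64 never depend on the higher bits, so the whole output stream is determined by 19 secret bits. The example assumes one complete output value was observed (in practice the bits are inferred from obfuscated pointers, as described above) and uses a constructed seed.

```c
/* Added example, not the page's, Pangu's or Apple's code: recovering the
 * effective state of the iOS 7 early_random() LCG from a single output. */
#include <stdint.h>
#include <stdio.h>

#define LCG_A 1103515245ULL
#define LCG_C 12345ULL
#define LOW19 ((1ULL << 19) - 1)

/* Same construction as iOS 7's early_random(), with the state passed in
 * instead of living in a kernel global. */
static uint64_t lcg_early_random(uint64_t *state)
{
    uint64_t s[4];
    for (int i = 0; i < 4; i++)
        *state = s[i] = (*state * LCG_A) + LCG_C;
    return ((s[3] >> 3) & 0xffffULL)
         | (((s[2] >> 3) << 16) & 0xffff0000ULL)
         | (((s[1] >> 3) << 32) & 0xffff00000000ULL)
         | (((s[0] >> 3) << 48) & 0xffff000000000000ULL);
}

/* Brute-force the low 19 bits of the state that preceded one observed
 * output: only those bits influence bits 3..18 of every later state.
 * Stores the first match in *recovered and returns how many candidates
 * matched (1 means the state is uniquely determined). */
static unsigned recover_low19(uint64_t observed, uint64_t *recovered)
{
    unsigned matches = 0;
    for (uint64_t cand = 0; cand <= LOW19; cand++) {
        uint64_t st = cand;
        if (lcg_early_random(&st) == observed) {
            if (matches++ == 0)
                *recovered = cand;
        }
    }
    return matches;
}

/* Returns 1 if, from a single observed output of a generator seeded with
 * secret, the low-19-bit state is recovered uniquely and the following
 * output is predicted exactly. */
static int demo_predict_next(uint64_t secret)
{
    uint64_t real = secret;
    uint64_t out1 = lcg_early_random(&real);   /* what the attacker observes */
    uint64_t out2 = lcg_early_random(&real);   /* what the kernel uses next */

    uint64_t rec = 0;
    if (recover_low19(out1, &rec) != 1 || rec != (secret & LOW19))
        return 0;
    uint64_t st = rec;                         /* high 45 bits unknown, and irrelevant */
    if (lcg_early_random(&st) != out1)
        return 0;
    return lcg_early_random(&st) == out2;
}

int main(void)
{
    uint64_t secret = 0x9e3779b97f4a7c15ULL;   /* constructed seed */
    printf("state recovered and next output predicted: %s\n",
           demo_predict_next(secret) ? "yes" : "no");
    return 0;
}
```

recover_low19() returns the number of matching candidates; for this construction it is always exactly 1, because the multiplier reduced modulo 2^19 (413293) moves any difference confined to bits 0..2 out of the observed window on the very next step. One leaked output is therefore enough to predict every later one, which is what makes the kernel-address permutation derived from it recoverable.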

Vuln. N‘2

Let's continue with the cool exploits: Pangu uses "mach_port_kobject" to recover the permutation value and kernel addresses, i.e. to defeat the kernel address obfuscation mitigation.

// Excerpt of mach_port_kobject() (xnu, osfmk/ipc/mach_debug.c): the kernel hands
// userspace the address of the kernel object behind a port; that returned value is
// what Pangu uses to recover the permutation and defeat kernel address obfuscation
*typep = (unsigned int) ip_kotype(port);
kaddr = (mach_vm_address_t)port->ip_kobject;
ip_unlock(port);
if (0 != kaddr && is_ipc_kobject(*typep))
        *addrp = kaddr;
else
        *addrp = 0;

- "Leaked addresses are very useful for exploitation" (Esser, 2015) (lol)

Vuln. N‘4

Pangu7 exploits the "syslogd chown" bug; to find it, grep for everything invoking chmod / chown in /usr/libexec/ and list all daemons running as root (maybe?)

// syslogd chown bug (as used in evasi0n7)
grep -E 'chmod|chown' -r ./                                 # run in /usr/libexec/: find everything that invokes chmod / chown
ps aux                                                      # list all daemons running as root
chown("/var/mobile/Library/Logs/CrashReporter", 501, 501)   # UID 501 = mobile
chmod("/var/mobile/Library/Logs/CrashReporter", 0755)       # result: rwxr-xr-x mobile mobile /dev/rdisk0s1s1 (reached through a symlink)

Vuln. N‘5

The app binary uses "install_staging", but apparently plants files inside "/private/var/tmp/%@/foo_extracted" (a symlink vulnerability, but not like evasi0n's; I did not find more about this).

Vuln. N‘6

pangu.dylib is injected into timed (a system daemon) via the DYLD_INSERT_LIBRARIES environment variable set from the enterprise app, but, like an app binary, an injected dynamic library needs to be signed.

- This .dylib runs in the context of timed and is signed with the revoked certificate; I assume it overrides the same sandbox functions that gameover.dylib does.

Vuln. N‘7

Once the Pangu app is tapped, "com.apple.mobile.diagnostics_relay" updates "com.apple.mobile_installation.plist", which gets overridden by pangu.dylib, and a file of considerable size (called "bigfile") is installed in "/tmp/" -> the caches are checked and the device should reboot.


- A big file, to improve the reliability of a race condition*

Vuln. N‘8

As with evasi0n7, some files are written to complete the jailbreak -> here is the list:

"/var/mobile/Media/Pangu-Install" -> Directory created to install Cydia.tar, pangu.tar, pangu_ex.tar, packagelist.tar & helper.tar.
"/panguaxe.installed" -> Untether marker file.
"/System/Library/LaunchDaemons/io.pangu.axe.untether.plist" -> Touched so that the untether is loaded correctly.
"/usr/lib/libmis.dylib" -> amfid codesign trick (jtool -l -v -arch arm libmis.dylib -> maybe?)
"cs_enforcement_disable=1" -> Kernel boot argument added after rebooting.

Vuln. N‘9

IOSharedDataQueue doesn't override the ::enqueue method, but adds a ::dequeue method to allow the kernel to dequeue objects which userspace has enqueued.
"Pangu noticed that IOSharedDataQueue also had a much more curious change in its overridden version of ::initWithCapacity:" (Ian Beer).
Ian Beer wrote a writeup about that; check it out.

Vuln. N‘10

Mach-O OSBundleHeaders info leak, used in Pangu v1.0.0, but I did not find it in reversing or on the internet :/

Vuln. N‘11

AppleKeyStore::initUserClient info leak, used in updated versions of Pangu, but I did not find it in reversing or on the internet :/

Conclusion

Pangu7 uses some evasi0n7 techniques / exploits but with a different process, hidden and rebuilt many times so as not to help other researchers...

This tool was patched by Apple in iOS 8, fixing the kernel (CVE-2014-4461), App Installation (CVE-2014-4386), Sandbox (CVE-2014-4457), IOKit (CVE-2014-4407; CVE-2014-4388) and dyld (CVE-2014-4455) issues.



Nemesis - GeekSn0w


- Nemesis's home

We just learned how the previous jailbreaks were made, so let's see how we can create our own tool.
Instead of reusing the previous exploits, I'll use a different method and write it in bash:

Vuln. N‘1

Get an SSH connection by exploiting syringe and the limera1n bootrom exploit through ssh_rd:

# Create ssh_rd.sh containing: java -jar ssh_rd.jar
chmod +x ssh_rd.sh    # make ssh_rd.sh executable
chmod +x ssh_rd.jar   # and ssh_rd.jar
open -a Terminal.app ssh_rd.sh   # open a new Terminal window and run ssh_rd.jar (it puts the phone into restore mode)

- [NOTE]: Nemesis - GeekSn0w can work on all iOS versions supported by Syringe, plus iPhone 2G / 3G and iPod touch 1G, and can boot if these versions match a .plist already found... cool jailbreak, no? :D

Vuln. N‘2

Mounting the iOS volumes is required to interact with the device's files from the Mac:

# Mount iOS 7 volumes
echo "Mounting /dev/disk0s1 on /mnt1..."
mount_hfs /dev/disk0s1 /mnt1

echo "Mounting /dev/disk0s2 on /mnt2..."
mount_hfs /dev/disk0s2 /mnt2

- You can also use "mount.sh" (a pre-installed script) to mount them easily

Vuln. N‘3

Our device allows SSH and all volumes are mounted, great!
Let's install a persistent connection that survives a reboot by injecting an SSH server:

# Remove the old fstab and upload a new one (ssh_rd forwards the device's SSH to local port 2022)
ssh -p 2022 root@localhost rm -f /mnt1/private/etc/fstab
# scp transfers files to the device; note that scp uses -P while ssh uses -p, don't mix them up
scp -P 2022 fstab root@localhost:/mnt1/private/etc/
# Make our bundle executable and upload it to /mnt1/
chmod -R 755 ssh_bundle/*
scp -P 2022 -rp ssh_bundle/* root@localhost:/mnt1/

- sshpass can be used to enter the password automatically when ssh is called

Vuln. N‘4

Let's inject our jailbreak files and install Cydia, because haters will hate it if there is no Cydia :v

# Make our bundle 755
chmod -R 755 jailbreak/*
# Inject the files as folders into /mnt1/ because tar is broken :/
scp -P 2022 -rp jailbreak/* root@localhost:/mnt1/
# Make the cyinstall script 755
chmod 755 cyinstall-1.sh
# Push cyinstall to the device in /mnt1/
scp -P 2022 cyinstall-1.sh root@localhost:/mnt1/
# Reboot the device using nvram auto-boot & reboot_bak
ssh -p 2022 root@localhost nvram auto-boot=true
ssh -p 2022 root@localhost reboot_bak
# With auto-boot set and reboot_bak run, the device should reboot into recovery

- This method is one of many solutions; you can use it or try other approaches.

Vuln. N‘5

Even if we try to exit recovery, the device will boot into a recovery loop... one solution: a tethered boot using opensn0w, something like this (as far as I know...)

# Clone opensn0w from my GitHub, because winocm's repo was deleted ;'(
git clone https://github.com/YumiStar/opensn0w
# Patch libusb, libusbi & libirecovery
patch -p1 < opensn0w3.diff
# Make the autogen script executable
chmod +x autogen.sh
# Generate & configure the build for opensn0w_cli
./autogen.sh; ./configure
# Build the binaries in the src folder (opensn0w_cli; opensn0w_new_api_example)
make; sudo make install
# Boot with opensn0w: -p specifies the bundle property list, -i the IPSW of the matching version
./opensn0w -p iPhone3,X_7.X.X_Build.plist -i iPhone3,X_7.X.X_Build_Restore.ipsw

Bonus:

If you just restored your device, or if it is blocked by iCloud or "No SIM", sit down, keep calm and use the following commands:

# Make sure the device volumes are mounted, then wipe Setup.app
ssh -p 2022 root@localhost rm -rf /mnt1/Applications/Setup.app/*
# Reboot the device using nvram auto-boot & reboot_bak
ssh -p 2022 root@localhost nvram auto-boot=true
# omae wa mou shindeiru: nani?!
ssh -p 2022 root@localhost reboot_bak

- Your device will reboot to the lock screen; enjoy your hacktivation ;)

Conclusion

You just built your own tool based on Nemesis or GeekSn0w, congratulations! For everything else you need to use your own knowledge, not copy / paste and change the name (otherwise it's just too easy: if the goal is to make your own tool, you only have to know how your tool will be built, and you're done with that) :P

As said above, Nemesis can work on all iOS versions supported by Syringe and can (normally) boot with opensn0w if these versions match a .plist already found... be a researcher ;P



Conclusion

Let's make a short review of the techniques we just saw:

  • evasi0n7 iOS 7 - 7.1B3 (afcd)
    • Marker file checked / created using AFC in "/var/mobile/Media"
    • Modified .plist installed using the "../../../../../../" trick in CFBundleExecutable
    • Jailbreaking by using afcd (option -S)
    • Symlink created to "../../../../../../tmp"
    • afcd symlink at "foo_extracted"
    • dyld ignores a section of size 0 and does not validate the signature
    • "#!/usr/libexec/afcd -S -d / -p 8888 & gameover.dylib" executed by opening the app
    • CrashHouseKeeping makes /dev/rdisk0s1s1 readable / writable by the mobile user
    • The computer reaches /dev/rdisk0s1s1, walks its sub-directories and writes files over AFC
    • Kernel exploit bich (joking, I love you all)

  • Pangu7 iOS 7.1 - 7.1.2 (certificate)
    • Revoked enterprise certificate used to sign the dylib and other things
    • Weak early_random() PRNG used to recover its outputs and brute-force its state [...]
    • mach_port_kobject used to defeat the kernel address obfuscation mitigation
    • IOSharedDataQueue notification port overwrite (dequeue objects which userspace has enqueued)
    • Mach-O OSBundleHeaders info leak (not found :/)
    • AppleKeyStore::initUserClient info leak (not found :/)
    • syslogd chown bug, as used in evasi0n7
    • Symlink at "foo_extracted"
    • .dylib running in the context of timed and overriding the same sandbox functions as gameover.dylib
    • Attack hidden (seriously...)

  • Nemesis - GeekSn0w iOS 7.x.x (SSH)
    • SSH connection obtained by exploiting syringe & limera1n through ssh_rd
    • Mounting the iOS volumes
    • Installing a persistent SSH server (scp)
    • Jailbreak files installed over SSH
    • Cydia installed over SSH
    • nvram auto-boot applied
    • Tethered boot (fuk...)
    • Removing Setup.app: hacktivating the device over SSH

3 jailbreaks, 3 different methods used ;)
I hope you learnt something new with this, because it was really difficult to research everything here ;_;


This is the end of this LOOONG post; thanks for spending your time reading my annoying post. If you have any questions, feel free to ask me!
Head back home to see where you can find me on social media.
