Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fried Apples: Jailbreak DIY

Fried Apples: Jailbreak DIY

BlackHat Asia 2017

Max Bazaliy

March 30, 2017
Tweet

More Decks by Max Bazaliy

Other Decks in Programming

Transcript

  1. March 28-31, 2017
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Fried Apples:
    Jailbreak DIY
    Alex Hude
    Max Bazaliy Vlad Putin

    View full-size slide

  2. March 28-31, 2017
    Who we are ? 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o  Security research group
    o  Focused on hardware and software exploitation
    o  Made a various jailbreaks for iOS, tvOS, watchOS
    o  Contributors to jailbreak community

    View full-size slide

  3. March 28-31, 2017
    o  Secure Boot Chain
    o  Mandatory Code Signing
    o  Sandbox
    o  Exploit Mitigations
    o  Data Protection
    o  Secure Enclave Processor
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    iOS Security Overview

    View full-size slide

  4. March 28-31, 2017
    o  Disable OS restrictions
    o  Gain full access to device
    o  Install 3-rd party tools and apps
    o  Exploit chain required
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    What is jailbreak ?

    View full-size slide

  5. March 28-31, 2017
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Jailbreak types
    o  Tethered
    - Re-exploit device on each boot manually
    o  Untethered
    - Re-exploit device on each boot automatically

    View full-size slide

  6. March 28-31, 2017
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Initial attack vector strategies
    o  Application archive (IPA) based
    o  USB payload based
    o  WebKit\SMS\baseband based

    View full-size slide

  7. March 28-31, 2017
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Making jailbreak if you have bugs
    o  Write an exploit chain
    o  Patch OS security restrictions
    o  Install persistent binary
    o  Add Cydia\ssh\remote shell

    View full-size slide

  8. March 28-31, 2017
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Making jailbreak if you don't have bugs
    o  Write an exploit chain Use public write-ups
    o  Patch OS security restrictions
    o  Install persistent binary
    o  Add Cydia\ssh\remote shell

    View full-size slide

  9. March 28-31, 2017
    Implementation
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View full-size slide

  10. March 28-31, 2017
    o  ROP
    o  Binary with Mach-O bug
    o  JavaScriptCore JIT region
    o  Sign with dev\ent certificate
    Arbitrary code execution strategies 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View full-size slide

  11. March 28-31, 2017
    Bypassing sandbox strategies
    o  TOCTOU \ Symlinks
    o  XPC
    o  Kernel patch
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View full-size slide

  12. March 28-31, 2017
    Escalating privileges strategies
    o  Code injection in system service
    o  Kernel patch
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View full-size slide

  13. March 28-31, 2017
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    Bypassing KASLR strategies
    o  Information leak
    o  Brute force

    View full-size slide

  14. March 28-31, 2017
    Bypassing DEP strategies
    o  JavaScriptCore JIT
    o  Userland mmap\mprotect bug
    o  Kernel patch
    o  ROP chain
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  15. March 28-31, 2017
    Seeking for patches in kernel
    o  Static patchfinder (memmem)
    memmem string\pattern, xref + instruction analysis
    o  Dynamic patchfinder
    syscall, sysctl, mach location, known structs + emulation
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  16. March 28-31, 2017
    Kernel patches in detail
    o  root
    o  task_for_pid(0)
    o  amfi
    o  sandbox
    o  __mac_mount
    o  _mapForIO
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  17. March 28-31, 2017
    Escalate privileges
    o  Interesting APIs are restricted
    o  task_for_pid, mount etc
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  18. March 28-31, 2017
    Escalate privileges patch
    o  Find setreuid
    o  Find ruid/euid checks
    o  Patch to skip reuid checks condition
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  19. March 28-31, 2017
    Escalate privileges patch detailed 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  20. March 28-31, 2017
    Kernel task
    o  Easy access to kernel memory
    o  Required for some kern utilities
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  21. March 28-31, 2017
    Kernel task patch
    o  Patch task_for_pid
    o  Re-implement task_for_pid in ROP
    o  Find kernel task in memory
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  22. March 28-31, 2017
    Kernel task patch detailed 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  23. March 28-31, 2017
    Kernel task patch detailed 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  24. March 28-31, 2017
    Apple Mobile File Integrity (AMFI)
    o  Run unsigned code
    o  Fake entitlements
    o  Get other process tasks
    o  Restrictions on mmap, mprotect etc
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24

    View full-size slide

  25. March 28-31, 2017
    AMFI patch
    o  Patch amfi_get_out_of_my_way
    o  Patch PE_i_can_has_debugger
    o  Patch amfi mac policies
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  26. March 28-31, 2017
    AMFI patch detailed 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  27. March 28-31, 2017
    AMFI policy patch detailed 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  28. March 28-31, 2017
    AMFI policy patch detailed 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  29. March 28-31, 2017
    AMFI policies to patch 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  30. March 28-31, 2017
    Sandbox
    o  Access files out of mobile container
    o  Unrestrict usage of system APIs
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  31. March 28-31, 2017
    Sandbox patch
    o  Patch sb_evaluate (allow all)
    o  Hook sb_evaluate
    o  Patch sandbox mac policies
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  32. March 28-31, 2017
    Sandbox patch detailed 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  33. March 28-31, 2017
    Sandbox patch detailed 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  34. March 28-31, 2017
    Sandbox policies 25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  35. March 28-31, 2017
    __mac_mount
    o  Remount system partition
    o  Get write access to system partition
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  36. March 28-31, 2017
    __mac_mount patch
    o  Patch __mac_mount
    o  Call mount_common from kernel
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36

    View full-size slide

  37. March 28-31, 2017
    __mac_mount patch detailed 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  38. March 28-31, 2017
    _mapForIO lock
    o  “/” is mounted as read only
    o  only “/private/var” can be written
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  39. March 28-31, 2017
    _mapForIO lock patch
    o  Patch _mapForIO
    o  Patch PE_i_can_has_kernel_configuartion
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  40. March 28-31, 2017
    _mapForIO lock patch detailed 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  41. March 28-31, 2017
    Kernel Patch Protection
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  42. March 28-31, 2017
    Bypassing KPP strategies
    o  Checks for kernel pages, MMU, sysregs
    o  Execution on EL3
    o  Can’t disable, can race or …
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  43. March 28-31, 2017
    How KPP works? 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  44. March 28-31, 2017
    Original translation table 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  45. March 28-31, 2017
    Create fake Level 1 table 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  46. March 28-31, 2017
    Create fake Level 2 table 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  47. March 28-31, 2017
    Create fake Level 3 table 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  48. March 28-31, 2017
    Create fake pages 37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    View full-size slide

  49. March 28-31, 2017
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    BBQit Framework

    View full-size slide

  50. March 28-31, 2017
    KPP bypass technique 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  51. March 28-31, 2017
    KPP bypass technique (continue) 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  52. March 28-31, 2017
    Achieving persistence strategies
    o  Find service that spawns on boot
    o  Check if it is running as root (optional)
    o  Find userland codesign bug
    o  Symlink system service to exec cs bypass
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  53. March 28-31, 2017
    Achieving persistence example
    o  JavaScriptCore jsc interpreter
    o  Signed by Apple
    o  Can execute code on RWX segment
    o  Copy as system service to spawn on boot
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  54. March 28-31, 2017
    Achieving persistence details 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  55. March 28-31, 2017
    SSH
    o  Copy dropbear or install Cydia
    o  tcprelay.py -t 22:4222
    o  Password ‘alpine’
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  56. March 28-31, 2017
    Cydia
    o  Copy tar to /bin/tar
    o  tar -xvfp cydia.tar
    o  Optional /.cydia_no_stash
    o  Flush uicache using /usr/bin/uicache
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  57. March 28-31, 2017
    o  New heap layout
    o  AMFI and Sandbox hardening
    o  KPP enhancements
    iOS 10 security enhancements 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  58. March 28-31, 2017
    o  MISValidateSignatureAndCopyInfo
    Replace with CFEqual or similar will not work
    o  validateCodeDirectoryHashInDaemon
    possible race condition fixed
    o  Policy patches still work
    iOS 10 amfi mitigations 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  59. March 28-31, 2017
    o  New operations
    boot-arg-set, fs-snapshot*, system-package-check, ...
    o  New hooks
    _hook_iokit_check_nvram_get,
    _hook_proc_check_set_host_special_port,
    _hook_proc_check_get_cs_info ...
    iOS 10 sandbox mitigations 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  60. March 28-31, 2017
    o  New kernelcache layout
    o  Now _got segments are protected
    o  New hardware migrations on iPhone 7/Plus
    iOS 10 KPP enhancements 49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60

    View full-size slide

  61. March 28-31, 2017
    KPP hardware mitigations
    o  AMCC
    o  Watch memory region for any access
    o  Prevents writing inside region
    o  Prevents exec outside region
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72

    View full-size slide

  62. March 28-31, 2017
    KPP hardware mitigations 61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72

    View full-size slide

  63. March 28-31, 2017
    Future of jailbreaks
    o  iOS is more secure on each release
    o  More security on hardware side
    o  Exploits will be more valuable
    o  But there will be bugs and write-ups
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72

    View full-size slide

  64. March 28-31, 2017
    Black Hat Sound Bytes
    o  Jailbreak is doable with public bug info
    o  Patches and KPP bypass from this talk
    o  May the XNU source be with you
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72

    View full-size slide

  65. March 28-31, 2017
    @FriedAppleTeam
    @mbazaliy @getorix @in7egral
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72

    View full-size slide