Fried Apples: Jailbreak DIY

BlackHat Asia 2017

Max Bazaliy

March 30, 2017

Transcript

  1. Fried Apples: Jailbreak DIY
    Alex Hude, Max Bazaliy, Vlad Putin
    March 28-31, 2017
  2. Who we are?
    - Security research group
    - Focused on hardware and software exploitation
    - Made various jailbreaks for iOS, tvOS, watchOS
    - Contributors to jailbreak community
  3. iOS Security Overview
    - Secure Boot Chain
    - Mandatory Code Signing
    - Sandbox
    - Exploit Mitigations
    - Data Protection
    - Secure Enclave Processor
  4. What is jailbreak?
    - Disable OS restrictions
    - Gain full access to device
    - Install 3rd-party tools and apps
    - Exploit chain required
  5. Jailbreak types
    - Tethered - Re-exploit device on each boot manually
    - Untethered - Re-exploit device on each boot automatically
  6. Initial attack vector strategies
    - Application archive (IPA) based
    - USB payload based
    - WebKit\SMS\baseband based
  7. Making jailbreak if you have bugs
    - Write an exploit chain
    - Patch OS security restrictions
    - Install persistent binary
    - Add Cydia\ssh\remote shell
  8. Making jailbreak if you don't have bugs
    - Write an exploit chain
      Use public write-ups
    - Patch OS security restrictions
    - Install persistent binary
    - Add Cydia\ssh\remote shell
  9. Implementation
  10. Arbitrary code execution strategies
    - ROP
    - Binary with Mach-O bug
    - JavaScriptCore JIT region
    - Sign with dev\ent certificate
  11. Bypassing sandbox strategies
    - TOCTOU \ Symlinks
    - XPC
    - Kernel patch
  12. Escalating privileges strategies
    - Code injection in system service
    - Kernel patch
  13. Bypassing KASLR strategies
    - Information leak
    - Brute force
  14. Bypassing DEP strategies
    - JavaScriptCore JIT
    - Userland mmap\mprotect bug
    - Kernel patch
    - ROP chain
  15. Seeking for patches in kernel
    - Static patchfinder (memmem)
      memmem string\pattern, xref + instruction analysis
    - Dynamic patchfinder
      syscall, sysctl, mach location, known structs + emulation
  16. Kernel patches in detail
    - root
    - task_for_pid(0)
    - amfi
    - sandbox
    - __mac_mount
    - _mapForIO
  17. Escalate privileges
    - Interesting APIs are restricted
    - task_for_pid, mount etc
  18. Escalate privileges patch
    - Find setreuid
    - Find ruid/euid checks
    - Patch to skip reuid checks condition
  19. Escalate privileges patch detailed
  20. Kernel task
    - Easy access to kernel memory
    - Required for some kern utilities
  21. Kernel task patch
    - Patch task_for_pid
    - Re-implement task_for_pid in ROP
    - Find kernel task in memory
  22. Kernel task patch detailed
  23. Kernel task patch detailed
  24. Apple Mobile File Integrity (AMFI)
    - Run unsigned code
    - Fake entitlements
    - Get other process tasks
    - Restrictions on mmap, mprotect etc
  25. AMFI patch
    - Patch amfi_get_out_of_my_way
    - Patch PE_i_can_has_debugger
    - Patch amfi mac policies
  26. AMFI patch detailed
  27. AMFI policy patch detailed
  28. AMFI policy patch detailed
  29. AMFI policies to patch
  30. Sandbox
    - Access files out of mobile container
    - Unrestrict usage of system APIs
  31. Sandbox patch
    - Patch sb_evaluate (allow all)
    - Hook sb_evaluate
    - Patch sandbox mac policies
  32. Sandbox patch detailed
  33. Sandbox patch detailed
  34. Sandbox policies
  35. __mac_mount
    - Remount system partition
    - Get write access to system partition
  36. __mac_mount patch
    - Patch __mac_mount
    - Call mount_common from kernel
  37. __mac_mount patch detailed
  38. _mapForIO lock
    - “/” is mounted as read only
    - only “/private/var” can be written
  39. _mapForIO lock patch
    - Patch _mapForIO
    - Patch PE_i_can_has_kernel_configuration
  40. _mapForIO lock patch detailed
  41. Kernel Patch Protection
  42. Bypassing KPP strategies
    - Checks for kernel pages, MMU, sysregs
    - Execution on EL3
    - Can’t disable, can race or …
  43. How KPP works?
  44. Original translation table
  45. Create fake Level 1 table
  46. Create fake Level 2 table
  47. Create fake Level 3 table
  48. Create fake pages
  49. BBQit Framework
  50. KPP bypass technique
  51. KPP bypass technique (continued)
  52. Achieving persistence strategies
    - Find service that spawns on boot
    - Check if it is running as root (optional)
    - Find userland codesign bug
    - Symlink system service to exec cs bypass
  53. Achieving persistence example
    - JavaScriptCore jsc interpreter
    - Signed by Apple
    - Can execute code on RWX segment
    - Copy as system service to spawn on boot
  54. Achieving persistence details
  55. SSH
    - Copy dropbear or install Cydia
    - tcprelay.py -t 22:4222
    - Password ‘alpine’
  56. Cydia
    - Copy tar to /bin/tar
    - tar -xvfp cydia.tar
    - Optional /.cydia_no_stash
    - Flush uicache using /usr/bin/uicache
  57. iOS 10 security enhancements
    - New heap layout
    - AMFI and Sandbox hardening
    - KPP enhancements
  58. iOS 10 amfi mitigations
    - MISValidateSignatureAndCopyInfo
      Replace with CFEqual or similar will not work
    - validateCodeDirectoryHashInDaemon
      possible race condition fixed
    - Policy patches still work
  59. iOS 10 sandbox mitigations
    - New operations
      boot-arg-set, fs-snapshot*, system-package-check, ...
    - New hooks
      _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info ...
  60. iOS 10 KPP enhancements
    - New kernelcache layout
    - Now _got segments are protected
    - New hardware mitigations on iPhone 7/Plus
  61. KPP hardware mitigations
    - AMCC
    - Watch memory region for any access
    - Prevents writing inside region
    - Prevents exec outside region
  62. KPP hardware mitigations
  63. Future of jailbreaks
    - iOS is more secure on each release
    - More security on hardware side
    - Exploits will be more valuable
    - But there will be bugs and write-ups
  64. Black Hat Sound Bytes
    - Jailbreak is doable with public bug info
    - Patches and KPP bypass from this talk
    - May the XNU source be with you
  65. @FriedAppleTeam @mbazaliy @getorix @in7egral