Slide 1

March 28-31, 2017
Fried Apples: Jailbreak DIY
Alex Hude, Max Bazaliy, Vlad Putin

Slide 2

Who we are?
o  Security research group
o  Focused on hardware and software exploitation
o  Made various jailbreaks for iOS, tvOS, watchOS
o  Contributors to the jailbreak community

Slide 3

iOS Security Overview
o  Secure Boot Chain
o  Mandatory Code Signing
o  Sandbox
o  Exploit Mitigations
o  Data Protection
o  Secure Enclave Processor

Slide 4

What is a jailbreak?
o  Disable OS restrictions
o  Gain full access to the device
o  Install third-party tools and apps
o  Exploit chain required

Slide 5

Jailbreak types
o  Tethered - re-exploit device on each boot manually
o  Untethered - re-exploit device on each boot automatically

Slide 6

Initial attack vector strategies
o  Application archive (IPA) based
o  USB payload based
o  WebKit/SMS/baseband based

Slide 7

Making a jailbreak if you have bugs
o  Write an exploit chain
o  Patch OS security restrictions
o  Install persistent binary
o  Add Cydia/ssh/remote shell

Slide 8

Making a jailbreak if you don't have bugs
o  Write an exploit chain (use public write-ups)
o  Patch OS security restrictions
o  Install persistent binary
o  Add Cydia/ssh/remote shell

Slide 9

Implementation

Slide 10

Arbitrary code execution strategies
o  ROP
o  Binary with Mach-O bug
o  JavaScriptCore JIT region
o  Sign with dev/ent certificate

Slide 11

Bypassing sandbox strategies
o  TOCTOU / symlinks
o  XPC
o  Kernel patch

Slide 12

Escalating privileges strategies
o  Code injection in system service
o  Kernel patch

Slide 13

Bypassing KASLR strategies
o  Information leak
o  Brute force

Slide 14

Bypassing DEP strategies
o  JavaScriptCore JIT
o  Userland mmap/mprotect bug
o  Kernel patch
o  ROP chain

Slide 15

Searching for patch locations in the kernel
o  Static patchfinder (memmem): string/pattern search, xref + instruction analysis
o  Dynamic patchfinder: syscall, sysctl, Mach location, known structs + emulation
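As an added illustration of the static patchfinder idea on this slide (example code written for this page, not the Fried Apple team's tooling): a masked byte-pattern search over a constructed buffer of ARM64 instruction encodings. The primitive that locates a known code sequence for a patchfinder is the same one signature scanners and kernel-integrity checkers use to find and verify known code, which is why a defender's tooling ends up with the same `memmem`-with-wildcards routine. The pattern, mask and sample image below are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A pattern is a byte sequence plus a mask: mask byte 0xFF means the byte
 * must match exactly, 0x00 means "don't care" (a wildcard), and partial
 * masks select bit fields inside an instruction word. */
typedef struct {
    const uint8_t *bytes;
    const uint8_t *mask;
    size_t len;
} pattern_t;

/* Offset of the first match at or after `start`, or -1 if none. This is
 * memmem() generalised to wildcards; it scans every byte offset. */
long pattern_find(const uint8_t *buf, size_t buf_len,
                  const pattern_t *p, size_t start)
{
    if (p->len == 0 || buf_len < p->len) return -1;
    for (size_t off = start; off + p->len <= buf_len; off++) {
        size_t i = 0;
        while (i < p->len &&
               (buf[off + i] & p->mask[i]) == (p->bytes[i] & p->mask[i]))
            i++;
        if (i == p->len) return (long)off;
    }
    return -1;
}

/* Number of non-overlapping matches in the buffer. */
size_t pattern_count(const uint8_t *buf, size_t buf_len, const pattern_t *p)
{
    size_t n = 0;
    long off = pattern_find(buf, buf_len, p, 0);
    while (off >= 0) {
        n++;
        off = pattern_find(buf, buf_len, p, (size_t)off + p->len);
    }
    return n;
}

/* Constructed sample "image" of little-endian ARM64 instructions (not a real
 * kernelcache). Offsets: 0 nop, 4 mov x0,#1, 8 ret, 12 nop,
 * 16 mov x0,#0x1234, 20 ret, 24 mov x1,#1, 28 ret. */
static const uint8_t sample_image[] = {
    0x1F, 0x20, 0x03, 0xD5,   /* nop             (0xD503201F) */
    0x20, 0x00, 0x80, 0xD2,   /* mov x0, #1      (0xD2800020) */
    0xC0, 0x03, 0x5F, 0xD6,   /* ret             (0xD65F03C0) */
    0x1F, 0x20, 0x03, 0xD5,   /* nop */
    0x80, 0x46, 0x82, 0xD2,   /* mov x0, #0x1234 (0xD2824680) */
    0xC0, 0x03, 0x5F, 0xD6,   /* ret */
    0x21, 0x00, 0x80, 0xD2,   /* mov x1, #1: Rd is 1, must NOT match */
    0xC0, 0x03, 0x5F, 0xD6,   /* ret */
};

/* Pattern: "movz x0, #<any imm16>" followed by "ret". In the MOVZ encoding
 * imm16 occupies bits 20..5 and Rd bits 4..0, so the mask word 0xFFE0001F
 * keeps the opcode, the hw field and Rd while wildcarding the immediate. */
static const uint8_t mov_x0_ret_bytes[] = { 0x00, 0x00, 0x80, 0xD2, 0xC0, 0x03, 0x5F, 0xD6 };
static const uint8_t mov_x0_ret_mask[]  = { 0x1F, 0x00, 0xE0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
static const pattern_t mov_x0_ret = { mov_x0_ret_bytes, mov_x0_ret_mask, 8 };

long sample_first_match(void)
{
    return pattern_find(sample_image, sizeof sample_image, &mov_x0_ret, 0);
}

size_t sample_match_count(void)
{
    return pattern_count(sample_image, sizeof sample_image, &mov_x0_ret);
}

int main(void)
{
    printf("first match at offset %ld, %zu matches total\n",
           sample_first_match(), sample_match_count());   /* 4 and 2 */
    return 0;
}
```

The mask is what makes the search robust across builds: the immediate changes from kernel to kernel, the opcode and register fields do not. A scan that matches more than once (as `sample_match_count` shows) is the usual reason a real patchfinder follows a byte match with the xref and instruction analysis the slide lists.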

Slide 16

Kernel patches in detail
o  root
o  task_for_pid(0)
o  amfi
o  sandbox
o  __mac_mount
o  _mapForIO

Slide 17

Escalate privileges
o  Interesting APIs are restricted
o  task_for_pid, mount, etc.

Slide 18

Escalate privileges patch
o  Find setreuid
o  Find ruid/euid checks
o  Patch to skip the reuid check condition

Slide 19

Escalate privileges patch detailed

Slide 20

Kernel task
o  Easy access to kernel memory
o  Required for some kernel utilities

Slide 21

Kernel task patch
o  Patch task_for_pid
o  Re-implement task_for_pid in ROP
o  Find kernel task in memory

Slide 22

Kernel task patch detailed

Slide 23

Kernel task patch detailed

Slide 24

Apple Mobile File Integrity (AMFI)
o  Run unsigned code
o  Fake entitlements
o  Get other process tasks
o  Restrictions on mmap, mprotect, etc.

Slide 25

AMFI patch
o  Patch amfi_get_out_of_my_way
o  Patch PE_i_can_has_debugger
o  Patch AMFI MAC policies

Slide 26

AMFI patch detailed

Slide 27

AMFI policy patch detailed

Slide 28

AMFI policy patch detailed

Slide 29

AMFI policies to patch

Slide 30

Sandbox
o  Access files outside the mobile container
o  Unrestrict usage of system APIs

Slide 31

Sandbox patch
o  Patch sb_evaluate (allow all)
o  Hook sb_evaluate
o  Patch sandbox MAC policies

Slide 32

Sandbox patch detailed

Slide 33

Sandbox patch detailed

Slide 34

Sandbox policies

Slide 35

__mac_mount
o  Remount system partition
o  Get write access to system partition

Slide 36

__mac_mount patch
o  Patch __mac_mount
o  Call mount_common from kernel

Slide 37

__mac_mount patch detailed

Slide 38

_mapForIO lock
o  "/" is mounted read-only
o  only "/private/var" can be written

Slide 39

_mapForIO lock patch
o  Patch _mapForIO
o  Patch PE_i_can_has_kernel_configuration

Slide 40

_mapForIO lock patch detailed

Slide 41

Kernel Patch Protection

Slide 42

Bypassing KPP strategies
o  Checks kernel pages, MMU, sysregs
o  Executes at EL3
o  Can't disable, can race or …

Slide 43

How does KPP work?

Slide 44

Original translation table

Slide 45

Create fake Level 1 table

Slide 46

Create fake Level 2 table

Slide 47

Create fake Level 3 table

Slide 48

Create fake pages

Slide 49

BBQit Framework

Slide 50

KPP bypass technique

Slide 51

KPP bypass technique (continued)

Slide 52

Achieving persistence strategies
o  Find a service that spawns on boot
o  Check if it is running as root (optional)
o  Find a userland codesign bug
o  Symlink system service to exec CS bypass

Slide 53

Achieving persistence example
o  JavaScriptCore jsc interpreter
o  Signed by Apple
o  Can execute code in an RWX segment
o  Copy as system service to spawn on boot

Slide 54

Achieving persistence details

Slide 55

SSH
o  Copy dropbear or install Cydia
o  tcprelay.py -t 22:4222
o  Password 'alpine'

Slide 56

Cydia
o  Copy tar to /bin/tar
o  tar -xvpf cydia.tar
o  Optional /.cydia_no_stash
o  Flush uicache using /usr/bin/uicache

Slide 57

iOS 10 security enhancements
o  New heap layout
o  AMFI and Sandbox hardening
o  KPP enhancements

Slide 58

iOS 10 AMFI mitigations
o  MISValidateSignatureAndCopyInfo: replacing it with CFEqual or similar no longer works
o  validateCodeDirectoryHashInDaemon: possible race condition fixed
o  Policy patches still work

Slide 59

iOS 10 sandbox mitigations
o  New operations: boot-arg-set, fs-snapshot*, system-package-check, ...
o  New hooks: _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info, ...

Slide 60

iOS 10 KPP enhancements
o  New kernelcache layout
o  _got segments are now protected
o  New hardware mitigations on iPhone 7/Plus

Slide 61

KPP hardware mitigations
o  AMCC
o  Watches a memory region for any access
o  Prevents writing inside the region
o  Prevents exec outside the region
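An added model of the two protection styles the deck contrasts: the periodic KPP check of slides 42-43 (kernel pages verified from a higher privilege level, EL3) and the per-access AMCC watcher of this slide. This is example code written for this page, not Apple's implementation and not code from the talk; the region, hash function, page size and access-policy names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model. A protected region is a byte range plus a "golden"
 * hash taken at boot. The periodic check stands in for the KPP checks the
 * slides describe as running at EL3; the access policy stands in for the
 * AMCC watcher on iPhone 7. Neither is the real hardware or firmware logic. */

#define PAGE_SIZE 4096u

typedef struct {
    uint8_t *base;
    size_t   len;
    uint64_t golden;
} protected_region_t;

/* FNV-1a 64-bit. A real monitor would use a proper digest; the model only
 * needs the property that any byte change alters the value. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record the reference hash once, at "boot". */
void region_seal(protected_region_t *r) { r->golden = fnv1a64(r->base, r->len); }

/* Periodic KPP-style check: 1 if the region no longer matches, 0 if clean. */
int region_modified(const protected_region_t *r)
{
    return fnv1a64(r->base, r->len) != r->golden;
}

/* AMCC-style policy, evaluated per access rather than periodically: writes
 * inside the watched range are refused, and execution outside it is refused. */
typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_t;

int amcc_allows(const protected_region_t *r, uintptr_t addr, access_t kind)
{
    uintptr_t lo = (uintptr_t)r->base, hi = lo + r->len;
    int inside = addr >= lo && addr < hi;
    if (kind == ACC_WRITE && inside)  return 0;
    if (kind == ACC_EXEC  && !inside) return 0;
    return 1;
}

/* Scenario 1: seal a constructed "kernel text", flip one bit after sealing,
 * and confirm the periodic check reports it. Returns 1 on the expected outcome. */
int demo_periodic_check_detects_change(void)
{
    static uint8_t text[2 * PAGE_SIZE];
    for (size_t i = 0; i < sizeof text; i++) text[i] = (uint8_t)(i * 31u);
    protected_region_t r = { text, sizeof text, 0 };
    region_seal(&r);
    int clean_before = region_modified(&r) == 0;
    text[PAGE_SIZE + 100] ^= 0x01;              /* one-bit change after sealing */
    return clean_before && region_modified(&r) == 1;
}

/* Scenario 2: the per-access policy. Returns 1 if all four decisions follow
 * the rule "no writes inside, no execution outside". */
int demo_access_policy(void)
{
    static uint8_t region[PAGE_SIZE];
    static uint8_t elsewhere[PAGE_SIZE];
    protected_region_t r = { region, sizeof region, 0 };
    return amcc_allows(&r, (uintptr_t)region + 8,    ACC_EXEC)  == 1 &&
           amcc_allows(&r, (uintptr_t)region + 8,    ACC_WRITE) == 0 &&
           amcc_allows(&r, (uintptr_t)elsewhere + 8, ACC_WRITE) == 1 &&
           amcc_allows(&r, (uintptr_t)elsewhere + 8, ACC_EXEC)  == 0;
}

int main(void)
{
    printf("periodic check detects change: %d\n", demo_periodic_check_detects_change());
    printf("per-access policy behaves as specified: %d\n", demo_access_policy());
    return 0;
}
```

The difference between the two scenarios is the point slide 42 makes with "can race": a periodic hash only sees the state at the moment it runs, so there is a window between checks, whereas a watcher that decides on every access has no window, which is why this slide describes the hardware as preventing rather than detecting.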

Slide 62

KPP hardware mitigations

Slide 63

Future of jailbreaks
o  iOS is more secure with each release
o  More security on the hardware side
o  Exploits will be more valuable
o  But there will be bugs and write-ups

Slide 64

Black Hat Sound Bytes
o  Jailbreak is doable with public bug info
o  Patches and KPP bypass from this talk
o  May the XNU source be with you

Slide 65

@FriedAppleTeam @mbazaliy @getorix @in7egral