
Story of a RCE on Apple through hot jar swapping

Frans Rosén
December 17, 2022

Story of a RCE on Apple through hot jar swapping

These are the slides from Frans Rosén's talk "Story of a RCE on Apple through hot jar swapping" from NahamCon 2022 EU.

Youtube: https://www.youtube.com/watch?v=A-O-irpqUWQ

Transcript

  1. Frans Rosén, NahamCon 2022 EU: Story of a RCE on Apple through hot jar swapping
  2. PUBLIC Rundown (slide 2)
     • Intro
     • Prior research
     • Transporter/Author flow
     • This is not possible
     • Wait AAAAAA minute…
     • AAAAAAAAAAAAA!
     • Demo
     • Conclusions
  3. Introduction (slide 3)
     • Security advisor @ Detectify
     • Bug hunter since 2012
     • Killed TLS-SNI-01
     • Deleted everyone’s Apple Shortcuts
     • 2 x H1-MVH
  4. Flow (slide 18)
     1. Check md5 of /tmp/.itmstransporter/lib/osgibootstrapper.jar; if not matching remote, download new
  5. Flow (slide 22)
     1. Check md5 of /tmp/.itmstransporter/lib/osgibootstrapper.jar; if not matching remote, download new
     2. .epub + manifest in ZIP called .itmsp; manifest contains md5 of epub, md5 + size must match
  6. Flow (slide 24)
     1. Check md5 of /tmp/.itmstransporter/lib/osgibootstrapper.jar; if not matching remote, download new
     2. .epub + manifest in ZIP called .itmsp; manifest contains md5 of epub, md5 + size must match
     3. epubtoolkit will then extract and validate the epub ZIP before uploading
  7. Flow (slide 27)
     1. Check md5 of /tmp/.itmstransporter/lib/osgibootstrapper.jar; if not matching remote, download new
     2. .epub + manifest in ZIP called .itmsp; manifest contains md5 of epub, md5 + size must match
     3. epubtoolkit will then extract and validate the epub ZIP before uploading
     4. If we find a vuln locally, we can trigger it on authors.apple.com
  8. Running iTMSTransporter locally (slide 28)
     iTMSTransporter -m upload -DDataCenters=contentdelivery.itunes.apple.com \
       -Dtransporter.client=BooksPortal -Duser.home=/tmp \
       -Dcom.apple.transporter.updater.disable=true \
       -v "eXtreme" \
       -Dcom.transporter.client.version="1.0" \
       -itc_provider "<provider>" -u <email> -p <password> \
       -f <file.itmsp> -distribution DeveloperId -primaryBundleId <bundle> -t HTTP
     https://help.apple.com/itc/transporteruserguide/#/apdATD1E1288-D1E1A1303-D1E1288A1126
  9. Final conclusions after 2 days' time (slide 39)
     • Cron was not writable
     • Only /tmp/ found to be writable
     • We know the app works with files in /tmp/
     • App only runs using JARs
     • JARs are already loaded when unpacking the ZIP
  10. Let’s mimic osgibootstrapper.jar (slide 44)
     Idea:
     • Let’s decompile a .class in osgibootstrapper
     • Modify it, then compile into .class
     • Repack into JAR
     • Put JAR in .epub to replace ../../../tmp/.itmstransporter/lib/osgibootstrapper.jar
  11. Let’s mimic osgibootstrapper.jar (slide 62)
     New idea:
     • Let’s decompile a .class in osgibootstrapper
     • Modify the inner class, then compile into .class
     • Make sure size + compression is the same
     • Repack into JAR
     • Put JAR in .epub to replace

  12. Deflate compression (slide 65)
     • Example: "AAAAA" compresses more than "AADAF"
     • This lets us start from the original size and raise or lower the compression rate by injecting non-consecutive letters
     • We will use System.out.println since we see the output
  13. Add print of PATH env + AAAA padding (slide 68)
     Annotations: "Original length is good"; "Compressed length is compressing too much"
  14. Conclusions (slide 86)
     • This is absolutely exploitable elsewhere
     • Prerequisites:
       1. URLClassLoader is used
       2. JAR can have been loaded prior to replacing, but the class from the loaded JAR has not been triggered
       3. Class needs to have inner classes
  15. Example (slide 88)
     This is the only thing that needs to happen after replacing the JAR to trigger it
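The extraction step in the flow slides (slides 6 and 7) and the replacement path on slide 10 hinge on an .epub ZIP entry whose name climbs out of the working directory into /tmp. As an added example (not code from the talk or from Apple's tooling), the Python check below validates entry names before anything is written and rejects an archive that carries such an entry; the destination directory and the sample entries are constructed for illustration.

```python
import io
import os
import posixpath
import zipfile

# Constructed sample entry using the traversal path shown in the talk.
MALICIOUS_ENTRY = "../../../tmp/.itmstransporter/lib/osgibootstrapper.jar"


def build_sample_epub(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest_dir):
    """Return entry names that would land outside dest_dir when extracted.

    Names are checked before extraction: absolute paths, drive letters and
    any '..' sequence that resolves above dest_dir are all flagged.
    """
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if posixpath.isabs(name) or os.path.splitdrive(name)[0]:
                bad.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest, *name.split("/")))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Refuse the whole archive if any entry escapes dest_dir, else extract."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())
```

Python's own ZipFile.extractall strips leading separators and `..` components, but many extractors (a hand-rolled loop over Java's ZipInputStream, for instance) do not, which is why the name check belongs in front of whatever performs the write.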