Story of a RCE on Apple through hot jar swapping

Transcript

1. Frans Rosén NahamCon 2022 EU Story of a RCE on

   Apple through hot jar swapping

2. PUBLIC Rundown 2 • Intro • Prior research • Transporter/Author

   flow • This is not possible • Wait AAAAAA minute… • AAAAAAAAAAAAA! • Demo • Conclusions

3. PUBLIC Introduction 3 • Security advisor @ Detectify • Bug

   hunter since 2012 • Killed TLS-SNI-01 • Deleted everyone’s Apple Shortcuts • 2 x H1-MVH

4. PUBLIC /hɑt d ͡ ʒɑɹ ˈswɑpɪŋ/ 4

5. Prior research

6. Want to hack Apple? *cue epic blog post*

7. PUBLIC The gold mine of knowledge 7 https://samcurry.net/hacking-apple/

8. PUBLIC Author’s ePublisher 8 https://samcurry.net/hacking-apple/

9. PUBLIC Author’s ePublisher 9 https://samcurry.net/hacking-apple/

10. PUBLIC Author’s ePublisher 10 https://samcurry.net/hacking-apple/

11. PUBLIC Transporter 11 https://help.apple.com/itc/transporteruserguide/#/apdAbeb95d60

12. PUBLIC iTMSTransporter java wrapper 12 https://help.apple.com/itc/transporteruserguide/#/apdAbeb95d60

13. Disclaimer: I suck at Java

14. PUBLIC <3 JD-GUI 14 https://java-decompiler.github.io/

15. PUBLIC itmstransporter-launcher.jar 15

16. PUBLIC itmstransporter-launcher.jar 16

17. PUBLIC osgibootstrapper.jar 17

18. PUBLIC Flow 18 1. Check md5 of: 
 
 if

    not matching remote, download new /tmp/.itmstransporter/lib/osgibootstrapper.jar

19. PUBLIC .itmsp (pre-gen store package) 19 https://help.apple.com/itc/transporteruserguide/#/apdATD1E1288-D1E1A1303-D1E1288A1126

20. PUBLIC .itmsp (pre-gen store package) 20 https://help.apple.com/itc/transporteruserguide/#/apdATD1E1288-D1E1A1303-D1E1288A1126

21. PUBLIC .itmsp (pre-gen store package) 21 https://help.apple.com/itc/transporteruserguide/#/apdATD1E1288-D1E1A1303-D1E1288A1126

22. PUBLIC Flow 22 1. Check md5 of: 
 
 if

    not matching remote, download new 2. .epub + manifest in ZIP called .itmsp, manifest contains md5 of epub, md5 + size must match /tmp/.itmstransporter/lib/osgibootstrapper.jar

23. PUBLIC epubtoolkit-2.4.0.jar 23

24. PUBLIC Flow 24 1. Check md5 of: 
 
 if

    not matching remote, download new 2. .epub + manifest in ZIP called .itmsp, manifest contains md5 of epub, md5 + size must match 3. epubtoolkit will then extract and validate epub-ZIP before uploading /tmp/.itmstransporter/lib/osgibootstrapper.jar

25. PUBLIC authors.apple.com iTMSTransporter client running server-side 25

26. PUBLIC authors.apple.com iTMSTransporter client running server-side 26

27. PUBLIC Flow 27 1. Check md5 of: 
 
 if

    not matching remote, download new 2. .epub + manifest in ZIP called .itmsp, manifest contains md5 of epub, md5 + size must match 3. epubtoolkit will then extract and validate epub-ZIP before uploading 4. If we find a vuln locally, we can trigger it on authors.apple.com /tmp/.itmstransporter/lib/osgibootstrapper.jar

28. PUBLIC iTMSTransporter -m upload -DDataCenters=contentdelivery.itunes.apple.com \ -Dtransporter.client=BooksPortal -Duser.home=/tmp \ -Dcom.apple.transporter.updater.disable=true

    -v "eXtreme" \ -Dcom.transporter.client.version="1.0" \ -itc_provider "<provider>" -u <email> -p <password> \ -f <file.itmsp> -distribution DeveloperId -primaryBundleId <bundle> -t HTTP; Running iTMSTransporter locally 28 https://help.apple.com/itc/transporteruserguide/#/apdATD1E1288-D1E1A1303-D1E1288A1126

29. Let’s exploit!

30. PUBLIC Let’s try path-traverse when unzipping 30

31. PUBLIC Let’s try path-traverse when unzipping 31 error: (No such

    file or directory)

32. PUBLIC Let’s try path-traverse when unzipping 32

33. PUBLIC Let’s try path-traverse when unzipping 33 no error

34. PUBLIC We can write to /tmp/ 34 no error

35. PUBLIC Different tmp-dirs btw Linux / macOS 35

36. PUBLIC Different tmp-dirs btw Linux / macOS 36

37. PUBLIC authors.apple.com uses /tmp/.itmstransporter 37

38. *2 days of attempts*

39. PUBLIC Final conclusions after 2 days time 39 • Cron

    were not writable • Only /tmp/ found to be writable • We know app works with files in /tmp/ • App only runs using JAR:s • JAR:s are already loaded when unpacking ZIP

40. One interesting discovery

41. PUBLIC When I replaced osgibootstrapper.jar 41

42. PUBLIC When I replaced osgibootstrapper.jar 42

43. PUBLIC When I replaced osgibootstrapper.jar 43

44. PUBLIC Let’s mimic osgibootstrapper.jar 44 Idea: • Let’s decompile a

    .class in osgibootstrapper • Modify it, then compile into .class • Repack into JAR • Put JAR in .epub to replace 
 ../../../tmp/.itmstransporter/lib/osgibootstrapper.jar

45. PUBLIC Let’s mimic osgibootstrapper.jar 45 Only .java files Only .class

    files

46. PUBLIC Let’s mimic osgibootstrapper.jar 46

47. PUBLIC Let’s mimic osgibootstrapper.jar 47

48. PUBLIC Let’s mimic osgibootstrapper.jar 48

49. PUBLIC Let’s mimic osgibootstrapper.jar 49

50. Foiled again…

51. Foiled again… 
 RTFM

52. PUBLIC RTFM 52

53. PUBLIC RTFM 53

54. PUBLIC RTFM 54

55. PUBLIC RTFM 55

56. PUBLIC We have a few things to play with 56

57. PUBLIC Length before compress Compressed size Compression rate CRC-32 We

    have a few things to play with 57

58. PUBLIC Also, remember the error: 58

59. PUBLIC Also, remember the error: 59 $1 ?

60. PUBLIC Inner classes! 60 $1 ? https://stackoverflow.com/questions/11388840/java-compiled-classes-contain-dollar-signs/11388863#11388863

61. PUBLIC Inner class of BootstrapUtil 61 $1 ?

62. PUBLIC Let’s mimic osgibootstrapper.jar 62 New idea: • Let’s decompile

    a .class in osgibootstrapper • Modify the inner class, then compile into .class • Make sure size + compression is the same • Repack into JAR • Put JAR in .epub to replace 


63. PUBLIC 63

64. *cue AAAAAAAAAA*

65. PUBLIC Deflate compression 65 • Ex: "AAAAA" compresses more than

    "AADAF" • This allows us to iterate from an original size 
 and lower or higher the compression rate by 
 injecting non-consecutive letters • We will use System.out.println since we see output

66. PUBLIC Add print of PATH-env + AAAA-padding 66

67. PUBLIC Add print of PATH-env + AAAA-padding 67

68. PUBLIC Add print of PATH-env + AAAA-padding 68 Original length

    is good Compressed length is compressing too much

69. PUBLIC AAAAFAAAAA 69 Original length is good Compressed length is

    compressing too little

70. PUBLIC FFAAAAAAAAAA 70

71. PUBLIC FFAAAAAAAAAA 71 Original length is good Compressed length is

    good

72. PUBLIC AAAAAAAAAAAA 72

73. PUBLIC AAAAAAAAAAAA 73

74. PUBLIC AAAAAAAAAAAA 74

75. PUBLIC Report to Apple 75

76. PUBLIC Report to Apple 76

77. PUBLIC Confirming RCE 77

78. PUBLIC Confirming RCE 78

79. PUBLIC Apple team joins shared code 79

80. PUBLIC authors.apple.com goes down 80

81. PUBLIC Obligatory avlidienbrunn reaction 81

82. PUBLIC Demo time!

83. PUBLIC Demo time! 83

84. PUBLIC Conclusions

85. PUBLIC Conclusions 85 • This is absolutely exploitable elsewhere

86. PUBLIC Conclusions 86 • This is absolutely exploitable elsewhere •

    Prerequisites: 1. URLClassLoader is used 2. JAR can have been loaded prior to replacing 
 but class from loaded JAR has not been triggered 3. Class needs to have inner-classes

87. PUBLIC Example 87

88. PUBLIC Example 88 This is the only thing that needs

    to happen after replacing JAR to trigger it

89. PUBLIC Example code on GitHub 89 https://github.com/fransr/hot-jar-swapping-urlclassloader

90. twitter @fransrosen www.detectify.com Thank you!