Fried Apples: Jailbreak DIY

Transcript

1. March 28-31, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Fried Apples: Jailbreak DIY Alex Hude Max Bazaliy Vlad Putin

2. March 28-31, 2017 Who we are ? 1 2 3

   4 5 6 7 8 9 10 11 12 o  Security research group o  Focused on hardware and software exploitation o  Made a various jailbreaks for iOS, tvOS, watchOS o  Contributors to jailbreak community

3. March 28-31, 2017 o  Secure Boot Chain o  Mandatory Code

   Signing o  Sandbox o  Exploit Mitigations o  Data Protection o  Secure Enclave Processor 1 2 3 4 5 6 7 8 9 10 11 12 iOS Security Overview

4. March 28-31, 2017 o  Disable OS restrictions o  Gain full

   access to device o  Install 3-rd party tools and apps o  Exploit chain required 1 2 3 4 5 6 7 8 9 10 11 12 What is jailbreak ?

5. March 28-31, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Jailbreak types o  Tethered - Re-exploit device on each boot manually o  Untethered - Re-exploit device on each boot automatically

6. March 28-31, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Initial attack vector strategies o  Application archive (IPA) based o  USB payload based o  WebKit\SMS\baseband based

7. March 28-31, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Making jailbreak if you have bugs o  Write an exploit chain o  Patch OS security restrictions o  Install persistent binary o  Add Cydia\ssh\remote shell

8. March 28-31, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Making jailbreak if you don't have bugs o  Write an exploit chain Use public write-ups o  Patch OS security restrictions o  Install persistent binary o  Add Cydia\ssh\remote shell

9. March 28-31, 2017 Implementation 1 2 3 4 5 6

   7 8 9 10 11 12

10. March 28-31, 2017 o  ROP o  Binary with Mach-O bug

    o  JavaScriptCore JIT region o  Sign with dev\ent certificate Arbitrary code execution strategies 1 2 3 4 5 6 7 8 9 10 11 12

11. March 28-31, 2017 Bypassing sandbox strategies o  TOCTOU \ Symlinks

    o  XPC o  Kernel patch 1 2 3 4 5 6 7 8 9 10 11 12

12. March 28-31, 2017 Escalating privileges strategies o  Code injection in

    system service o  Kernel patch 1 2 3 4 5 6 7 8 9 10 11 12

13. March 28-31, 2017 13 14 15 16 17 18 19

    20 21 22 23 24 Bypassing KASLR strategies o  Information leak o  Brute force

14. March 28-31, 2017 Bypassing DEP strategies o  JavaScriptCore JIT o 

    Userland mmap\mprotect bug o  Kernel patch o  ROP chain 13 14 15 16 17 18 19 20 21 22 23 24

15. March 28-31, 2017 Seeking for patches in kernel o  Static

    patchfinder (memmem) memmem string\pattern, xref + instruction analysis o  Dynamic patchfinder syscall, sysctl, mach location, known structs + emulation 13 14 15 16 17 18 19 20 21 22 23 24

16. March 28-31, 2017 Kernel patches in detail o  root o 

    task_for_pid(0) o  amfi o  sandbox o  __mac_mount o  _mapForIO 13 14 15 16 17 18 19 20 21 22 23 24

17. March 28-31, 2017 Escalate privileges o  Interesting APIs are restricted

    o  task_for_pid, mount etc 13 14 15 16 17 18 19 20 21 22 23 24

18. March 28-31, 2017 Escalate privileges patch o  Find setreuid o 

    Find ruid/euid checks o  Patch to skip reuid checks condition 13 14 15 16 17 18 19 20 21 22 23 24

19. March 28-31, 2017 Escalate privileges patch detailed 13 14 15

    16 17 18 19 20 21 22 23 24

20. March 28-31, 2017 Kernel task o  Easy access to kernel

    memory o  Required for some kern utilities 13 14 15 16 17 18 19 20 21 22 23 24

21. March 28-31, 2017 Kernel task patch o  Patch task_for_pid o 

    Re-implement task_for_pid in ROP o  Find kernel task in memory 13 14 15 16 17 18 19 20 21 22 23 24

22. March 28-31, 2017 Kernel task patch detailed 13 14 15

    16 17 18 19 20 21 22 23 24

23. March 28-31, 2017 Kernel task patch detailed 13 14 15

    16 17 18 19 20 21 22 23 24

24. March 28-31, 2017 Apple Mobile File Integrity (AMFI) o  Run

    unsigned code o  Fake entitlements o  Get other process tasks o  Restrictions on mmap, mprotect etc 13 14 15 16 17 18 19 20 21 22 23 24

25. March 28-31, 2017 AMFI patch o  Patch amfi_get_out_of_my_way o  Patch

    PE_i_can_has_debugger o  Patch amfi mac policies 25 26 27 28 29 30 31 32 33 34 35 36

26. March 28-31, 2017 AMFI patch detailed 25 26 27 28

    29 30 31 32 33 34 35 36

27. March 28-31, 2017 AMFI policy patch detailed 25 26 27

    28 29 30 31 32 33 34 35 36

28. March 28-31, 2017 AMFI policy patch detailed 25 26 27

    28 29 30 31 32 33 34 35 36

29. March 28-31, 2017 AMFI policies to patch 25 26 27

    28 29 30 31 32 33 34 35 36

30. March 28-31, 2017 Sandbox o  Access files out of mobile

    container o  Unrestrict usage of system APIs 25 26 27 28 29 30 31 32 33 34 35 36

31. March 28-31, 2017 Sandbox patch o  Patch sb_evaluate (allow all)

    o  Hook sb_evaluate o  Patch sandbox mac policies 25 26 27 28 29 30 31 32 33 34 35 36

32. March 28-31, 2017 Sandbox patch detailed 25 26 27 28

    29 30 31 32 33 34 35 36

33. March 28-31, 2017 Sandbox patch detailed 25 26 27 28

    29 30 31 32 33 34 35 36

34. March 28-31, 2017 Sandbox policies 25 26 27 28 29

    30 31 32 33 34 35 36

35. March 28-31, 2017 __mac_mount o  Remount system partition o  Get

    write access to system partition 25 26 27 28 29 30 31 32 33 34 35 36

36. March 28-31, 2017 __mac_mount patch o  Patch __mac_mount o  Call

    mount_common from kernel 25 26 27 28 29 30 31 32 33 34 35 36

37. March 28-31, 2017 __mac_mount patch detailed 37 38 39 40

    41 42 43 44 45 46 47 48

38. March 28-31, 2017 _mapForIO lock o  “/” is mounted as

    read only o  only “/private/var” can be written 37 38 39 40 41 42 43 44 45 46 47 48

39. March 28-31, 2017 _mapForIO lock patch o  Patch _mapForIO o 

    Patch PE_i_can_has_kernel_configuartion 37 38 39 40 41 42 43 44 45 46 47 48

40. March 28-31, 2017 _mapForIO lock patch detailed 37 38 39

    40 41 42 43 44 45 46 47 48

41. March 28-31, 2017 Kernel Patch Protection 37 38 39 40

    41 42 43 44 45 46 47 48

42. March 28-31, 2017 Bypassing KPP strategies o  Checks for kernel

    pages, MMU, sysregs o  Execution on EL3 o  Can’t disable, can race or … 37 38 39 40 41 42 43 44 45 46 47 48

43. March 28-31, 2017 How KPP works? 37 38 39 40

    41 42 43 44 45 46 47 48

44. March 28-31, 2017 Original translation table 37 38 39 40

    41 42 43 44 45 46 47 48

45. March 28-31, 2017 Create fake Level 1 table 37 38

    39 40 41 42 43 44 45 46 47 48

46. March 28-31, 2017 Create fake Level 2 table 37 38

    39 40 41 42 43 44 45 46 47 48

47. March 28-31, 2017 Create fake Level 3 table 37 38

    39 40 41 42 43 44 45 46 47 48

48. March 28-31, 2017 Create fake pages 37 38 39 40

    41 42 43 44 45 46 47 48

49. March 28-31, 2017 49 50 51 52 53 54 55

    56 57 58 59 60 BBQit Framework

50. March 28-31, 2017 KPP bypass technique 49 50 51 52

    53 54 55 56 57 58 59 60

51. March 28-31, 2017 KPP bypass technique (continue) 49 50 51

    52 53 54 55 56 57 58 59 60

52. March 28-31, 2017 Achieving persistence strategies o  Find service that

    spawns on boot o  Check if it is running as root (optional) o  Find userland codesign bug o  Symlink system service to exec cs bypass 49 50 51 52 53 54 55 56 57 58 59 60

53. March 28-31, 2017 Achieving persistence example o  JavaScriptCore jsc interpreter

    o  Signed by Apple o  Can execute code on RWX segment o  Copy as system service to spawn on boot 49 50 51 52 53 54 55 56 57 58 59 60

54. March 28-31, 2017 Achieving persistence details 49 50 51 52

    53 54 55 56 57 58 59 60

55. March 28-31, 2017 SSH o  Copy dropbear or install Cydia

    o  tcprelay.py -t 22:4222 o  Password ‘alpine’ 49 50 51 52 53 54 55 56 57 58 59 60

56. March 28-31, 2017 Cydia o  Copy tar to /bin/tar o 

    tar -xvfp cydia.tar o  Optional /.cydia_no_stash o  Flush uicache using /usr/bin/uicache 49 50 51 52 53 54 55 56 57 58 59 60

57. March 28-31, 2017 o  New heap layout o  AMFI and

    Sandbox hardening o  KPP enhancements iOS 10 security enhancements 49 50 51 52 53 54 55 56 57 58 59 60

58. March 28-31, 2017 o  MISValidateSignatureAndCopyInfo Replace with CFEqual or similar

    will not work o  validateCodeDirectoryHashInDaemon possible race condition fixed o  Policy patches still work iOS 10 amfi mitigations 49 50 51 52 53 54 55 56 57 58 59 60

59. March 28-31, 2017 o  New operations boot-arg-set, fs-snapshot*, system-package-check, ...

    o  New hooks _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info ... iOS 10 sandbox mitigations 49 50 51 52 53 54 55 56 57 58 59 60

60. March 28-31, 2017 o  New kernelcache layout o  Now _got

    segments are protected o  New hardware migrations on iPhone 7/Plus iOS 10 KPP enhancements 49 50 51 52 53 54 55 56 57 58 59 60

61. March 28-31, 2017 KPP hardware mitigations o  AMCC o  Watch

    memory region for any access o  Prevents writing inside region o  Prevents exec outside region 61 62 63 64 65 66 67 68 69 70 71 72

62. March 28-31, 2017 KPP hardware mitigations 61 62 63 64

    65 66 67 68 69 70 71 72

63. March 28-31, 2017 Future of jailbreaks o  iOS is more

    secure on each release o  More security on hardware side o  Exploits will be more valuable o  But there will be bugs and write-ups 61 62 63 64 65 66 67 68 69 70 71 72

64. March 28-31, 2017 Black Hat Sound Bytes o  Jailbreak is

    doable with public bug info o  Patches and KPP bypass from this talk o  May the XNU source be with you 61 62 63 64 65 66 67 68 69 70 71 72

65. March 28-31, 2017 @FriedAppleTeam @mbazaliy @getorix @in7egral 61 62 63

    64 65 66 67 68 69 70 71 72