
Fried Apples: Jailbreak DIY

Max Bazaliy, Alex Hude, Vlad Putin

March 28-31, 2017


Who we are?

o  Security research group
o  Focused on hardware and software exploitation
o  Made various jailbreaks for iOS, tvOS, watchOS
o  Contributors to the jailbreak community

iOS Security Overview

o  Secure Boot Chain
o  Mandatory Code Signing
o  Sandbox
o  Exploit Mitigations
o  Data Protection
o  Secure Enclave Processor
What is a jailbreak?

o  Disable OS restrictions
o  Gain full access to the device
o  Install 3rd-party tools and apps
o  Exploit chain required

Jailbreak types

o  Tethered
   - Re-exploit device on each boot manually
o  Untethered
   - Re-exploit device on each boot automatically

Initial attack vector strategies

o  Application archive (IPA) based
o  USB payload based
o  WebKit\SMS\baseband based
Making a jailbreak if you have bugs

o  Write an exploit chain
o  Patch OS security restrictions
o  Install persistent binary
o  Add Cydia\ssh\remote shell

Making a jailbreak if you don't have bugs

o  Write an exploit chain -> Use public write-ups
o  Patch OS security restrictions
o  Install persistent binary
o  Add Cydia\ssh\remote shell

Implementation
Arbitrary code execution strategies

o  ROP
o  Binary with Mach-O bug
o  JavaScriptCore JIT region
o  Sign with dev\ent certificate

Bypassing sandbox strategies

o  TOCTOU \ Symlinks
o  XPC
o  Kernel patch

Escalating privileges strategies

o  Code injection in system service
o  Kernel patch

Bypassing KASLR strategies

o  Information leak
o  Brute force

Bypassing DEP strategies

o  JavaScriptCore JIT
o  Userland mmap\mprotect bug
o  Kernel patch
o  ROP chain
Seeking for patches in kernel

o  Static patchfinder (memmem)
   - memmem string\pattern, xref + instruction analysis
o  Dynamic patchfinder
   - syscall, sysctl, mach location, known structs + emulation

Kernel patches in detail

o  root
o  sandbox
o  task_for_pid(0)
o  __mac_mount
o  _mapForIO
o  amfi
Escalate privileges

o  Interesting APIs are restricted
o  task_for_pid, mount etc.

Escalate privileges patch

o  Find setreuid
o  Find ruid/euid checks
o  Patch to skip the reuid check condition

Escalate privileges patch detailed

Kernel task

o  Easy access to kernel memory
o  Required for some kernel utilities

Kernel task patch

o  Patch task_for_pid
o  Re-implement task_for_pid in ROP
o  Find kernel task in memory

Kernel task patch detailed
Apple Mobile File Integrity (AMFI)

o  Run unsigned code
o  Fake entitlements
o  Get other process tasks
o  Restrictions on mmap, mprotect etc.

AMFI patch

o  Patch amfi_get_out_of_my_way
o  Patch PE_i_can_has_debugger
o  Patch amfi mac policies

AMFI patch detailed

AMFI policy patch detailed

AMFI policies to patch
Sandbox

o  Access files outside the mobile container
o  Unrestrict usage of system APIs

Sandbox patch

o  Patch sb_evaluate (allow all)
o  Hook sb_evaluate
o  Patch sandbox mac policies

Sandbox patch detailed

Sandbox policies
__mac_mount

o  Remount system partition
o  Get write access to system partition

__mac_mount patch

o  Patch __mac_mount
o  Call mount_common from kernel

__mac_mount patch detailed
_mapForIO lock

o  “/” is mounted as read only
o  only “/private/var” can be written

_mapForIO lock patch

o  Patch _mapForIO
o  Patch PE_i_can_has_kernel_configuration

_mapForIO lock patch detailed
Kernel Patch Protection

Bypassing KPP strategies

o  Checks for kernel pages, MMU, sysregs
o  Execution on EL3
o  Can’t disable, can race or …

How KPP works?

Original translation table

Create fake Level 1 table

Create fake Level 2 table

Create fake Level 3 table

Create fake pages

BBQit Framework

KPP bypass technique

KPP bypass technique (continued)
Achieving persistence strategies

o  Find service that spawns on boot
o  Check if it is running as root (optional)
o  Find userland codesign bug
o  Symlink system service to exec cs bypass

Achieving persistence example

o  JavaScriptCore jsc interpreter
o  Signed by Apple
o  Can execute code on RWX segment
o  Copy as system service to spawn on boot

Achieving persistence details

SSH

o  Copy dropbear or install Cydia
o  tcprelay.py -t 22:4222
o  Password ‘alpine’

Cydia

o  Copy tar to /bin/tar
o  tar -xvfp cydia.tar
o  Optional /.cydia_no_stash
o  Flush uicache using /usr/bin/uicache
iOS 10 security enhancements

o  New heap layout
o  AMFI and Sandbox hardening
o  KPP enhancements

iOS 10 amfi mitigations

o  MISValidateSignatureAndCopyInfo
   - Replacing it with CFEqual or similar will not work
o  validateCodeDirectoryHashInDaemon
   - possible race condition fixed
o  Policy patches still work

iOS 10 sandbox mitigations

o  New operations
   - boot-arg-set, fs-snapshot*, system-package-check, ...
o  New hooks
   - _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info ...

iOS 10 KPP enhancements

o  New kernelcache layout
o  Now _got segments are protected
o  New hardware mitigations on iPhone 7/Plus

KPP hardware mitigations

o  AMCC
o  Watch memory region for any access
o  Prevents writing inside region
o  Prevents exec outside region
Future of jailbreaks

o  iOS is more secure on each release
o  More security on the hardware side
o  Exploits will be more valuable
o  But there will be bugs and write-ups

Black Hat Sound Bytes

o  Jailbreak is doable with public bug info
o  Patches and KPP bypass from this talk
o  May the XNU source be with you

@FriedAppleTeam
@mbazaliy @getorix @in7egral
