HitB2012Ams iPhone Jailbreak part 2: Absinthe Jailbreak for iOS
Frank Breedijk
Why had the A5 iOS devices not been jailbroken yet? Because there is no public boot-level exploit for them.
The team did it anyway. They found that the VPN settings weren't validated by configd before they were passed to racoon. Unfortunately, this injection was limited to 255 characters: not enough for the payload, but enough to inject an "include" directive.
But for this exploit to work, a VPN has to be started. How can this be triggered? Fortunately there is an on-demand feature that allows the VPN to be autostarted. The jailbreak even includes a web clip that makes this a single-tap action on the device.
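As an added illustration of the validation gap described above (constructed example code, not Absinthe's, configd's or racoon's own), the flawed pattern below drops a VPN setting into a racoon.conf fragment verbatim, while the hardened version enforces the 255-character limit and a character whitelist so the value cannot terminate its quoted field or add directives. The config shape, the field name and the whitelist are assumptions.

```python
import re

# Assumed, simplified racoon.conf fragment; not the real configd template.
CONFIG_TEMPLATE = 'remote anonymous {{\n    my_identifier fqdn "{value}";\n}}\n'
MAX_LEN = 255                              # the field limit the talk mentions
_SAFE = re.compile(r'[A-Za-z0-9._@-]+')    # assumed whitelist for an FQDN/user identifier


class InvalidSetting(ValueError):
    """Raised when a VPN setting would not stay inside its quoted config field."""


def render_unvalidated(value: str) -> str:
    """The flawed pattern: the setting is interpolated verbatim, so a closing
    quote followed by ';' or a newline starts new config statements."""
    return CONFIG_TEMPLATE.format(value=value)


def validate_identifier(value: str) -> str:
    """Hardened: enforce length and a whitelist, so the value cannot close the
    string, start a '#' comment or smuggle in an 'include' directive."""
    if not 0 < len(value) <= MAX_LEN:
        raise InvalidSetting(f"length {len(value)} outside 1..{MAX_LEN}")
    if not _SAFE.fullmatch(value):
        raise InvalidSetting("identifier contains characters outside the whitelist")
    return value


def is_valid_identifier(value: str) -> bool:
    try:
        validate_identifier(value)
        return True
    except InvalidSetting:
        return False


def render_validated(value: str) -> str:
    return CONFIG_TEMPLATE.format(value=validate_identifier(value))


def directives(config: str) -> list[str]:
    """Leading keyword of every statement in a rendered fragment ('#' starts a
    racoon comment). More statements than the template has means a value
    escaped its field; this is a crude check suitable for a unit test."""
    stripped = "\n".join(line.split("#")[0] for line in config.splitlines())
    words = []
    for stmt in re.split(r"[;{}]", stripped):
        stmt = stmt.strip()
        if stmt:
            words.append(stmt.split()[0])
    return words
```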
This still left the hurdle of bypassing ASLR. The iOS crash reporter comes to the rescue: a crash can be triggered by a NULL pointer dereference in the MobileBackup2 service, and the resulting report can then be copied from the device in the same way iTunes gathers crash reports.
Since crash reports contain the load addresses of the libraries, this reveals the base addresses chosen by ASLR.
But the stock copy of racoon is still sandboxed, so how do you escape this sandbox? The iOS sandbox framework consists of Seatbelt (the brains) and BSD Mandatory Access Control (MAC, the muscles). It even restricts processes run by root. However, Apple made a mistake in the protection of the entitlements section: this area can be patched so that the file becomes unavailable, and the sandbox profile is not protected by code signing.
So racoon can be patched to run without a sandbox, but how do you get the patched version onto the phone and executed?
The default configuration can be convinced to run with a patched configuration file. Still, another way to break out of the sandbox is needed.
The ptrace system call turns out to be unrestricted: it can be used to control an unsandboxed process by setting the program counter of another process.
The victim process for this exploit is notifyd, because it uses shared memory and has a fixed memory location that can be used to overflow buffers in yet another process.
The exploit was written with a ROP generation tool written by the team, which has macros for many common ROP operations.
The exploit works in these steps:
- Create a non-sandboxed version of racoon in a writable, chmod-able location
- Find the notifyd PID
- Put notifyd's main thread on the IPC thread
- Block notifyd with exploit IPC messages
- Write the rest of the ROP stack to shared memory (shm)
- Launch the exploit
David explained these steps in great detail.
Presentation materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/
ABOUT JOSHUA HILL (@p0sixninja)
Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.
ABOUT CYRIL (@pod2g)
Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He's a member of the Chronic-Dev Team and the original author of the Corona untether jailbreak.
ABOUT DAVID WANG (@planetbeing)
David Wang (@planetbeing) is a member of the iPhone Dev Team and former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices.
ABOUT NIKIAS BASSEN (@pimskeks)
Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and the main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of the communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped in creating Absinthe.