iOS 8.1.2 jailbreak process in detail and the associated vulnerability analysis - Vulnerability Warning - 黑吧安全网 (myhack58)

2016-01-11T00:00:00
ID MYHACK58:62201670899
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-01-11T00:00:00

Description

This article mainly covers my own understanding of jailbreaking, the working process of the iOS 8.1.2 jailbreak tool, the vulnerabilities used in the jailbreak process, and the way each vulnerability is used. I hope it gives everyone an understanding of the jailbreak process, the types of vulnerability a jailbreak needs, and some of the exploitation techniques involved. The specific content is as follows.

0x01 What is jailbreaking

To explain what jailbreaking is, we first look at what a jailbroken device can do that an unjailbroken one cannot:

- Install normal applications and system applications with any signature
- Install SSH
- Add command-line programs
- Add daemons
- Add and delete any file
- Obtain any Mach task
- Forge entitlements
- Make a memory page writable and executable at the same time
- ......

The list above shows what can be done on the iDevice only after jailbreaking. Listed purely by appearance it could become very long, so below we summarize from the technical side, looking at which iOS protection mechanisms have to be broken before the things above become possible:

- Break the code signing mechanism
- Break the memory page protection mechanism (W+X)
- Break the protection of the disk partition /dev/disk0s1s1
- Break the Rootless protection mechanism, which mainly protects the integrity of the system

So the "jail" in iOS refers to the three protection mechanisms above, and jailbreaking refers to the destruction of these protection mechanisms.

0x02 Determining the target

The jailbreak process is in fact a process of attacking the iOS system, and before launching the attack we first need to determine the target. Of course, in the big picture the target is the iOS system, but that goal is too broad to guide the attack process; we need a more precise target. How do we determine the exact target? As long as we find which part of the system is responsible for the relevant protection mechanism, we can determine the final target of the attack. The following is my summary of the attack targets:

- Kernel, amfid, libmis.dylib: these three together implement code signing
- Kernel: protection of memory page attributes is implemented entirely in the kernel
- Root privileges: re-mounting the disk partition requires root permissions

Of course, before reaching the final target we will run into obstacles. The system has multiple lines of defense, and these obstacles can be treated as intermediate targets. Different attack paths meet different intermediate targets, but an attack launched over USB first needs to break out of the sandbox, so the sandbox is also an important target.

The above is my personal understanding of jailbreaking. Below, the iOS 8.1.2 jailbreak is used as an example to describe in detail the attack process, the vulnerabilities used, and how each vulnerability is used.

0x03 Attack overview

For an attack launched over USB, the first problem to solve is how to break the sandbox. "Sandbox" here does not refer only to the constraints Sandbox.kext places on process behaviour, but to the concept in the broad sense; the whole of iOS can be understood as a sandbox. By default the sandbox exposes only the following services:

Figure 1: services exposed by the sandbox

The iOS 8.1.2 jailbreak tool uses the Mobile Backup vulnerability (CVE-2015-1087) together with the AFC vulnerability (CVE-2014-4480) to escape the sandbox, and then uses the Image Mounter vulnerability (CVE-2015-1062) to achieve arbitrary code execution in user space. To execute arbitrary code in user space, the code signature verification problem must be solved; the jailbreak tool uses the dyld vulnerability (CVE-2014-4455) to make amfid load a fake libmis.dylib, and thereby bypasses code signing.

With the conditions for arbitrary user-space code execution met, the jailbreak tool next runs the Untether with root privileges through an auxiliary tool. The Untether's main work is first to re-mount the read-only disk partition as writable, and then to copy the payload in /var/mobile/Media to the system directory. After that the Untether mainly attacks the kernel, in one of two ways:

The first way: use a kernel vulnerability (CVE-2014-4491) to obtain the kernel's start address, i.e. the KASLR slide, then combine a kernel vulnerability (CVE-2014-4496) with the IOHIDFamily vulnerability (CVE-2014-4487) to achieve arbitrary code execution in kernel space and write to the kernel. Next, use the Kernel Patch Finder to locate the code points of the protection mechanisms mentioned above together with some ROP gadgets, and construct a ROP chain to patch the kernel.

The second way: use a kernel vulnerability (CVE-2014-4496) to obtain the KASLR slide, then use the IOHIDFamily vulnerability (CVE-2014-4487) to construct an arbitrary-size kernel read, use it to read a known object's virtual function table, and from that calculate the kernel's load base address; the remaining steps are the same as in the first way. The second way therefore uses one vulnerability fewer.

The above is a rough description of the whole jailbreak process, intended to give everyone a general impression. The details of the attack process are introduced below.

0x04 The attack process

1. Breaking the sandbox

Related vulnerabilities: CVE-2014-4480

    AppleFileConduit – Fixed in iOS 8.1.3
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A maliciously crafted afc command may allow access to protected parts of the filesystem
    Description: A vulnerability existed in the symbolic linking mechanism of afc. This issue was addressed by adding additional path checks.
    CVE-ID
    CVE-2014-4480 : TaiG Jailbreak Team

Table 1: CVE-2014-4480

CVE-2015-1087

    Backup – Fixed in iOS 8.3
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: An attacker may be able to use the backup system to access restricted areas of the file system
    Description: An issue existed in the relative path evaluation logic of the backup system. This issue was addressed through improved path evaluation.
    CVE-ID
    CVE-2015-1087 : TaiG Jailbreak Team

Table 2: CVE-2015-1087

Prepare the directory structure

Use the AFC service to create directories, files and soft links.

Create directories:

    PublicStaging/cache/mmap
    _ex/a/b/c
    _ex/var/mobile/Media/PublicStaging/cache
    _mx/a/b/c/d/e/f/g
    _mxto/private/var

Create empty files:

    _ex/var/mobile/Media/PublicStaging/cache/mmap
    _mxto/private/var/run

Create soft links:

    _ex/a/b/c/c -> ../../../var/mobile/Media/PublicStaging/cache/mmap
    _mx/a/b/c/d/e/f/g/c -> ../../../../../../../private/var/run
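Both advisories above describe the same missing defence: a path check that does not account for symbolic links or for relative-path evaluation. As an added example that is not part of the original article or of any Apple or TaiG code, the Python below recreates the directory and link layout listed above inside a temporary directory (the `_ex`/`_mx`/`_mxto` names follow the article; the extra `escape` link with nine `..` components is constructed here for illustration) and contrasts a purely lexical containment check with one that resolves symlinks the way the kernel does before deciding whether a path stays inside the service's root.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_within_root(root: str, rel_path: str) -> bool:
    """Return True only if rel_path, evaluated against root with every
    symlink and '..' component followed as the kernel would follow them,
    still lands inside root.  os.path.realpath is non-strict, so a link
    whose target does not exist yet is still resolved and still rejected
    when that target lies outside root."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, rel_path))
    return target == real_root or target.startswith(real_root + os.sep)


def naive_lexical_check(root: str, rel_path: str) -> bool:
    """The weak form of the check: collapse '..' lexically and never look
    at the filesystem.  A symlink pointing outside root passes because its
    name looks like an ordinary directory entry."""
    target = os.path.normpath(os.path.join(root, rel_path))
    return target == root or target.startswith(root + os.sep)


def build_layout(media_root: str) -> None:
    """Construct (for this example) the layout from the article under a
    throwaway media root, plus one extra link that climbs past the root."""
    for d in ("PublicStaging/cache/mmap", "_ex/a/b/c",
              "_ex/var/mobile/Media/PublicStaging/cache",
              "_mx/a/b/c/d/e/f/g", "_mxto/private/var"):
        os.makedirs(os.path.join(media_root, d))
    Path(media_root, "_ex/var/mobile/Media/PublicStaging/cache/mmap").touch()
    Path(media_root, "_mxto/private/var/run").touch()
    # The two links from the article: both resolve to paths under media_root.
    os.symlink("../../../var/mobile/Media/PublicStaging/cache/mmap",
               os.path.join(media_root, "_ex/a/b/c/c"))
    os.symlink("../../../../../../../private/var/run",
               os.path.join(media_root, "_mx/a/b/c/d/e/f/g/c"))
    # Constructed extra link: nine '..' from g/ leaves media_root entirely.
    os.symlink("../../../../../../../../../private/var/run",
               os.path.join(media_root, "_mx/a/b/c/d/e/f/g/escape"))


def demo() -> dict:
    """Build the layout in a temporary directory, evaluate a few paths with
    both checks, clean up, and return {path: (lexical_ok, resolved_ok)}."""
    media_root = tempfile.mkdtemp(prefix="media_")
    try:
        build_layout(media_root)
        probes = [
            "PublicStaging/cache/mmap",      # ordinary in-root path
            "_ex/a/b/c/c",                   # link, resolves inside root
            "_mx/a/b/c/d/e/f/g/c",           # link, resolves inside root
            "_mx/a/b/c/d/e/f/g/escape",      # link, resolves outside root
            "../../etc/passwd",              # plain '..' traversal, no link
        ]
        return {p: (naive_lexical_check(media_root, p),
                    resolve_within_root(media_root, p)) for p in probes}
    finally:
        shutil.rmtree(media_root, ignore_errors=True)


if __name__ == "__main__":
    for path, (lexical, resolved) in demo().items():
        print(f"{path:30s} lexical={lexical!s:5s} resolved={resolved}")
```

The lexical check catches the plain `../../etc/passwd` case but accepts the `escape` link, because after normalisation its name sits under the root; only the check that resolves links rejects it. Note the order of operations: links must be resolved first and `..` collapsed afterwards, since collapsing `a/link/..` lexically before looking at `link` is exactly the mistake that lets a relative path evaluate differently from how the kernel will open it.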
