dmitry 'd1g1' evdokimov - blackbox analysis of ios apps
Post on 19-May-2015
Blackbox analysis of iOS apps
Dmitry 'D1g1' Evdokimov,
Security researcher at Digital Security (ERPScan)
© 2002—2013, Digital Security
#whoami
• Director of DSecRG (ERPScan Research Group)
• Section editor in the Xakep magazine
• Co-organizer of DEFCON Russia & ZeroNights
• Author of Python arsenal for RE
Specialized in finding vulnerabilities in binary applications without source code
Attention please!
It is not rocket science =)
This work is a compilation of public information and my own experience
Goals of this workshop
• How iOS and iOS applications work
• The basics of iOS vulnerabilities
• The skill of using common tools to find vulnerabilities in iOS apps
Agenda
1. iOS platform
   1. How it works, Objective-C, ARM, security mechanisms, jailbreak
2. Introduction to Objective-C
3. iOS apps
   1. Mach-O format, application structure, …
4. iOS vulns
5. Blackbox testing
   1. Static and dynamic analysis
iOS
• iOS is derived from OS X, with which it shares Darwin
• The kernel sources remain closed
• ARM
  • __arm__, ARM_ARCH
• Touch-based
• SpringBoard
• Security mechanisms
  • Sandbox as a jail
  • …
iOS security mechanisms
• Code Signing
- X.509v3 certificates
• Sandboxing (SeatBelt)
- Inability to break the app’s directory
- /var/mobile/Applications/<app-GUID>/
- Inability to access any other process
- Inability to use any hardware devices directly
- Inability to generate code dynamically
• Privilege separation
- Mobile user + Entitlements
Jailbreak
• Jailbreak depends on SW & HW
• Tethered
• Untethered
• Ability to access the file system: copy/edit any file in the system
• Bypassing sandbox restrictions: break out of the app’s directory
• Launching unsigned applications: launch applications that do not belong to the App Store
Apple about jailbreak
http://support.apple.com/kb/HT3743
ARM
• Advanced RISC Machine
• Load-store architecture
• Fixed-length instructions
• 3-address instruction formats
• Instructions:
  • Data transfer
  • Data processing
  • Control flow
ARM modes
1. ARM
• Length(Instr) = 4 bytes
2. Thumb
• Length(Instr) = 2 bytes
3. Thumb2
• Length(Instr) = 2/4 bytes
4. Jazelle
• Java bytecode + ARM/Thumb
ARM32
• Registers:
  • General Purpose: r0-r12
  • Stack Pointer: r13 (SP)
  • Link Register: r14 (LR)
  • Program Counter: r15 (PC)
  • Current Program Status Register (CPSR)
• Calling Convention:
  • Argument Values: r0-r3
  • Local Values: r4-r12
  • Return Value: r0
ARM 64-bit Architecture
1. iPhone 5S
2. AArch64 (ARM), ARM64 (Apple)
Divergences, divergences, divergences...
Development for iOS
• Mac
• Xcode
• gcc/LLVM/LLVM-gcc compilers
• iPhone Simulator (i386)
• Cocoa Touch
• Objective-C
• Other: HTML, JavaScript, C# & .NET (Xamarin)
Objective-C
• Object-oriented language
• Based on:
  • Strict superset of C
  • Smalltalk
Calling methods
C++    ObjectPointer->MethodName(param1, param2)
Obj-C  [ObjectPointer MethodName:param1 param2Name:param2]
       which the compiler lowers to a runtime call of the form (receiver, selector, arguments):
       objc_msgSend(ObjectPointer, "MethodName:param2Name:", param1, param2)
Message-sending runtime functions:
objc_msgSend()
objc_msgSendSuper()
objc_msgSend_fpret()
objc_msgSend_stret()
objc_msgSendSuper_stret()
objc_msgSendSuper2()
Go to device
• Jailbreak
• Cydia
• SSH/putty
• itunnel_mux
• WinSCP/scp
Prepare env in device
• otool
• class-dump-z
• APT 0.6 Transitional
• apt-get
• Command line tools
  • curl, dpkg, file, grep, netcat, python, sed, …
Install apps from console
• Debian package
    dpkg -i <package.deb>
    killall -HUP SpringBoard
• App without developer license, or patched
    scp -r HelloWorld.app/ root@yourIP:/Applications/
    uicache
    killall -HUP SpringBoard
• IPA:
  - IPA Installer Console
  - iPhone Configuration Utility
Useful commands
• cd /private/var/mobile/Applications
• find . -name '*Appname*'
• cd /private/var/mobile/Applications
• ls -l | grep 'Time'
Applications
• AppStore
• IPA packages = ZIP files
• On devices: /private/var/mobile/Applications/<UUID>/<AppName>.app/
• Apple apps: /Applications/
Mach-O file format basic structure
Mach-O header
1. 32-bit (ARMv6, ARMv7)
   • 0xFEEDFACE
2. 64-bit
   • 0xFEEDFACF
3. Universal binaries (FAT)
   • 0xCAFEBABE
Application structure
AppName.app/          App
Documents/            Data files saved by the app
Library/              Miscellaneous app files
iTunesArtwork         App icon
iTunesMetadata.plist  The property list of the app
tmp/                  Directory for temporary files
Decrypt app from AppStore
1. gdb
   • Choosing the right architecture (if FAT)
   • Breakpoint at start
2. Clutch
3. dumpdecrypted.dylib
Decrypt
• Clutch
  • /var/root/Documents/Cracked/
• dumpdecrypted.dylib
OWASP Mobile Top 10 Risks
Traffic analysis
• Passive network traffic monitoring with tcpdump, then load the *.pcap file into Wireshark for analysis
• Gateway method
• BurpSuite
  • HTTPS: import the PortSwigger CA to the iDevice
• dnsRedir
• Mallory (by Intrepidus Group)
Certificate pinning?!
• Pinning is the process of associating a host with their expected X509 certificate or public key.
• OWASP
  • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#iOS
• Attack
  • trustme (SecTrustEvaluate)
  • ios-ssl-killswitch (SSLCreateContext, SSLSetSessionOption, SSLHandshake)
Working with SSL certificates
• NSURLConnection class
• Accepting a self-signed certificate or incorrect error processing
  • allowsAnyHTTPSCertificateForHost
  • setAllowsAnyHTTPSCertificate
  • continueWithoutCredentialForAuthenticationChallenge
CFStreams sockets
• kCFStreamPropertySSLSettings
  • kCFStreamSSLLevel
  • kCFStreamSSLAllowsExpiredCertificates
  • kCFStreamSSLAllowsExpiredRoots
  • kCFStreamSSLAllowsAnyRoot
  • kCFStreamSSLValidatesCertificateChain
  • kCFStreamSSLPeerName
Cross-site scripting
• UIWebView class
  • stringByEvaluatingJavaScriptFromString
  • shouldStartLoadWithRequest
List of interesting strings
• Don’t use and don’t leak
  • UDID
  • IMEI
  • ICCID
  • PII
  • OSN-ID
  • LID
XML injections
• XML External Entity (XXE) flaws
• NSXMLParser class
  • setShouldResolveExternalEntities
  • foundExternalEntityDeclarationWithName
• libxml2 library
  • _xmlParseMemory
• 3rd party libraries and classes
Directory traversal
• NSFileManager class
  • contentsAtPath
  • fileHandleForReadingAtPath
• C functions
  • fopen
  • …
File storage
• NSFileManager class
• NSFileProtectionKey attribute
  • NSFileProtectionNone
  • NSFileProtectionComplete
  • NSFileProtectionCompleteUnlessOpen
  • NSFileProtectionCompleteUntilFirstUserAuthentication
• Tools:
  • filemon.iOS
  • FileDP
filemon.iOS
Plist files
• plist – property lists
• Serialized objects
• XML
• NSUserDefaults class
• Tools:
  • Python library: plistlib, bplist
  • plist Editor
  • plutil
    plutil -convert xml1
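Added example, not from the slides: a plistlib-based scanner for the preference and metadata plists an app leaves on the device. It loads XML and binary plists alike (plistlib sniffs the format, as plutil does), walks nested dicts and lists, and reports keys that look like credentials or the identifiers from the "interesting strings" list; the sample preferences file and the SENSITIVE key pattern are constructed here.

```python
import plistlib
import re

# Key names that should not be sitting in an app's plist files (constructed list)
SENSITIVE = re.compile(r"pass(word)?|token|secret|api[_-]?key|udid|imei|iccid", re.I)

def find_sensitive(node, path="", hits=None):
    """Walk a decoded plist and collect (key path, value) for suspicious keys."""
    if hits is None:
        hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            sub = "%s/%s" % (path, key)
            if SENSITIVE.search(str(key)):
                hits.append((sub, val))
            find_sensitive(val, sub, hits)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            find_sensitive(val, "%s[%d]" % (path, i), hits)
    return hits

def scan_plist(blob):
    """Accept XML or binary plist bytes; plistlib sniffs the format like plutil."""
    return find_sensitive(plistlib.loads(blob))

def to_xml(blob):
    """Same conversion as `plutil -convert xml1`, for reading on the workstation."""
    return plistlib.dumps(plistlib.loads(blob), fmt=plistlib.FMT_XML).decode()

# Constructed sample standing in for Library/Preferences/<bundle-id>.plist as
# written by NSUserDefaults; stored as a binary plist, as on the device
SAMPLE_PREFS = plistlib.dumps({
    "username": "alice",
    "SessionToken": "PLACEHOLDER-TOKEN",
    "accounts": [{"host": "example.invalid", "password": "PLACEHOLDER"}],
    "DeviceUDID": "PLACEHOLDER-UDID",
    "fontSize": 12,
}, fmt=plistlib.FMT_BINARY)
```

Run scan_plist over every *.plist pulled from the app container with scp; a non-empty result is a finding to verify by hand.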
SQLite and SQL injections
• SQLite database
  • /usr/lib/libsqlite3.dylib
  • /<GUID>/Documents/
  • *.sqlite, *.db, *.sqlite3
• sqlite3_open
• sqlite3_prepare_v2
• sqlite3_step
• Use parameterized queries
  • sqlite3_bind_*
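Added example, not from the slides: the injectable and the parameterized form of the same SQLite lookup side by side, using Python's sqlite3 module against a constructed in-memory table so it runs offline. The `?` placeholder is the same mechanism as sqlite3_prepare_v2() plus sqlite3_bind_*() in the native API, which is what to look for when reviewing a binary's SQLite calls.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for an app's Documents/*.sqlite store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)",
                   [("alice", "alice note"), ("bob", "bob secret")])
    return db

def notes_for_vulnerable(db, owner):
    """Query text built by string formatting: the pattern to flag in a binary,
    a sprintf()-style buffer handed straight to sqlite3_prepare_v2()."""
    sql = "SELECT body FROM notes WHERE owner = '%s' ORDER BY rowid" % owner
    return [row[0] for row in db.execute(sql)]

def notes_for_safe(db, owner):
    """'?' placeholder: the value is bound the way sqlite3_bind_text() does it,
    so the input is data and is never parsed as SQL."""
    sql = "SELECT body FROM notes WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in db.execute(sql, (owner,))]

# Constructed probe value, the kind of input a blackbox test sends through the UI
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(notes_for_vulnerable(db, PROBE))   # every user's rows come back
    print(notes_for_safe(db, PROBE))         # []
```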
Keychain
• Secure storage
• File /private/var/Keychains/keychain-2.db
• SecItemAdd()
• SecItemUpdate()
• SecItemCopyMatching()
• SecItemDelete()
• Tools:
  • keychain_dumper
  • keychain_dump
Cookies
• Persistent cookies: Cookies.binarycookies
  • /private/var/mobile/Library/
  • /private/var/mobile/<App GUID>/Library/Cookies
• Tool: BinaryCookieReader.py
Logs
NSLog()
Tools:
• iPhone Configuration Utility
• syslogd
Cache
• UIPasteboard class
  • generalPasteboard
• Backgrounding
  • <Application GUID>/Library/Caches/Snapshots/*/*.png
  • applicationDidEnterBackground
• Keyboard cache
  • /var/mobile/Library/Keyboard/en_GB-dynamic-text.dat
  • secureTextEntry = Yes
  • autocorrectionType = UITextAutocorrectionTypeNo
IPC
• URL schemes
  • handleOpenURL
  • openURL
  • http://wiki.akosma.com/IPhone_URL_Schemes
Memory corruptions
• Obj-C + C/C++ function =
• Format string
  • NSLog()
  • [NSString stringWithFormat:]
  • [NSString initWithFormat:]
  • [NSMutableString appendFormat:]
  • [NSAlert informativeTextWithFormat:]
  • [NSPredicate predicateWithFormat:]
  • [NSException format:]
  • NSRunAlertPanel
• Buffer overflow
• Use-after-free
Check for exploit mitigations
• Stack cookie
  • _stack_chk_fail
  • _stack_chk_guard
• PIE
• ARC
  • _objc_release
  • _objc_retainAutoreleaseReturnValue
  • _objc_autoreleaseReturnValue
  • _objc_storeStrong
  • _objc_retain
  • _objc_retainAutoreleasedReturnValue
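Added example, not from the slides: a small Mach-O header parser that covers three checks from this deck in one pass. It tells the 0xFEEDFACE / 0xFEEDFACF / 0xCAFEBABE magics apart and walks the FAT slices (the "choosing the right architecture" step of the decrypt slide), reads the cryptid of LC_ENCRYPTION_INFO to tell whether App Store encryption is still in place, and reports the MH_PIE header flag from the mitigation list above. Constant values are those of Apple's <mach-o/loader.h> and <mach-o/fat.h>; the FAT sample file is constructed in the block and carries headers only.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_PIE = 0x200000                                  # mach_header flag: ASLR-capable executable
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {12: "arm", 0x0100000C: "arm64", 7: "i386", 0x01000007: "x86_64"}

def parse_thin(blob, off=0):
    """One thin Mach-O at `off`: word size, CPU, PIE flag, App Store encryption state."""
    magic = struct.unpack_from("<I", blob, off)[0]
    if magic == MH_MAGIC:
        hdr_fmt, bits = "<7I", 32
    elif magic == MH_MAGIC_64:
        hdr_fmt, bits = "<8I", 64                  # mach_header_64 adds a reserved field
    else:
        raise ValueError("not a thin Mach-O header: 0x%08X" % magic)
    hdr = struct.unpack_from(hdr_fmt, blob, off)
    cputype, ncmds, flags = hdr[1], hdr[4], hdr[6]
    info = {"bits": bits, "cpu": CPU_NAMES.get(cputype, hex(cputype)),
            "pie": bool(flags & MH_PIE), "encrypted": False}
    pos = off + struct.calcsize(hdr_fmt)
    for _ in range(ncmds):                         # walk the load commands
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid = struct.unpack_from("<I", blob, pos + 16)[0]
            info["encrypted"] = cryptid != 0       # 0 after Clutch/dumpdecrypted
        pos += cmdsize
    return info

def parse_macho(blob):
    """FAT (universal) wrapper or a single thin file -> per-slice results."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:   # fat_header is big-endian
        nfat = struct.unpack_from(">I", blob, 4)[0]
        offs = [struct.unpack_from(">5I", blob, 8 + 20 * i)[2] for i in range(nfat)]
        return {"fat": True, "slices": [parse_thin(blob, o) for o in offs]}
    return {"fat": False, "slices": [parse_thin(blob)]}

# Constructed sample input: headers plus one load command each, no real code
def _thin(magic, cputype, flags, cryptid):
    if magic == MH_MAGIC_64:
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x1000, 0x4000, cryptid, 0)
        return struct.pack("<8I", magic, cputype, 0, 2, 1, len(lc), flags, 0) + lc
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    return struct.pack("<7I", magic, cputype, 0, 2, 1, len(lc), flags) + lc

ARM32 = _thin(MH_MAGIC, 12, 0, 1)                  # still encrypted, no PIE
ARM64 = _thin(MH_MAGIC_64, 0x0100000C, MH_PIE, 0)  # dumped, PIE
FAT = struct.pack(">II", FAT_MAGIC, 2) + struct.pack(">5I", 12, 0, 64, len(ARM32), 12)
FAT += struct.pack(">5I", 0x0100000C, 0, 128, len(ARM64), 14)
FAT = FAT.ljust(64, b"\0") + ARM32 + b"\0" * (128 - 64 - len(ARM32)) + ARM64
```

On a real binary call parse_macho(open(path, "rb").read()); a slice reporting encrypted=True still needs the gdb/Clutch/dumpdecrypted step before class-dump-z or IDA will show anything useful.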
TOOLS
IDA Pro
radare2 ARM64 Mach-O
1. ???
Hopper
iNalyzer
cycript
Introspy
Snoop-it
Q&A
d.evdokimov@dsec.ru
@evdokimovds