Jailbreak iOS 8.1.2 and Analyze Related Exploits

Published
Credit
Risk
2016.01.21
Proteas@360涅槃团队
Medium
CWE
CVE
Local
Remote
N/A
N/A
Yes
No

0x00 Introduction

This post mainly introduces:

1 my understanding on jailbreak
2 the working process of an iOS 8.1.2 jailbreak tool
3 the exploits used in a jailbreak
4 the exploitation method for each exploit

I wish that you could learn the process of a jailbreak, the exploits required for a jailbreak and some exploitation methods through this article. The specific content is as follows.

0x01 What is Jailbreak

To illustrate what jailbreak is, let’s first check out the things that we are not able to do without jailbreak:

Install ordinary apps with arbitrary signature and system apps
Install SSH
Add command line apps
Add a Daemon
Add or delete any files
Obtain any Mach Task
Forge Entitlements
Enable memory page to be writeable and executable

This list concludes the things that can only be done after a jailbreak on an iDevice. If you just scratch from the surface, the list can be very long. Here, we’ll conclude from a technical aspect and see what protection mechanisms of the iOS need to be compromised to achieve the aforementioned things:

fail the code signing mechanism
fail the protection to memory page (W+X)
fail the protection to disk partition (/dev/disk0s1s1)
fail the protection to Rootless, which is used to ensure system integrity;
Therefore, iOS jailbreak generally means to break the above three protection mechanisms.

0x02 Set a Target

The process of a jailbreak is actually the process to attack an iOS. Before we launch an attack, we have to set a target. In general, it is the iOS system, but this target is too broad to guide an attack. So we need a more specific one. But how do we determine a specific target? All we need is to find the parts that are responsible for corresponding protection methods in the system. Here are the targets that I conclude:

Kernel, amfid, libmiss.dylib:
Kernel: the protection mechanism to memory page is implemented solely in kernel.
Get root permission: it requires root permission to mount a disk partition.
Before we attack the final target, we’ll meet more obstacles (The system has multiple stages of defense) and these obstacles can be considered as stage goals. You’ll confront different obstacles on choosing different attack paths. However, if you start your attack through USB, the first one to bypass is a sandbox. So the sandbox is also a very important target.

The above is my interpretation on a jailbreak. Next I’ll illustrate the attacking flow, the exploits and exploitation used in the case of iOS 8.1.2.

More:
http://en.wooyun.io/2016/01/18/38.html

References:

http://en.wooyun.io/2016/01/18/38.html


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com