Post

0x02: Getting started in iOS Security Research using vphone-cli - Solving Challenges

Posted Updated
By jotals3
4 min read
0x02: Getting started in iOS Security Research using vphone-cli - Solving Challenges

For this second post about getting started in iOS security research, we will use the already configured environment to solve some arm64 exploitation challenges.

Playing around with the virtualized iPhone

We will use our virtualized iPhone to solve some simple arm64 exploitation exercises extracted from the 8ksec.io blog posts.

Before getting started…

Before starting with the challenges, we need to do some additional work in order to get our binaries to work on the virtualized iPhone. We will use the binary vuln provided by 8ksec’s in their ARM64 Reversing And Exploitation series, used in Part 1 and 2.

Signing the binary

If we directly copy the vuln binary into the virtualized phone (having previously created the challenges folder):

1

scp -P 2222 vuln mobile@127.0.0.1:/var/mobile/challenges

And try to execute it, we will be prompted with the following error:

1
2

iPhone:/var/mobile/challenges root# ./vuln 
zsh: killed     ./vuln

This is because iOS requires a code signature on every Mach-O, even on our jailbroken vphone. We can use the ldid tool to sign it directly because in this jailbroken variant it won’t be checked.

1

ldid -S vuln

If we now execute the signed version, we will be able to execute it normally:

1
2

iPhone:/var/mobile/challenges root# ./vuln
Better luck next time

There is another issue that I found while playing around with the exploitation exercises: the vuln binary isn’t able to call whoami.

The output looks like this:

1
2
3
4

    iPhone:/var/mobile/challenges root# ./vuln heap helloworld.txt
    Address of main function is 0x1004dbb24
    Heap overflow challenge. Execute a shell command of your choice on the device
    Welcome: from helloworld.txt, printing out the current user

When it should look like this:

1
2
3
4
5

    iPhone:/var/mobile/challenges root# ./vuln heap helloworld.txt
    Address of main function is 0x1004dbb24
    Heap overflow challenge. Execute a shell command of your choice on the device
    Welcome: from helloworld.txt, printing out the current user
>>> root

If we investigate a little bit further, we will see that the whoami binary is located in /var/jb/usr/bin/, and this path is configured in our PATH environment variable so it should be accessible, but for some reason it is not for vuln.

1
2
3
4
5
6
7
8

iPhone:/var/mobile/challenges root# whoami
root

iPhone:/var/mobile/challenges root# which whoami
/var/jb/usr/bin/whoami

iPhone:/var/mobile/challenges root# echo $PATH 
/usr/local/sbin:/var/jb/usr/local/sbin:/usr/local/bin:/var/jb/usr/local/bin:/usr/sbin:/var/jb/usr/sbin:/usr/bin:/var/jb/usr/bin:/sbin:/var/jb/sbin:/bin:/var/jb/bin:/usr/bin/X11:/var/jb/usr/bin/X11:/usr/games:/var/jb/usr/games

To address this issue, I simply decided to create a bunch of softlinks for those expected binaries so that they would be accessible from /bin. Doing this we faced another limitation, the filesystem is read-only:

1
2

iPhone:/var/mobile/challenges root# ln -s /var/jb/usr/bin/whoami /bin/whoami
ln: failed to create symbolic link '/bin/whoami': Read-only file system

Which we can simply solve by remount our root directory as writable:

1

iPhone:/var/mobile/challenges root# mount -u -w /

Creating the softlinks for our desired binaries didn’t work at first, until we reached bash. Linking /var/jb/usr/bin/bash to /bin/sh solved the issue.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

iPhone:/var/mobile/challenges root# ls /bin 
df  ps
iPhone:/var/mobile/challenges root# ./vuln heap helloworld.txt        
Address of main function is 0x104db3b24
Heap overflow challenge. Execute a shell command of your choice on the device
Welcome: from helloworld.txt, printing out the current user
iPhone:/var/mobile/challenges root# which bash                        
/var/jb/usr/bin/bash
iPhone:/var/mobile/challenges root# ln -s /var/jb/usr/bin/bash /bin/sh
iPhone:/var/mobile/challenges root# ls /bin                           
df  ps	sh
iPhone:/var/mobile/challenges root# ./vuln heap helloworld.txt        
Address of main function is 0x1004e3b24
Heap overflow challenge. Execute a shell command of your choice on the device
Welcome: from helloworld.txt, printing out the current user
root

Going a little bit further, if we reverse engineer the binary we will see that in reality, the binary calls whoami via the libc function system. From this function man page we can see that: The system() function hands the argument command to the command interpreter sh(1). The conclusion I arrived at, is that system wasn’t able to reach sh, and the lack of error handling in the binary was causing it to fail silently, which got fixed by adding the /bin/sh softlink.

Now we can finally move on with the challenges!

Heap Overflow

Reference: ARM64 Reversing And Exploitation Part 1 - ARM Instruction Set + Simple Heap Overflow

To be done…

Use After Free

Reference: ARM64 Reversing and Exploitation Part 2 - Use After Free

To be done…

ROP Chain

Reference: ARM64 Reversing and Exploitation Part 3 - A Simple ROP Chain

To be done…

ios-security
blog mobile ios apple security research lldb radare2 vphone-cli
This post is licensed under CC BY 4.0 by the author.