Well, I finally started working with mobile devices from the newer era, namely iOS (as you might know, with older Windows Mobile devices I did some hacking back in 2010 at Hacktivity – a presentation that was a complete disaster, but that I learned a lot from), and my first finding is related to MobileSafari in some way, so I decided to have a look at the exploit code behind JailbreakMe.com 3.0.
Of course, first of all I needed a device that is compatible with JailbreakMe.com, which isn’t as easy as it sounds. Why? Because of the way Apple deploys firmware to its devices. Every single time you would like to restore your iOS device to a certain iOS version, iTunes (for beginners: the program you use to initiate and manage the restore process from your computer) makes a request to Apple’s server to ask for a cryptographic signature that is specific to your iOS device.
After it gets the signature it passes it to the device, together with the firmware image. The device checks the signature and if everything is OK it starts the restore process. There is also some encryption involved in the background, but to keep things simple I will say that without Apple’s signature you cannot flash any firmware onto the device. Many people have tried to circumvent this, but it is not possible (yet), so what most people do is save the signature for later use (the signature is not protected against replay attacks and the request which needs to be sent to Apple is easy to understand), meaning that once you have a signature for a certain device and a certain iOS version you can always restore to that version (the signature files are known as SHSH blobs).
This means that once Apple rolls out a new version of iOS it simply stops signing any requests for older versions, forcing anyone who tries to restore to an older version to upgrade. Since the last version of JailbreakMe.com (v3.0) works only on iOS 4.3-4.3.3, I needed a device with SHSH blobs saved for one of those iOS versions.
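To make the replay point above concrete, here is an added model of the signing flow (my own illustration, not Apple's code or anything from JailbreakMe). It assumes an HMAC under a server-only key as a stand-in for Apple's signature, a constructed device id and firmware hash, and contrasts the SHSH-style blob (signed over device id and image hash only) with a variant that also signs a per-restore nonce chosen by the device.

```python
import hashlib
import hmac
import secrets

# Stand-in for Apple's signing key. The real scheme uses public-key signatures;
# an HMAC models "only the server can produce a valid blob" well enough offline.
SERVER_KEY = b"constructed-demo-key"                           # constructed value

ECID = b"device-ecid-0001"                                     # constructed device id
IPSW_433 = hashlib.sha256(b"iOS 4.3.3 firmware").digest()      # constructed image hash


def sign_blob(ecid: bytes, ipsw_hash: bytes, nonce: bytes = b"") -> bytes:
    """Server side: the blob covers the device id and the firmware image hash.
    With nonce=b"" this is the SHSH-style scheme described in the post."""
    return hmac.new(SERVER_KEY, ecid + ipsw_hash + nonce, hashlib.sha256).digest()


def device_accepts(ecid: bytes, ipsw_hash: bytes, blob: bytes, nonce: bytes = b"") -> bool:
    """Device side: recompute the expected blob and compare in constant time."""
    return hmac.compare_digest(sign_blob(ecid, ipsw_hash, nonce), blob)


def replay_without_nonce() -> bool:
    """Blob saved while 4.3.3 was still being signed. Later the server refuses
    to sign, but the saved blob still verifies: nothing ties it to this restore."""
    saved_blob = sign_blob(ECID, IPSW_433)      # captured during the signing window
    server_still_signs = False                  # Apple has moved on to a newer iOS
    if server_still_signs:
        return True
    return device_accepts(ECID, IPSW_433, saved_blob)   # True: the replay succeeds


def replay_with_nonce() -> bool:
    """Same flow, but the device picks a fresh nonce for every restore and the
    server signs it too; the blob saved under the old nonce no longer matches."""
    old_nonce = secrets.token_bytes(16)
    saved_blob = sign_blob(ECID, IPSW_433, old_nonce)
    new_nonce = secrets.token_bytes(16)          # fresh challenge for this restore
    return device_accepts(ECID, IPSW_433, saved_blob, new_nonce)   # False


if __name__ == "__main__":
    print("SHSH-style blob replayed:", replay_without_nonce())
    print("nonce-bound blob replayed:", replay_with_nonce())
```

The first function is exactly why saving blobs works for downgrading; the second shows the one ingredient (a device-chosen, per-restore nonce inside the signed data) that would close the replay.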
Somehow I always have a little bit of fortune in these situations, because after only a few hours of looking on the internet I found an iPod Touch 3G which had been jailbroken and was running iOS 5.0.1. Good news, but I needed something older, so I met the guy and had a look at the device. You can’t imagine my joy and happiness when I saw his Cydia home screen: “SHSH blobs are available for: iOS 4.3.3, iOS 5.0, iOS 5.0.1”
I bought the iTouch immediately.
OK, having the device itself is great. I restored it to 4.3.3, went to JailbreakMe.com, clicked “Install” and it worked. So far so good, but I want to do more: I want to customize the payload of the jailbreak. How can I do that? Well, let’s start by understanding what JailbreakMe.com is doing:
1. Based on your User-Agent it decides which exploit you need (there is one main exploit, which has been compiled for all the compatible devices and iOS versions)
2. When you hit Install it serves you a crafted PDF file with a special font embedded in it; basically (as far as I understand) the font-parser engine has the vulnerability that allows comex (the creator of the exploit) to posix_spawn() a process with root privileges
3. posix_spawn() runs a binary that was extracted from the PDF to /tmp (it is called locutus), and that binary takes care of the rest: downloading the necessary files and installing them onto the device
4. Comex is a real Apple guy, so he spent some time on the eye-candy: he hooks into the SpringBoard process of iOS (SpringBoard is responsible for the UI of iOS) to show a Cydia icon with a progress bar under it, imitating what you see when you install something from the App Store (that is quite funny to me, it truly looks like I am just installing something from the App Store :D)
So, knowing this, I decided to go on and change locutus, since it is the process which can do anything: it has root privileges, so it is really the jackpot. I don’t even need to know exactly what the exploit does if I can change its payload, right? (kind of a Metasploit idea :D)
How can I change what locutus does? Well, all the source code of the exploit is online:
So, the first step would be to download all the code and do a trial run to see if I can reproduce at all the same PDF files comex is hosting at JailbreakMe. In the next episode I will show why this isn’t as easy as ‘git clone && ./configure && make’ and profit.