Independent security consultant Stefan Esser rose to fame earlier this year when the technique he developed for hacking iPhones was picked up by JailbreakMe and other jailbreaking services.
Britain's The Register caught up with the German researcher at the Black Hat security conference in Las Vegas on the eve of his planned presentation, entitled "Exploiting the iOS Kernel". Here are the highlights of the conversation, including information on an undocumented debugger that can only be reached by means of a custom-made connector:
In a nutshell, what is your presentation about?
The idea is that if you have remote code execution, you still face a big problem, because you still cannot do anything with the iPhone because of all of these protections. To disable these defenses, you need to get into the kernel. If you cannot do that, you cannot run a rootkit. So a rootkit requires a kernel exploit.
I'll explain how you can actually get into the kernel and how to exploit its various parts. I'll show you what to do in the kernel to disable these security features. Most people do not know how to exploit the kernel. This short course demonstrates how to do it.
Earlier you said that one way to exploit the iOS kernel is to use a secret feature. What is it?
It is the kernel debugger. In fact, it is not used. Developers are not supposed to have access to it. Apple does not even give iOS developers a normal way of getting access to it. It is available in Mac OS, and in the case of iOS it simply remains in the kernel. It helps an attacker make the exploit more stable and easier to create.
It is an Apple-approved debugger that is used for kernel driver development on Mac OS. On iOS such activities are not supported, but Apple has simply left it inside, perhaps believing that nobody will be able to use it, the idea being that the necessary interfaces, like Ethernet or serial, are not exposed on the surface of the iPhone. By default, there is no way to communicate with it on the iPhone.
How, then, do you get access to it?
If you look at the iPhone connector, there are two pins that are similar to those used for serial data transfer. There is no cable available to everyone, or anything else that would use these contacts, but you can make your own cable and send signals to the iPhone over the serial connection.
Does this mean that an attacker must have physical access to the iPhone he wants to exploit?
No. This is only for exploit development. It makes development much easier.
What kind of information does the debugger provide? Information that cannot be obtained in other ways?
The debugger gives you complete control over the processor at the moment of exploitation, so you can do anything. You can read memory, write memory, read the registers, change the registers. Development time is reduced, and there is no more fishing in the dark. It is like a bright light.
In short, how does exploitation of an iOS device work?
When you have the kernel debugger, you start with a bug in the kernel. When you have the bug, the first thing to do is write trigger code that will lead to a crash; then you either analyze the crash dump, or you take the debugger and try to get the jump into your embedded code.
I will also show how, in the case of a heap overflow, you can control the layout of the heap, so that you can write an exploit that uses the heap overflow area. So when you trigger the buffer overflow, you control what you overwrite and decide how to run the code in that situation.
How does exploitation on iOS differ from exploitation on Unix, Linux, Windows or OS X?
There are many similarities, especially between iOS and Mac OS. During the presentation I highlight some differences which in some cases complicate, and in other cases conversely simplify, exploitation on iOS. There are many known techniques, but they have never been applied to iOS before. There is growing evidence that it is possible, along with examples of current practice.
How would you describe iOS kernel exploitation to others? Is it more difficult?
The big difference is that iOS has digitally signed code, so you cannot just put any shellcode there, or use the Windows way: a ROP [return-oriented programming] payload that makes memory readable, writable and executable and then jumps there. That is impossible on iOS. On iOS you have to build the whole kernel exploit on the basis of return-oriented programming, which greatly complicates the creation of an actual exploit.
The security features make exploiting the iPhone kernel much more difficult, but once you get into the kernel, there is no protection inside the kernel against its exploitation. The kernel is designed to protect user space, but the kernel itself is not protected from the inside.
If you were advising Apple, what would you say: "Remove the debugger from iOS"?
In fact, it makes no sense to keep it inside. From a security standpoint, I would recommend that they remove it. There are also other features that are not actually used but make developing exploits easier. Apple could remove these things to make exploitation more difficult.
There is a feature of iOS and Mac OS that provides some information about the state of the heap. With this information, all the work of monitoring the heap becomes easier. It is possible to do without it, but this feature can make an exploit more stable and reliable.
What contacts have you had with Apple? Did you talk to someone in the security department about your work?
Not really. The only thing we talked about was their offering me a job.
When was this? Are you interested?
Immediately after I published the first exploit to jailbreak the iPhone, sometime in April. At the moment I am considering other options.