launchd says Binary is improperly signed when loading dlyb

Postby MisTerX » Tue Apr 05, 2016 1:47 pm

Hi,

I'm getting the following error when trying to load a dynamic library into a platform binary (using cinject) in iOS 9.X.

Is there a way to get around this error? Where should I look for the cause of this error?
Where in the iOS kernel is this check performed?

Thanks,
MisTerX

Re: launchd says Binary is improperly signed when loading dl

Postby morpheus » Wed Apr 06, 2016 12:13 am

Hello Itay,

Platform binaries are protected from injection - library validation is on by default for those. Unless they have the entitlement (skip-library-validation), any dependent dylibs will be validated according to the CODE_SIGNING_DRs. You can check which libs are allowed with jtool --sig, which will also dump the libraries, which should be the same as jtool -L (showing dependencies).

To get around this: self sign the platform binary. It won't be a platform app anymore (though you can re-entitle it with platform-application/true), and you can strip the CODE_SIGNING_DRs (jtool -rC will remove load commands).

Btw, it would help if, when referring to errors, etc., you provide more detail, e.g. output of WHICH binary you are referring to and the exact syslog/asl output, as well as any jtool --whatever output.
morpheus

Re: launchd says Binary is improperly signed when loading dl

Postby MisTerX » Wed Apr 06, 2016 8:03 am

Hi,

My interest is in the binary mediaserverd.

According to your reply - if I understand correctly,

I need to do the following:

1. Add the entitlement 'skip-library-validation' and self sign (using ldid is ok?) the binary mediaserverd.
2. After step #1 - run jtool -rC to remove the load command? (Won't it break the signature that I self-signed? Should I do it before step 1?)

How can I (do I need to?) add LC_LOAD_DYLIB with my own dylib?

Another question - is this security mechanism different for 32-bit platforms?

Thanks,
MisTerX

Re: launchd says Binary is improperly signed when loading dl

Postby MisTerX » Wed Apr 06, 2016 4:00 pm

I tried to self-sign the mediaserverd after removing the old signatures (because the --sign signature didn't override) - this binary doesn't have a CODE_SIGNING_DRs load command (see below the LC list). I removed the signature load command
and re-signed it with the new entitlement (based on the old one, just adding the new com.apple.private.skip-library-validation ent).

➜ jtool ./jtool -l --curses ../mediaserverd
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO
LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x10001c000 __TEXT
Mem: 0x100003908-0x1000157e0 __TEXT.__text (Normal)
Mem: 0x1000157e0-0x100015e70 __TEXT.__stubs (Symbol Stubs)
Mem: 0x100015e70-0x100016500 __TEXT.__stub_helper (Normal)
Mem: 0x100016500-0x10001b130 __TEXT.__const
Mem: 0x10001b130-0x10001b5b0 __TEXT.__gcc_except_tab
Mem: 0x10001b5b0-0x10001bb73 __TEXT.__cstring (C-String Literals)
Mem: 0x10001bb73-0x10001bc05 __TEXT.__objc_methname (C-String Literals)
Mem: 0x10001bc05-0x10001bdab __TEXT.__info_plist
Mem: 0x10001bdac-0x10001bff8 __TEXT.__unwind_info
LC 02: LC_SEGMENT_64 Mem: 0x10001c000-0x100020000 __DATA
Mem: 0x10001c000-0x10001c0a0 __DATA.__got (Non-Lazy Symbol Ptrs)
Mem: 0x10001c0a0-0x10001c500 __DATA.__la_symbol_ptr (Lazy Symbol Ptrs)
Mem: 0x10001c500-0x10001cb58 __DATA.__const
Mem: 0x10001cb58-0x10001cb98 __DATA.__cfstring
Mem: 0x10001cb98-0x10001cba0 __DATA.__objc_imageinfo
Mem: 0x10001cba0-0x10001cbe0 __DATA.__objc_selrefs (Literal Pointers)
Mem: 0x10001cbe0-0x10001cbf0 __DATA.__objc_classrefs (Normal)
Mem: 0x10001cbf0-0x10001ce30 __DATA.__data
Mem: 0x10001ce30-0x10001ce60 __DATA.__common (Zero Fill)
Mem: 0x10001ce60-0x10001cee0 __DATA.__bss (Zero Fill)
LC 03: LC_SEGMENT_64 Mem: 0x100020000-0x100028000 __LINKEDIT
LC 04: LC_DYLD_INFO
LC 05: LC_SYMTAB
Symbol table is at offset 0x21440 (136256), 176 entries
String table is at offset 0x223f0 (140272), 3496 bytes
LC 06: LC_DYSYMTAB
1 local symbols at index 0
No external symbols
175 undefined symbols at index 1
No TOC
No modtab
300 Indirect symbols at offset 0x21f40

LC 07: LC_LOAD_DYLINKER /usr/lib/dyld
LC 08: LC_UUID UUID: 53C65C10-31BD-3080-9FE4-B31DDCEBF02F
LC 09: LC_VERSION_MIN_IPHONEOS Minimum iOS version: ****
LC 10: LC_SOURCE_VERSION Source Version: ****
LC 11: LC_MAIN Entry Point: 0x3908 (Mem: 100003908)
LC 12: LC_LOAD_DYLIB /System/Library/Frameworks/MediaToolbox.framework/MediaToolbox
LC 13: LC_LOAD_DYLIB /System/Library/Frameworks/CoreMedia.framework/CoreMedia
LC 14: LC_LOAD_DYLIB /System/Library/Frameworks/Foundation.framework/Foundation
LC 15: LC_LOAD_DYLIB /System/Library/Frameworks/CoreMotion.framework/CoreMotion
LC 16: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices
LC 17: LC_LOAD_DYLIB /System/Library/Frameworks/CoreAudio.framework/CoreAudio
LC 18: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 19: LC_LOAD_DYLIB /System/Library/Frameworks/AudioToolbox.framework/AudioToolbox
LC 20: LC_LOAD_DYLIB /usr/lib/libbsm.0.dylib
LC 21: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 22: LC_LOAD_DYLIB /System/Library/Frameworks/Security.framework/Security
LC 23: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/AssetsLibraryServices.framework/AssetsLibraryServices
LC 24: LC_LOAD_DYLIB /usr/lib/libc++.1.dylib
LC 25: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib
LC 26: LC_LOAD_DYLIB /usr/lib/libobjc.A.dylib
LC 27: LC_FUNCTION_STARTS Offset: 136048, Size: 208 (0x21370-0x21440) with 145 functions
LC 28: LC_DATA_IN_CODE Offset: 136256, Size: 0 (0x21440-0x21440)
LC 29: LC_CODE_SIGNATURE Offset: 143776, Size: 5152 (0x231a0-0x245c0)

The mediaserverd keeps crashing on the device (receiving signal: Killed: 9).

It seems like it didn't like that I self-signed the binary (it says something about "Binary in trust cache, but has no platform entitlement. Adding it."), but the original entitlements (and the new ones) already contain the <platform-application> entitlement entry,
so I'm not sure why it is complaining.

See log file:

Apr 6 18:39:00 iPhone kernel[0] <Notice>: Binary in trust cache, but has no platform entitlement. Adding it.
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: <key><get-task-allow> not found
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: <key><com.apple.rootless.install> not found
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: allowing pid 441 to inherit IPC ports (platform binary)
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: _proc_check_inherit_ipc_ports returning 0 for pid 441

Apr 6 18:39:00 iPhone com.apple.xpc.launchd[1] (com.apple.mediaserverd[441]) <Notice>: Service exited due to signal: Killed: 9
Apr 6 18:39:00 iPhone com.apple.xpc.launchd[1] (com.apple.mediaserverd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 5 seconds.

The [italic] lines also exist in the log when I put back the original binary, and it then manages to run successfully, so I don't think they can tell me much.
MisTerX

Re: launchd says Binary is improperly signed when loading dl

Postby morpheus » Wed Apr 13, 2016 2:30 pm

So, first jtool --inplace will override.

Second, AMFI is actually very descriptive. When you re-signed, you dropped some of the entitlements, which it adds:

Apr 6 18:39:00 iPhone kernel[0] <Notice>: Binary in trust cache, but has no platform entitlement. Adding it.
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: <key><get-task-allow> not found
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: <key><com.apple.rootless.install> not found
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: allowing pid 441 to inherit IPC ports (platform binary)
Apr 6 18:39:00 iPhone kernel[0] <Notice>: AMFI: _proc_check_inherit_ipc_ports returning 0 for pid 441

platform entitlement = <key>platform-application</key><true/> - which it insists is not there. I would check again.
get-task-allow = <key>get-task-allow</key><true/>

Puzzled about rootless install being shown here. And further about why it was killed. I need more info. You might actually need to *invalidate* your self signed media server, so its CDHash differs from the original - what happens is that AMFI.kext somehow still recognizes this as an adhoc binary. Also, you can try to attach the binary itself. That could help.
morpheus
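As an added example (not code from this thread, from jtool, or from Apple), here is a small Python parser that does by hand what morpheus suggests checking with jtool --sig and jtool -L in the first reply, and the entitlement check he asks for in the last one: it walks the load commands of a thin little-endian 64-bit Mach-O to list LC_LOAD_DYLIB dependencies, pulls the entitlements plist out of the LC_CODE_SIGNATURE SuperBlob, and reports whether the three entitlements discussed above are present. The sample binary is constructed inline (no segments, no fat header), and the function names are mine.

```python
import struct

# Constants from mach-o/loader.h and the code-signing SuperBlob format.
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob wrapping all CS blobs
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # entitlements plist blob
CSSLOT_ENTITLEMENTS = 5
# Entitlements discussed in the thread (AMFI log lines / morpheus' replies).
KEYS = ("platform-application", "get-task-allow",
        "com.apple.private.skip-library-validation")

def entitlements_xml(sig):
    """Return the entitlements plist embedded in a CS SuperBlob (big-endian)."""
    magic, _length, count = struct.unpack_from(">3I", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return None
    for i in range(count):
        _slot, boff = struct.unpack_from(">2I", sig, 12 + 8 * i)
        bmagic, blen = struct.unpack_from(">2I", sig, boff)
        if bmagic == CSMAGIC_EMBEDDED_ENTITLEMENTS:
            return sig[boff + 8:boff + blen].decode()
    return None

def inspect_macho(data):
    """List LC_LOAD_DYLIB paths and the entitlement keys of a thin 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit unsupported)")
    off, dylibs, xml = 32, [], None   # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            dylibs.append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            xml = entitlements_xml(data[dataoff:dataoff + datasize])
        off += cmdsize
    ents = {k: (xml is not None and f"<key>{k}</key>" in xml) for k in KEYS}
    return dylibs, ents

def build_sample(dylibs, xml):
    """Constructed minimal Mach-O (no segments) carrying the given dylibs/entitlements."""
    cmds = b""
    for d in dylibs:
        name = d.encode() + b"\0"
        name += b"\0" * (-len(name) % 8)   # dylib_command is 24 bytes + padded name
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    ent = struct.pack(">2I", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(xml)) + xml.encode()
    sb = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(ent), 1)
    sb += struct.pack(">2I", CSSLOT_ENTITLEMENTS, 20) + ent
    dataoff = 32 + len(cmds) + 16               # SuperBlob follows the load commands
    cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, dataoff, len(sb))
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs) + 1, len(cmds), 0, 0)
    return hdr + cmds + sb
```

On a real binary, read the file into `data` and call `inspect_macho`; a missing `platform-application` or `get-task-allow` key in the result is exactly what the AMFI lines above are reporting.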