Running GUI app from root user on iOS 10.1.1?

PostPosted: Sat Dec 17, 2016 9:54 am
by c69c73
Hey,

I am running as root on iOS 10.1.1 using the exploit from Ian Beer.
I can run the various tools from iosbinpack64. However, I don't manage to launch any GUI app. For example, if I call "/private/var/containers/Bundle/Application/BF20D840-953D-4353-891E-4EAE19AC09CC/TestApp.app/TestApp", this seems to kill the shell and I am forced to reboot.

Did I miss something? I am wondering what is happening and how to solve it.
I tried to spawn the binary but this produced the same result. Should a GUI process only run under the mobile user?

Any tips? Thanks a lot!

Re: Running GUI app from root user on iOS 10.1.1?

PostPosted: Sat Dec 17, 2016 8:00 pm
by Siguza
Does the syslog show anything?

Re: Running GUI app from root user on iOS 10.1.1?

PostPosted: Sat Dec 17, 2016 9:29 pm
by c69c73
I don't see anything interesting in the syslog.

Re: Running GUI app from root user on iOS 10.1.1?

PostPosted: Sun Dec 18, 2016 2:26 pm
by c69c73
I solved my problem. The bash shell is waiting for the process to finish. When you start a GUI app, posix_spawn times out and the shell seems to go into a bad state.
The solution was to create my own command line tool which launches the GUI app using posix_spawn without waiting for the child process.

Re: Running GUI app from root user on iOS 10.1.1?

PostPosted: Tue Dec 20, 2016 3:04 pm
by morpheus
The model of spawning apps in iOS is that launchd is expected to be the one launching; if you do that, however, Beer's sandbox escape won't work. posix_spawning yourself is definitely the better approach, because the app you spawn will then not be sandboxed. A simple workaround is to "&", which will make the shell not wait.
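For reference, here is an added example of the kind of "launch and don't wait" tool c69c73 describes, alongside the "&" shortcut morpheus mentions. It is not code from the thread or from iosbinpack64, and the app path, arguments and the choice to put the child in its own process group are assumptions; it builds with any POSIX toolchain (Linux, macOS, or the iOS SDK), since posix_spawn() and its attribute calls are standard.

```c
// Added example (not from the thread): a minimal launcher that calls
// posix_spawn() and deliberately does NOT waitpid() on the child, which is
// exactly what the shell was doing when it hung. Paths are assumptions.
#include <errno.h>
#include <signal.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

/* Spawn `path` with `argv` and return immediately.
 * Returns the child's pid, or -1 (with errno set) if the spawn failed. */
pid_t launch_detached(const char *path, char *const argv[])
{
    posix_spawnattr_t attr;
    pid_t pid;
    int err;

    err = posix_spawnattr_init(&attr);
    if (err != 0) { errno = err; return -1; }

    /* Assumption: give the child its own process group so a Ctrl-C in the
     * shell that ran this tool does not also kill the app we just started. */
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETPGROUP);
    posix_spawnattr_setpgroup(&attr, 0);

    err = posix_spawn(&pid, path, NULL, &attr, argv, environ);
    posix_spawnattr_destroy(&attr);
    if (err != 0) { errno = err; return -1; }

    /* No waitpid() here: that is the whole point. Control returns to the
     * caller while the GUI process keeps running on its own. */
    return pid;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/App.app/App [args...]\n", argv[0]);
        return 2;
    }
    /* Have the kernel reap the child automatically so this tool never
     * leaves a zombie behind if it happens to outlive the app. */
    signal(SIGCHLD, SIG_IGN);

    pid_t pid = launch_detached(argv[1], &argv[1]);
    if (pid < 0) {
        fprintf(stderr, "posix_spawn(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("started pid %d, not waiting for it\n", (int)pid);
    return 0;
}
```

Running `./launch /path/to/TestApp.app/TestApp` returns to the prompt at once, which is the same effect as typing `/path/to/TestApp.app/TestApp &` in the shell; the difference is that the tool is a predictable place to set spawn attributes (process group, environment) rather than relying on the shell's job control behaving well in a broken-out session.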

Re: Running GUI app from root user on iOS 10.1.1?

PostPosted: Tue Dec 20, 2016 5:05 pm
by c69c73
The "&" workaround is indeed a simple solution for testing. Thanks!