Some questions about code signing

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby littlelailo » Sun Oct 01, 2017 3:50 pm

So I recently started to play around with Ian Beer's triple fetch exploit. I've an iPad mini gen. 4 on 10.3.2 and everything was working fine.
The triple fetch Xcode project includes an amfid patch, which gets executed when the exploit has won the race and obtained a privileged task port.
After that I can then run any self-signed binary I want without any problems.
Now the problem:
I tried to load a dylib, which was fake-signed into another app while the triple fetch exploit was still running (was able to verify that amfid hook is still active by using the debug log).
I did this by creating a dylib using xcrun (arm64) and then signed it using jtool --sign or ldid -S, put it into a dir in the app container and tried to load it using dlopen.
This gave me the following error (queried with dlerror):
dlopen('<PATH>', 1) failed: no suitable image found. Did find: '<PATH>': code signing blocked mmap() of '<PATH>'

Additional information: <PATH> is under the app directory, not in $HOME or somewhere where the iOS 10 sandbox would block loading.

Thanks to Volume III (it's really an amazing book) I was able to narrow down the issue to the library_validation hook in AMFI's kext.
The loading is failing because the dylib doesn't have a TeamID and is not a system binary.
This is because jtool and ldid -S fake-sign the binary with version 0x20001, which doesn't have those fields at all.
So my question is:
is it possible to create a dylib which will pass the library validation in kernelland? And if so, do I have to write my own code or does jtool support something like this?

And one more question: will Volume I or II cover the code signing format in more depth,
for example with an explanation of the new fields added with version 0x20200 (which value must the platform marker have so that the system recognizes the binary as a system dylib),
or is there already a good explanation which I just overlooked?


Thank you in advance,
littlelailo
littlelailo
 
Posts: 7
Joined: Thu Sep 28, 2017 6:48 pm

Re: Some questions about code signing

Postby morpheus » Sun Oct 01, 2017 6:54 pm

So, first thanks for the kind words.

Second, you're totally right about 20001. I never bothered to implement team ids since all the JB systems I work with fully disable the hook. Ian Beer's exploit doesn't.

I'm updating jtool now to account for team IDs. I'll post in this thread when ready.

And Volume III does cover it in depth - especially the latest v1.4.2 in which I caught up all the way to 0x20400
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Some questions about code signing

Postby littlelailo » Sun Oct 01, 2017 7:04 pm

Thank you! Is it then possible to create a dylib which can be loaded into a system application like amfid or "only" into third party apps?
littlelailo
 
Posts: 7
Joined: Thu Sep 28, 2017 6:48 pm

Re: Some questions about code signing

Postby morpheus » Sun Oct 01, 2017 7:05 pm

You won't be able to touch amfid without a proper jailbreak. And the hook will still deny you platform apps. But a teamID fix will enable you to add a matching team ID for third party ones.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Some questions about code signing

Postby littlelailo » Sun Oct 01, 2017 7:34 pm

Ok and why? (I hope you don't mind if I leak information from the book, if this is a problem feel free to edit
the post). From page 123 (v1.4) library_validation: it first checks if we have a cdhash (passed), then if we have a team id or if this is a platform binary (we can pass this by setting the platform marker in the blob?), after that we check if the process is ok (Won't go into detail here, if you want to know how this works buy the book), check if the process is a platform binary and if so, check if the lib is also one (pass because the marker is set?) and in the end compare both team ids (pass). For me it seems like we can pass all of those checks, what have I missed?

But this is still amazing! I can hook and play around with third party apps, will try this as soon as the new version of jtool is available...
littlelailo
 
Posts: 7
Joined: Thu Sep 28, 2017 6:48 pm

Re: Some questions about code signing

Postby morpheus » Sun Oct 01, 2017 8:09 pm

So, first, the forum is here for people who haven't bought the book, so no need to censor (I mean, don't get carried away and show all the pages, either).

Platform binaries are "immune" to team IDs. Team IDs were devised by Apple to allow third parties to inject code into third parties (for example, a shared library which you want to add to all your programs, like Microsoft Office common tools).

Apple has been shamed time and time again by various injections. So it's restricted, and you won't be able to inject into it (by DYLD vars) nor any other platform binary. You will only be able to get an executable mmap if the teamIDs match, meaning your target process also must have a Team ID - i.e. third party or from the App Store.

Attached is afternoon build of jtool where I put in teamIDs - --teamid XYZ as argument to jtool --sign . Test away. Not putting in main download page since I haven't checked all use cases and that it doesn't break anything else. You also get credit in the WhatsNew.txt for the idea :-)
Attachment: jtool.tar (1.71 MiB)
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
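The two posts above turn on what the CodeDirectory blob actually carries: a 0x20001 directory has no teamOffset field at all, while 0x20200 and later can point at a team identifier string, and a separate platform byte marks platform binaries. The following is an added example (not the thread's, jtool's or ldid's code): a small Python parser for the fixed CodeDirectory header, using the field layout and constants from Apple's public cs_blobs.h, plus a builder that produces constructed test blobs with zeroed hash slots (they are not valid signatures, only layout samples). The `library_validation_reason` function is a simplified model of the rule as morpheus describes it in this thread, not AMFI's real code, and exists only to show why a 0x20001 dylib is refused and why a team-ID dylib still cannot go into a platform process.

```python
import struct

# Layout constants from Apple's public cs_blobs.h. All header fields are big-endian.
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_SUPPORTSSCATTER = 0x20100      # version that added scatterOffset
CS_SUPPORTSTEAMID = 0x20200       # version that added teamOffset
CS_SUPPORTSCODELIMIT64 = 0x20300  # version that added spare3 + codeLimit64
CS_SUPPORTSEXECSEG = 0x20400      # version that added execSegBase/Limit/Flags
CS_HASHTYPE_SHA1 = 1

# Fixed header size (bytes before the variable data) for each directory version.
HEADER_SIZE = {0x20001: 44, 0x20100: 48, 0x20200: 52, 0x20300: 64, 0x20400: 88}


def _cstring(blob, off):
    """Read a NUL-terminated string at offset off."""
    if off >= len(blob):
        raise ValueError("string offset 0x%x past end of blob" % off)
    return blob[off:blob.index(b"\0", off)].decode("utf-8")


def parse_code_directory(blob):
    """Decode the fixed CodeDirectory header and return the identity-related fields."""
    if len(blob) < 44:
        raise ValueError("blob too short for a CodeDirectory header")
    (magic, length, version, _flags, _hash_off, ident_off, _n_special, n_code,
     _code_limit, _hash_size, hash_type, platform, _page_size,
     _spare2) = struct.unpack_from(">9I4BI", blob, 0)
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("not a CodeDirectory: magic 0x%08x" % magic)
    if length > len(blob):
        raise ValueError("declared length exceeds buffer")
    team_off = 0
    if version >= CS_SUPPORTSTEAMID:          # older directories have no such field
        (team_off,) = struct.unpack_from(">I", blob, 48)
    return {
        "version": version,
        "identifier": _cstring(blob, ident_off),
        "team_id": _cstring(blob, team_off) if team_off else None,
        "platform": platform,                 # non-zero marks a platform binary
        "hash_type": hash_type,
        "n_code_slots": n_code,
    }


def build_code_directory(version, identifier, team_id=None, platform=0, n_code=1):
    """Build a constructed, minimal CodeDirectory with zeroed SHA-1 slots (layout sample only)."""
    if version not in HEADER_SIZE:
        raise ValueError("unsupported version 0x%x" % version)
    if team_id and version < CS_SUPPORTSTEAMID:
        raise ValueError("version 0x%x has no teamOffset field" % version)
    hdr_len = HEADER_SIZE[version]
    ident_bytes = identifier.encode() + b"\0"
    team_bytes = team_id.encode() + b"\0" if team_id else b""
    ident_off = hdr_len
    team_off = hdr_len + len(ident_bytes) if team_id else 0
    hash_off = hdr_len + len(ident_bytes) + len(team_bytes)
    hash_size = 20
    length = hash_off + n_code * hash_size
    hdr = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, length, version, 0, hash_off,
                      ident_off, 0, n_code, 0x1000, hash_size, CS_HASHTYPE_SHA1,
                      platform, 12, 0)
    if version >= CS_SUPPORTSSCATTER:
        hdr += struct.pack(">I", 0)           # scatterOffset (unused here)
    if version >= CS_SUPPORTSTEAMID:
        hdr += struct.pack(">I", team_off)    # teamOffset
    if version >= CS_SUPPORTSCODELIMIT64:
        hdr += struct.pack(">IQ", 0, 0)       # spare3, codeLimit64
    if version >= CS_SUPPORTSEXECSEG:
        hdr += struct.pack(">QQQ", 0, 0, 0)   # execSegBase, execSegLimit, execSegFlags
    assert len(hdr) == hdr_len
    return hdr + ident_bytes + team_bytes + b"\0" * (n_code * hash_size)


def library_validation_reason(lib, proc):
    """Simplified model of the rule described in this thread (not AMFI's implementation)."""
    if lib["platform"]:
        return "allowed: platform library"
    if lib["team_id"] is None:
        return "denied: no team ID and not a platform binary"
    if proc["platform"] or proc["team_id"] is None:
        return "denied: target is a platform process / has no team ID"
    if lib["team_id"] != proc["team_id"]:
        return "denied: team ID mismatch"
    return "allowed: team IDs match"


if __name__ == "__main__":
    # Constructed samples: a 0x20001 fake-signed dylib, a 0x20200 dylib with a team ID,
    # a third-party app with the same team ID, and a platform process.
    old_lib = parse_code_directory(build_code_directory(0x20001, "com.example.lib"))
    new_lib = parse_code_directory(build_code_directory(0x20200, "com.example.lib", team_id="ABCDE12345"))
    app = parse_code_directory(build_code_directory(0x20200, "com.example.app", team_id="ABCDE12345"))
    sysproc = parse_code_directory(build_code_directory(0x20400, "com.example.platformd", platform=1))
    for name, lib in (("0x20001 lib", old_lib), ("0x20200 lib", new_lib)):
        print(name, "->", app["identifier"], library_validation_reason(lib, app))
        print(name, "->", sysproc["identifier"], library_validation_reason(lib, sysproc))
```

Running the script shows the situation from the first post (a 0x20001 directory reports `team_id` None and is refused even for a third-party target) next to the fix morpheus describes (a 0x20200 directory whose team ID matches the app's is accepted, while the same dylib is still refused for a platform process). The parser only reads the header; it does not verify hashes or the CMS signature, so it tells you what a signature claims, not whether it is valid.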

Re: Some questions about code signing

Postby littlelailo » Sun Oct 01, 2017 8:22 pm

morpheus wrote:So, first, the forum is here for people who haven't bought the book, so no need to censor (I mean, don't get carried away and show all the pages, either).

Ok good to know, wondered if it's ok to show something like this.

morpheus wrote:Apple has been shamed time and time again by various injections. So it's restricted, and you won't be able to inject to it (by DYLD vars) nor any other platform binary.

Yeah, I knew that it was not possible using the environment variables but I thought I could still use Beer's call_remote api (it uses task_ports) to dlopen...
Didn't know that all system binaries are independent from any dylibs.

morpheus wrote:Attached is afternoon build of jtool where I put in teamIDs - --teamid XYZ as argument to jtool --sign .
[...] You also get credit in the WhatsNew.txt for the idea :-)

I'll report if I encounter any bugs, thank you and thank you for the credit :)
littlelailo
 
Posts: 7
Joined: Thu Sep 28, 2017 6:48 pm

Re: Some questions about code signing

Postby morpheus » Sun Oct 01, 2017 8:25 pm

Even with the task port, mmapping won't work. Like I said, fool them once, shame on them. Shame them five times, enough already. Even with a task port - it ain't happening UNLESS you get a kernel exploit of any type - then even with KPP/KTRR, it's all inconsequential.

What you could and should do is follow Beer's ingenious method of controlling AMFId via exceptions. Apple still haven't fixed this in iOS 11 and likely won't do so for a while since it requires reengineering of the code signing mechanism to apply to and lock __DATA .

You are most welcome!
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Some questions about code signing

Postby littlelailo » Sun Oct 01, 2017 8:35 pm

Yeah the problem is that I'm dependent on the application life cycle when doing something like this. But I can do the following: hook amfid, load all the dylibs I want to use, unhook, load them whenever I want because their signature is cached...
littlelailo
 
Posts: 7
Joined: Thu Sep 28, 2017 6:48 pm

