iOS Jailbreak Principles - Undecimus 分析（一）Escape from Sandbox

時間 2019-12-18

標籤 ios jailbreak principles undecimus 分析 escape sandbox 欄目 iOS 简体版

原文原文鏈接

系列文章

前言

在 Sock Port 系列文章中咱們從 0 到 1 的介紹了經過 Socket UAF 拿到 tfp0 的全過程。從這篇文章開始咱們將經過分析 Undecimus 介紹從 tfp0 到 jailbreak 的全過程。html

單單經過 tfp0 能作的事情只是 kread, kwrite 等基礎操做，要實現 rootfs read/write, kexec 等工做還須要很是複雜的步驟，本文將介紹經過 tfp0 逃出沙盒，實現 rootfs 讀寫的原理和過程。git

The Sandbox

在 iOS 中有兩個重要的內核擴展，分別是 AppleMobileFileIntegrity.kext 和 Sandbox.kext。github

Apple Mobile File Integrity

根據 The iPhone Wiki 對 AMFI 的定義[1]:express

AppleMobileFileIntegrity(.kext), which can go by its full name com.apple.driver.AppleMobileFileIntegrity, is an iOS kernel extension which serves as the corner stone of iOS's code entitlements model. It is one of the Sandbox's (com.apple.security.sandbox) dependencies, along with com.apple.kext.AppleMatch (which, like on OS X, is responsible for parsing the Sandbox language rules).數組

即 AMFI.kext 是實現 iOS Code Entitlements 的基礎組件，它和 AppleMatch.kext(用於解析 Sandbox DSL) 都是 Sandbox.kext 的依賴。安全

可能有人對 Entitlements 並不熟悉，它表明着 App 擁有的權限。在正向開發中，若是咱們爲 App 開啓 Capability 就會生成對應的 XML Units 插入到 App.entitlements，某些 Capability 只有特定的證書才能生成合法簽名。經過這種手段能夠限制 Userland App 的權限，從而保證系統安全。數據結構

在運行時，內核擴展會註冊 Mac Policy 並 hook 特定的 Mach Calls[1]:app

Affectionately known as AMFI, this kext can be found in the iOS 5.0 iPod 4,1 kernel around 0x805E499C (start) and 0x805E3EE8 (Initialization function). The latter function registers a MAC policy (using the kernel exported mac_policy_register), which is used to hook various system operations and enforce Apple's tight security policy.iphone

根據 Wiki，AMFI 會 hook 須要 task_for_pid-allow 權限的 Mach Call[1]:ide

This kext recognizes the task_for_pid-allow entitlement (among others) and is responsible for hooking this Mach call, which retrieves the Mach task port associated with a BSD process identifier. Given this port, one can usurp control of the task/PID, reading and writing its memory, debugging, etc. It is therefore enabled only if the binary is digitally signed with a proper entitlement file, specifying task_for_pid-allow.

即 AMFI.kext 會識別 entitlements 中的 task_for_pid-allow，並 Hook 相關 Mach Call，該 Mach Call 會經過 BSD 進程標識符查詢特定進程的任務端口返回給調用者，使得調用者能夠篡改進程的 task 或 PID, 甚至進行目標進程內存的讀寫和調試；而 AMFI.kext 會在調用前檢查調用者的二進制是否擁有包含 task_for_pid-allow 的合法簽名。

Sandbox Kext

Sandbox 的實現與 AMFI.kext 相似，也是經過 Hook 一系列的 Mach Call 並檢查特定的 Policy 來保證訪問的合法性。根據 Dionysus Blazakis 的 Paper: The Apple Sandbox 中的描述[2]：

Once the sandbox is initialized, function calls hooked by the TrustedBSD layer will pass through Sandbox.kext for policy enforcement. Depending on the system call, the extension will consult the list of rules for the current process. Some rules (such as the example given above denying access to files under the /opt/sekret path) will require pattern matching support. Sandbox.kext imports functions from AppleMatch.kext to perform regular expression matching on the system call argument and the policy rule that is being checked. For example, does the file being read match the denied path /opt/sekret/.*? The other small part of the system is the Mach messages used to carry tracing information (such as which operations are being checked) back to userspace for logging.

上述引用主要包含了 3 個關鍵點：

當 Sandbox 被初始化後，被 TrustedBSD layer 所 Hook 的 Mach Call 會經過 Sandbox.kext 執行權限檢查；
Sandbox.kext 會經過 AppleMatch.kext 解析規則 DSL，並生成 checklist；
經過 checklist 進行檢查，例如被讀取的 file path 是否在 denied path 列表中等。

Policy 的內核表示

在進程的 proc 結構中有一個 p_ucred 成員用於存儲進程的 Identifier (Process owner's identity. (PUCL))，它至關於進程的 Passport：

struct proc {
    LIST_ENTRY(proc) p_list; /* List of all processes. */
    
    void * task; /* corresponding task (static)*/
    struct proc *p_pptr; /* Pointer to parent process.(LL) */
    pid_t p_ppid;	
    // ...
    /* substructures: */
    kauth_cred_t p_ucred; /* Process owner's identity. (PUCL) */
複製代碼

PUCL 是一個 ucred 對象：

struct ucred {
    TAILQ_ENTRY(ucred) cr_link; /* never modify this without KAUTH_CRED_HASH_LOCK */
    u_long cr_ref; /* reference count */
    // ..
    struct label *cr_label; /* MAC label */
複製代碼

其中 cr_label 成員指向了存儲 MAC Policies 的數據結構 label:

struct label {
    int	l_flags;
    union {
    	void	*l_ptr;
    	long	 l_long;
    } l_perpolicy[MAC_MAX_SLOTS];
};
複製代碼

l_perpolicy 數組記錄了 MAC Policy 列表，AMFI 和 Sandbox 的 Policy 都會插入到相應進程的 l_perpolicy 中。

根據 Quarkslab Blogs 中的文章 Modern Jailbreaks' Post-Exploitation，AMFI 和 Sandbox 分別插入到了 0 和 1 位置[3]：

Each l_perpolicy "slot" is used by a particular MACF module, the first one being AMFI and the second one the sandbox. LiberiOS calls ShaiHulud2ProcessAtAddr to put 0 in its second label l_perpolicy[1]. Being the label used by the sandbox (processed in the function sb_evaluate), this move will neutralize it while keeping the label used by AMFI (Apple Mobile File Integrity) l_perpolicy[0] untouched (it's more precise and prevent useful entitlement loss).

即每一個 l_perpolicy 插槽都被用於特定的 MACF 模塊，第一個插槽被用於 AMFI，第二個被用於 Sandbox。LiberiOS 經過調用 ShaiHulud2ProcessAtAddr 在不修改第一個插槽的狀況下將第二個插槽的指針置 0 來實現更加精準和穩定的沙盒逃逸。

Escape Now

有了 tfp0 和上面的理論基礎，實現沙盒逃逸的路徑變得清晰了起來，咱們只須要將當前進程的 l_perpolicy[1] 修改成 0，便可逃出沙盒。

首先讀取到當前進程的 label，路徑爲 proc->p_ucred->cr_label，隨後將索引爲 1 的 Policy Slot 置 0：

#define KSTRUCT_OFFSET_PROC_UCRED 0xf8
#define KSTRUCT_OFFSET_UCRED_CR_LABEL 0x78

kptr_t swap_sandbox_for_proc(kptr_t proc, kptr_t sandbox) {
    kptr_t ret = KPTR_NULL;
    _assert(KERN_POINTER_VALID(proc));
    kptr_t const ucred = ReadKernel64(proc + koffset(KSTRUCT_OFFSET_PROC_UCRED));
    _assert(KERN_POINTER_VALID(ucred));
    kptr_t const cr_label = ReadKernel64(ucred + koffset(KSTRUCT_OFFSET_UCRED_CR_LABEL));
    _assert(KERN_POINTER_VALID(cr_label));
    kptr_t const sandbox_addr = cr_label + 0x8 + 0x8;
    kptr_t const current_sandbox = ReadKernel64(sandbox_addr);
    _assert(WriteKernel64(sandbox_addr, sandbox));
    ret = current_sandbox;
out:;
    return ret;
}
複製代碼

這裏說明一下 sandbox_addr 的計算：

kptr_t const sandbox_addr = cr_label + 0x8 + 0x8;
複製代碼

咱們再回顧下 label 結構體：

struct label {
    int	l_flags;
    union {
    	void	*l_ptr;
    	long	 l_long;
    } l_perpolicy[MAC_MAX_SLOTS];
};
複製代碼

雖然 l_flags 自己只有 4 字節，但 l_perpolicy 佔據了 8n 字節，爲了按照最大成員對齊，l_flags 也會佔據 8B，所以 cr_label + 8 指向了 l_perpolicy，再偏移 8B 則指向 Sandbox 的 Policy Slot。

經過上述操做咱們便能躲過 Sandbox.kext 對進程的沙盒相關檢查，實現沙盒逃逸，接下來不管是經過 C 仍是 OC 的 File API 均可以對 rootfs 進行讀寫。在 Undecimus Jailbreak 中以這種方式讀取了 kernelcache 並肯定 Kernel Slide 和關鍵偏移量。

咱們能夠經過簡單實驗驗證沙盒逃逸成功，下面的代碼讀取了 kernelcache 和 Applications 目錄：

NSArray *extractDir(NSString *dirpath) {
    NSError *error = nil;
    NSArray *contents = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:dirpath error:&error];
    if (error) {
        NSLog(@"failed to get application list");
        return nil;
    }
    return contents;
}

void sandbox_escape_test() {
    NSError *error = nil;
    BOOL success = [NSData dataWithContentsOfFile:@"/System/Library/Caches/com.apple.kernelcaches/kernelcache" options:NSDataReadingMappedAlways error:&error];
    if (!success) {
        NSLog(@"error occurred !!! %@", error);
    }
    
    // list applications dir
    error = nil;
    NSFileManager *mgr = [NSFileManager defaultManager];
    NSString *applicationRoot = @"/var/containers/Bundle/Application/";
    NSArray *uuids = [mgr contentsOfDirectoryAtPath:applicationRoot error:&error];
    if (error) {
        NSLog(@"failed to get application list");
        return;
    }
    for (NSString *uuid in uuids) {
        NSString *appPath = [applicationRoot stringByAppendingPathComponent:uuid];
        NSArray *contents = extractDir(appPath);
        for (NSString *content in contents) {
            if ([content hasSuffix:@".app"]) {
                NSLog(@"find %@ at %@ !!!", content, appPath);
            }
        }
    }
}
複製代碼