zeronights: automating ios blackbox security scanning

Post on 09-Jan-2017


ME!

“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”

Employer!

- SYNACK.com

Our privacy. Our money. Our freedoms.

Wouldn’t want to lose any of those things!

For those who don’t know AArch64: the IdaRef documentation plugin, https://github.com/nologic/idaref

Objc_Trace

Call Sequence

Hook Steps

1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable

Hook callback (slide excerpt, braces restored; only unseen method calls are recorded):

    #include <objc/runtime.h>   // id, SEL, Class, IMP, object_getClass
    #include <mach-o/loader.h>  // struct mach_header
    typedef IMP (*p_cache_getImp)(Class cls, SEL sel);  // signature assumed for libobjc's unexported cache_getImp
    static p_cache_getImp c_cache_getImp;

    void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
        Class cls = object_getClass(self);
        IMP cacheImp = NULL;
        if (cls != NULL && op != NULL)
            cacheImp = c_cache_getImp(cls, op);   // cache hit: this selector was already called on this class
        if (!cacheImp) {
            // not in cache, never been called, record the call.
        }
    }

Find the cache check function cache_getImp: it is not exported, so it is resolved at a fixed offset from the loaded base of libobjc (the cast applies to the whole computed address, not to the base alone):

    const struct mach_header* libobjc_base = libobjc_dylib_base();
    c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
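Step 4 of the hook sequence, checking the copied preamble for branch instructions, as an added example written in Python rather than objc_trace's C and not part of that project: it classifies AArch64 instruction words whose encoding is PC-relative, or which transfer control away, since either breaks once the bytes are copied to the jump page. The masks follow the ARMv8 instruction encodings; the two sample preambles are constructed and are not taken from any real objc_msgSend build.

```python
import struct

# Instruction classes that encode a PC-relative offset. Copying one of these
# to a jump page changes its PC, so the preamble cannot be relocated without
# rewriting it. (mask, value, name); encodings from the ARMv8 ISA.
PC_RELATIVE = [
    (0x7C000000, 0x14000000, "B/BL"),           # unconditional branch, imm26
    (0xFF000010, 0x54000000, "B.cond"),         # conditional branch, imm19
    (0x7E000000, 0x34000000, "CBZ/CBNZ"),       # compare and branch, imm19
    (0x7E000000, 0x36000000, "TBZ/TBNZ"),       # test bit and branch, imm14
    (0x1F000000, 0x10000000, "ADR/ADRP"),       # PC-relative address
    (0x3B000000, 0x18000000, "LDR (literal)"),  # PC-relative load
]
# BR / BLR / RET are not PC-relative, but control leaves the preamble, so the
# trampoline back into the original function would never be reached.
REG_BRANCH_MASK, REG_BRANCH_VALUE = 0xFF9FFC1F, 0xD61F0000


def classify(insn: int):
    """Name the problem with one 32-bit instruction word, or None if the word
    can be copied verbatim."""
    for mask, value, name in PC_RELATIVE:
        if insn & mask == value:
            return name
    if insn & REG_BRANCH_MASK == REG_BRANCH_VALUE:
        return "BR/BLR/RET"
    return None


def preamble_problems(preamble: bytes):
    """Decode a little-endian AArch64 preamble and return (index, hex, reason)
    for every instruction that would break when moved to the jump page."""
    if len(preamble) % 4:
        raise ValueError("AArch64 instructions are 4 bytes each")
    words = struct.unpack("<%dI" % (len(preamble) // 4), preamble)
    problems = []
    for i, word in enumerate(words):
        reason = classify(word)
        if reason:
            problems.append((i, "0x%08X" % word, reason))
    return problems


def relocatable(preamble: bytes) -> bool:
    """True when every instruction in the preamble may be copied as-is."""
    return not preamble_problems(preamble)


# Constructed preambles (not taken from any real objc_msgSend build).
SAFE_PREAMBLE = struct.pack("<4I",
    0xA9BF7BFD,   # stp x29, x30, [sp, #-16]!
    0x910003FD,   # mov x29, sp
    0xF100001F,   # cmp x0, #0
    0xD503201F)   # nop
UNSAFE_PREAMBLE = struct.pack("<4I",
    0xF100001F,   # cmp x0, #0
    0x5400004D,   # b.le +8      (PC-relative)
    0x10000041,   # adr x1, +8   (PC-relative)
    0x14000010)   # b +0x40      (PC-relative)

if __name__ == "__main__":
    for name, pre in (("safe", SAFE_PREAMBLE), ("unsafe", UNSAFE_PREAMBLE)):
        print(name, "relocatable" if relocatable(pre) else preamble_problems(pre))
```

A preamble that fails this check cannot simply be copied: the hooking tool must either rewrite the offending instructions for their new address or refuse to hook, which is the decision that step 4 feeds into step 5.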

Machshark

A captured mach message, decoded (the XPC payload is shown truncated as on the slide):

    {'_payload': {'_payload': {'_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                               'type': 2048},
                  'magic': '!CPX',
                  'version': 5},
     'msgh_bits': 1250579,
     'msgh_id': 268435456,
     'msgh_local_port': '0x30b',
     'msgh_remote_port': '0x10b',
     'msgh_reserved': 2819,
     'msgh_size': 256}
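The header fields in that capture, decoded by an added example rather than by Machshark's own parser: it unpacks a mach_msg_header_t from captured bytes, splits msgh_bits into the remote, local and voucher port rights, and checks the body for the XPC wire header whose magic reads as '!CPX'. The sample message is constructed from the values in the capture above and padded out to msgh_size; the field layout and right codes are those of the Mach headers, and the third header field is named msgh_reserved as on the slide (newer headers call it msgh_voucher_port).

```python
import struct

# mach_msg_header_t as laid out in memory on a little-endian target:
# msgh_bits, msgh_size, msgh_remote_port, msgh_local_port,
# msgh_reserved (msgh_voucher_port in newer headers), msgh_id.
MACH_MSG_HEADER = struct.Struct("<IIIIIi")
# XPC wire header at the start of the body: 4 magic bytes, then a 32-bit
# version. The magic appears as '!CPX' when the bytes are read in order.
XPC_WIRE_HEADER = struct.Struct("<4sI")
XPC_MAGIC = b"!CPX"

MACH_MSGH_BITS_COMPLEX = 0x80000000
# Port-right dispositions carried in the low byte (remote), second byte
# (local) and third byte (voucher) of msgh_bits.
PORT_RIGHTS = {
    16: "MOVE_RECEIVE", 17: "MOVE_SEND", 18: "MOVE_SEND_ONCE",
    19: "COPY_SEND", 20: "MAKE_SEND", 21: "MAKE_SEND_ONCE",
}


def decode_msgh_bits(bits: int) -> dict:
    """Split msgh_bits into the three port-right fields and the complex flag."""
    return {
        "remote": PORT_RIGHTS.get(bits & 0x1F, "none"),
        "local": PORT_RIGHTS.get((bits >> 8) & 0x1F, "none"),
        "voucher": PORT_RIGHTS.get((bits >> 16) & 0x1F, "none"),
        "complex": bool(bits & MACH_MSGH_BITS_COMPLEX),
    }


def parse_mach_message(buf: bytes) -> dict:
    """Decode one captured mach message; raise on a truncated capture."""
    if len(buf) < MACH_MSG_HEADER.size:
        raise ValueError("short read: no complete mach_msg_header_t")
    bits, size, remote, local, reserved, msg_id = MACH_MSG_HEADER.unpack_from(buf)
    if size < MACH_MSG_HEADER.size or size > len(buf):
        raise ValueError("msgh_size %d inconsistent with %d captured bytes" % (size, len(buf)))
    body = buf[MACH_MSG_HEADER.size:size]
    msg = {
        "msgh_bits": bits, "rights": decode_msgh_bits(bits), "msgh_size": size,
        "msgh_remote_port": hex(remote), "msgh_local_port": hex(local),
        "msgh_reserved": reserved, "msgh_id": msg_id,
    }
    if len(body) >= XPC_WIRE_HEADER.size and body[:4] == XPC_MAGIC:
        magic, version = XPC_WIRE_HEADER.unpack_from(body)
        msg["_payload"] = {"magic": magic.decode("ascii"), "version": version,
                           "_msg": body[XPC_WIRE_HEADER.size:]}
    else:
        msg["_payload"] = body   # not XPC: keep the raw body bytes
    return msg


# Constructed sample using the header values from the capture above; the XPC
# body is the slide's first bytes padded with zeros out to msgh_size.
_xpc_body = XPC_MAGIC + struct.pack("<I", 5) + b"\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00"
SAMPLE_MESSAGE = (MACH_MSG_HEADER.pack(1250579, 256, 0x10b, 0x30b, 2819, 268435456)
                  + _xpc_body.ljust(256 - MACH_MSG_HEADER.size, b"\x00"))

if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_mach_message(SAMPLE_MESSAGE))
```

The msgh_size check is the one that matters for a capture tool: a message whose declared size exceeds the bytes actually read is reported as truncated rather than parsed into garbage.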

“A little engine for driving the UI while doing

blackbox testing of an iOS App”

- CHAOTICMARCH

● Simulate the user
● Read and understand the UI

    cy# UIApp.keyWindow
    <UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
    | <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
    ...
    <TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
    | <TiGradientLayer;> (layer)
    | <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
    | | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
    | | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
    | <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>

● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module

Source:

    while true do
        local button = getButton(clickedButtons)
        -- put some info in.
        fill_all_fields()
        click_button(button)
        if (button["text"] ~= nil) then
            clickedButtons[button["text"]] = 1
        end
        usleep(2 * 1000000)
    end

MITM Proxy

Request

Fuzz

Parse

Mutator

1 - Make a post

2 - Get exploited binary/XSS with phish

3 - Steal creds or tokens

4 - Put up a draft

5 - Request messages

6 - respond with attack content

Attacker | User

We focus on this
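The Mutator stage of the pipeline, applied to the step the talk focuses on (the messages the server sends back to the app), as an added example that is neither CHAOTICMARCH's nor the talk's own code: it parses a JSON response, generates variants that each differ from the original in exactly one place (type confusions, boundary integers, long and control-character strings, missing keys), and labels every variant so that a crash or broken screen observed by the UI driver can be attributed to a single field. The sample response and the candidate value lists are constructed.

```python
import copy
import json
from typing import Any, Iterator, List, Tuple

Path = Tuple[Any, ...]

# Replacement candidates per JSON type. Constructed list of the usual boundary
# values, type confusions and metacharacters; not the talk's own set.
STRING_MUTANTS = ["", "A" * 4096, "%s%x%n", "\x00", "'\"<>&;|", None, 0]
INT_MUTANTS = [0, -1, 2**31 - 1, 2**31, 2**64, None, "1"]
BOOL_MUTANTS = [True, False, 1, "true", None]
NULL_MUTANTS = [0, "", [], {}]


def candidates(value: Any) -> List[Any]:
    """Replacement values for one scalar, excluding the value itself."""
    if isinstance(value, bool):        # bool before int: True is an int in Python
        pool = BOOL_MUTANTS
    elif isinstance(value, int):
        pool = INT_MUTANTS
    elif isinstance(value, str):
        pool = STRING_MUTANTS
    elif value is None:
        pool = NULL_MUTANTS
    else:
        pool = []                      # floats are left untouched in this example
    return [c for c in pool if c != value or type(c) is not type(value)]


def scalars(node: Any, path: Path = ()) -> Iterator[Tuple[Path, Any]]:
    """Yield (path, value) for every leaf of the parsed JSON."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from scalars(child, path + (key,))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from scalars(child, path + (i,))
    else:
        yield path, node


def dict_keys(node: Any, path: Path = ()) -> Iterator[Path]:
    """Yield the path of every dictionary key (candidates for removal)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield path + (key,)
            yield from dict_keys(child, path + (key,))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from dict_keys(child, path + (i,))


def _parent(root: Any, path: Path) -> Any:
    node = root
    for key in path[:-1]:
        node = node[key]
    return node


def replaced(root: Any, path: Path, new: Any) -> Any:
    """Copy of root with the leaf at path swapped for new."""
    if not path:
        return new
    root = copy.deepcopy(root)
    _parent(root, path)[path[-1]] = new
    return root


def removed(root: Any, path: Path) -> Any:
    """Copy of root with the dictionary key at path deleted."""
    root = copy.deepcopy(root)
    del _parent(root, path)[path[-1]]
    return root


def mutate_response(body: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, mutated JSON) pairs; each mutant changes one thing."""
    original = json.loads(body)
    out = []
    for path, value in scalars(original):
        where = "/".join(map(str, path)) or "<root>"
        for cand in candidates(value):
            label = "set %s -> %s" % (where, repr(cand)[:32])
            out.append((label, json.dumps(replaced(original, path, cand)).encode()))
    for path in dict_keys(original):
        out.append(("drop " + "/".join(map(str, path)),
                    json.dumps(removed(original, path)).encode()))
    return out


# Constructed server response, standing in for what the proxy would capture.
SAMPLE_RESPONSE = b'{"status":"ok","user":{"id":42,"admin":false,"name":"alice"}}'

if __name__ == "__main__":
    for label, mutant in mutate_response(SAMPLE_RESPONSE):
        print(label.ljust(36), mutant[:72])
```

One change per mutant is the design choice that makes the coverage information useful: when the UI driver reports a crash or an unexpected screen after a given response, the label names the single field responsible, which is what a developer needs to fix the parsing or handling bug.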

    while true do
        local inputs = findOfTypes("UITextField", "")
        for index, inputField in pairs(inputs) do
            click_button(inputField)
            inputText("SomeInput!!")
        end
        -- touch login
        touchDown(3, 138, 619);
        usleep(83148.83);
        touchUp(3, 141, 615);
        check_alert()
    end

Source

• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages

Blog: debugtrap.com, Twitter: @hexlogic

Sources:

CHAOTICMARCH: https://github.com/synack/chaoticmarch

Machshark: https://github.com/nologic/machshark

Objc_trace: https://github.com/nologic/objc_trace

Images: http://iconmonstr.com/
