zeronights: automating ios blackbox security scanning
TRANSCRIPT
ME!
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
Employer!
- SYNACK.com
Our privacy. Our money.Our freedoms.
Wouldn’t want to lose any of those things!
For those that don’t know Aarch64IdaRef documentation plugin: https://github.com/nologic/idaref
In-process•••
••
External
••
••••
•
•••
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
Objc_Trace
Call Sequence
Hook Steps
void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
Class cls = object_getClass(self);
if(cls != NULL && op != NULL)
cacheImp = c_cache_getImp(cls, op);
if(!cacheImp) {
// not in cache, never been called, record the call.
…
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base) + 97792 + 0x4000;
Only record unseen method calls
Find the cache check function cache_getImp
{ '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha', 'type': 2048},
'magic': '!CPX',
'version': 5},
'msgh_bits': 1250579,
'msgh_id': 268435456,
'msgh_local_port': '0x30b',
'msgh_remote_port': '0x10b',
'msgh_reserved': 2819,
'msgh_size': 256}
Machshark
“A little engine for driving the UI while doing
blackbox testing of an iOS App”
- CHAOTICMARCH
● Simulate the user ● Read and understand the UI
cy# UIApp.keyWindow
<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
...
<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
| <TiGradientLayer;> (layer)
| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
● Lua Scriptable Logic● Standard functions for touching the device● Options for record/replay● Finding UI Components● Regulating speed of execution● Support for multiple targets● Mechanisms for generic logic● Lightweight injected module
Source
•••
while true dolocal button = getButton(clickedButtons)
-- put some info in.fill_all_fields()click_button(button)
if(button["text"] ~= nil) thenclickedButtons[button["text"]] = 1
endusleep(2 * 1000000)
end
•••
•
•••
MITM Proxy
Request
Fuzz
Parse
Mutator
1 - Make a post
2 - Get exploited binary/XSS with phish
3 - Steal creds or tokens
4 - Put up a draft
5 - Request messages
6 - respond with attack content
AttackerUser
We focus on this
while true do
local inputs = findOfTypes("UITextField", "")
for index, inputField in pairs(inputs) do
click_button(inputField)
inputText("SomeInput!!")
end
-- touch login
touchDown(3, 138, 619);
usleep(83148.83);
touchUp(3, 141, 615);
check_alert()
end
Source
••
••
••
• Apps are important!• Automation of the UI• Collection of coverage information• Fuzzing of responses messages
, blog: debugtrap.comTwitter: @hexlogic
Source:CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace
Images: http://iconmonstr.com/