SecElf cyOS Jailbreak was a pwn challenge at Cybears CTF at BSides Canberra 2019.
The goal of the challenge was to develop a PoC “jailbreak” for the fictional cyOS. Players were given a collection of files, which included the OS’s ELF loader, both as source and compiled. A web service existed for players to upload their binaries and hope for success. A sample binary was provided, which would run successfully when sent to the web service. A public key and a code-signing Python script were also provided.
The Auditing: I opened the loader code and studied it…
AppleIDAuthAgent is a service that exists on iOS that appears to handle actions regarding a user's Apple ID, including iCloud information linked to that account. It runs an XPC service known as com.apple.coreservices.appleid.authentication, which could be accessed by any application.
When looking around at how the service was handling incoming XPC messages, I noticed that there were some log messages left behind. One of them was “DoGetMyInfo”, and it was occurring when the
0x130. When I sent a message with that as part of the message.
What I got back was very interesting. The components that were easy to spot…
About 4 weeks ago, Hacker1 held their h1702ctf as a qualifier for the main h1702 event in Las Vegas later this month. The theme of this CTF was mobile applications, specifically applications on iOS and Android. I managed to be the 6th person to complete all the challenges. I managed to be invited to the actual event as a finalist, but am unfortunately unable to go.
As a bit of background on my experience, I mainly specialise in iOS and have barely touched Android before.
I was wandering around GitHub one day when I saw a project called Electrino, which happened to be rising in the trending page. I decided to take a quick look at it, and discovered it was a project that aimed to use the native web browser frameworks, rather than bundling a framework within the application (as Electron does). I thought “Hey, this would be cool to do some stuff with”, and proceeded to submit a PR adding a basic feature.
I then thought that creating separate “module” files for each module would decrease app size, as developers could pick and…
webinspectord is the service in charge of all operations related to the use of the ‘Web Inspector’ on iOS. It runs an XPC service known as
Note: All of the info I mention below is from webinspectord on the iOS 10.2 IPSW. From what I’ve seen, 10.3+ has moved most of the stuff in this service to
I originally found this vulnerability as a DoS. Here’s what I found:
Messages sent are usually created with _CFXPCCreateXPCMessageWithCFObject and, when received, are decoded with _CFXPCCreateCFObjectFromXPCMessage. The issue within webinspectord is that it presumes that some keys will have a value of…
Note: The beginning of this article is aimed more at beginners. I discuss XPC in more depth further down the article.
And so the long journey begins. For you and for me.
In summary, I decided to embark on this journey the entirely long way. I’ve received advice from lots of (iOS) security researchers telling me to start on macOS, and then on the lowest possible iOS version I can. But instead I decided to go straight to iOS 10.1.1 (and then to 10.2), and begin attempting to create a jailbreak without any previous knowledge.
The first common step is escaping the sandbox…
With the release of iOS 10, some jailbreak developers have been trying to get dylib injection working so they can either test existing tweaks or do some research.
The best way to do this is heavily based on friggog’s method. With some modifications, you can easily do this with iOS 10.
First, add the following to your Makefile:
TARGET = simulator:clang:latest:10.0 # Near the top
tweakname_USE_SUBSTRATE = 0 # Near the declaration
Finally, in order to build for the simulator, you first need to open the simulator. Then, open a terminal in your Theos project directory and copy-paste the following:
make clean; make; xcrun…