iNalyzer: No More Blackbox iOS Analysis (slide deck)
Source: http://www.securitylearn.net/wp-content/uploads/iOS%20Resources/iAnalyzer%20-%20No%20More%20Blackbox%20iOS%20Analysis.pdf
WTF Disclaimer
This presentation will demonstrate a new approach and tool to perform practical black box testing on any iOS application.

These demos will be illustrated using technical terms and tools of the trade that relate to black-box effort on iOS applications.

If terms such as ObjC, Class-Dump-Z, Cycript, Clutch, proxies, scanners, etc. make you want to WTF, please see the reference slides at the end of the presentation to upgrade your knowledge.

Or you can use the exit door to select a different track.
About me
- Security Researcher, Trainer, Speaker
- Previous publications:
  - Lenovo privilege escalation WiFi driver
  - SOAP patch for sqlmap
  - Belch: Burp Suite plugin for binary protocols (AMF, Jser, etc.)
  - EvilQR open research
  - AppUse: Android Application Uniform Security Evaluation Platform (developed with Erez Metula)
- Talks: OWASP IL (2011, 2012), DC9723 (2013)
- B.Sc. Biomedical Engineering
Recap: What's an iOS App?
- ObjC/C/C++ compiled (ARM) executable
- Encrypted executable (FairPlay)
- Self-contained under the ~/Applications/GUID/AppName.app folder
- Installed by the "mobile" user
- Executes under a sandbox
- Under the radar, can escape (SpyPhone, Storm8, etc.)
Black Box Assessing Apps
Image source: http://www.securitygeneration.com/security/pic-of-the-week-real-world-penetration-testing/
Static Analysis Tools
- iFile / iTools / iExplorer (Cydia iOS / PC)
- Clutch (Cydia)
- IDA / disassembler (PC)
- SSH / PuTTY (iOS + PC)
- Hex editor (Win/Mac)
- Plist editor (iOS, PC)
- SQLite Browser (Win/Mac)

Dynamic Analysis Tools
- Proxy (PC) + certificate (root CA)
- iSEC SSL KillSwitch (iOS)
- Mallory (VM)
- WiFi hotspot
- Cycript (iOS)
- Class-dump-z (iOS)
- GDB (iOS)
- Theos / Logos / CaptainHook (iOS)
Black Box Agony: Uncover the missing pieces
- No code
- No simulator
- Encrypted by iTunes
- Unknown end points
- % of functionality coverage
- Hidden vulnerabilities
Typical approach
- File system:
  - Monitoring (DB, plist, logs)
  - Tampering (SQLite, plutil)
- Network:
  - Monitoring (Mallory, proxy)
  - Tampering (proxy, scanners, tools)
- Application resources:
  - CFURL invocations
  - EA protocols

Typical approach - Cont
- Binary:
  - Decryption (Clutch)
  - Class identification (class-dump-z)
  - Reversing (IDA)
  - Patching (when needed)
- Application runtime:
  - objc_msgSend monitor
  - Theos / Logos tweaks
  - GDB
  - Cycript
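What the "File system: monitoring" and "Application runtime: Cycript" bullets look like in practice, as an added example that is not part of the deck and not iNalyzer's own code. It is typed at the Cycript prompt after attaching to the app on a jailbroken device. The class name LoginViewController, its ivar _isAuthenticated and the selector loginSucceeded are hypothetical stand-ins for whatever the class-dump-z prototypes of a real target show; choose(), the *obj ivar dump and the obj->ivar accessor are Cycript features, recursiveDescription is a private UIView method.

```cycript
// Attach to the running app on the device:   cycript -p <AppName>
// Everything below is typed at the cy# prompt and runs inside the target process.

// --- File system: where did the app put its plists, databases and logs? ---
var home = NSHomeDirectory();                    // ~/Applications/<GUID>/ : the app's sandbox
var fm   = [NSFileManager defaultManager];
var docs = [home stringByAppendingPathComponent:"Documents"];
var pref = [home stringByAppendingPathComponent:"Library/Preferences"];
[fm contentsOfDirectoryAtPath:docs error:nil];   // e.g. app.sqlite, cache.plist (constructed names)
[fm contentsOfDirectoryAtPath:pref error:nil];   // <bundle-id>.plist written by NSUserDefaults

// Everything the app persisted through NSUserDefaults, without touching the plist on disk
[[NSUserDefaults standardUserDefaults] dictionaryRepresentation];

// --- Runtime: find live objects of a class seen in the class-dump-z prototypes ---
// 'LoginViewController', '_isAuthenticated' and 'loginSucceeded' are hypothetical names;
// substitute what the dashboard / class dump of your target shows.
var Login = NSClassFromString("LoginViewController");
var objs  = choose(Login);                       // every live instance of that class on the heap
var login = objs[0];

*login;                                          // dump the instance's ivars and their values
login->_isAuthenticated;                         // read a private ivar directly
login->_isAuthenticated = true;                  // ...and change it under the app's feet
[login loginSucceeded];                          // invoke an undocumented selector from the dump

// --- UI context: which screen is in front and what is wired to it? ---
UIApp.keyWindow.rootViewController;              // UIApp = [UIApplication sharedApplication]
[UIApp.keyWindow recursiveDescription];          // the full view tree (private UIView method)
```

Reading values this way is the monitoring half; the ivar assignment and the direct selector call are the tampering half, and both happen without a decrypted binary, GDB or IDA. Anything the app computes only on the server side is of course out of reach from here, which is why the network bullets above still matter.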
Typical approach – ARM RCE-ing (reverse code engineering)
Use GDB / IDA Pro + zynamics
Problems:
- ARM assembly language
- Overhead for a mid-scope engagement
- Tedious
- Manual
Objective-C class interposing
- Present a new implementation for a Foundation class selector; the app keeps sending the same message and gets our implementation instead of the original
- Surprise, Surprise!
Cycript: Tampering tool
- Not a new concept
  - F-Script (f-script.org, OS X)
  - Cycript (@saurik, iOS); see J. Zdziarski, Hacking and Securing iOS Applications
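The interposing idea from the previous slide, carried out with Cycript as the tampering tool, as an added example that is not part of the original deck and not iNalyzer's own code. It replaces the Foundation selector -[NSUserDefaults boolForKey:] process-wide through Cycript's Class.messages[...] replacement, keeps the original implementation so the hook can log every call and pass through (a poor man's objc_msgSend monitor), and overrides a single key. The key name isPremiumUser is a hypothetical feature flag; substitute a key the app actually reads.

```cycript
// Interpose a Foundation selector for the whole process: -[NSUserDefaults boolForKey:]
// Keep the original implementation so the replacement can log and pass through.
var origBoolForKey = NSUserDefaults.messages['boolForKey:'];

NSUserDefaults.messages['boolForKey:'] = function(key) {
    var real = origBoolForKey.call(this, key);                      // original answer; this = the receiver
    NSLog("[hook] boolForKey: " + key.toString() + " -> " + real);  // trace every call the app makes
    if (key.toString() == "isPremiumUser")                          // hypothetical flag in the target
        return true;                                                // present the app with our answer
    return real;                                                    // otherwise behave exactly as before
};

// Exercise it: the app's next check gets our value, not the one in its plist
[[NSUserDefaults standardUserDefaults] boolForKey:"isPremiumUser"];

// Undo when finished with this test case
NSUserDefaults.messages['boolForKey:'] = origBoolForKey;
```

Two caveats a tester runs into quickly. Class clusters (NSString, NSArray, NSDictionary) dispatch to private concrete subclasses such as __NSCFString, so replacing the abstract class's message does nothing for them; hook the concrete class, or better, the app's own classes seen in the dump. And a Cycript replacement lives only in the memory of the attached process; once the app restarts it is gone, which is what the Theos / Logos tweaks listed under "Application runtime" are for when the change has to persist.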
Dashboard Building
- In the Payload/Appname.app/Doxygen/ folder:
  - Mac: execute the doxMe.sh file
  - Windows: open dox.Template with Doxygen
- Dashboard building can take time
- Once finished, open Payload/Appname.app/Doxygen/html/index.html with Firefox
iNalyzer 5.5b: The Recipe
1. Jailbroken iOS 6.1.2 device (@evad3rs)
2. Clutch to decrypt the app (ttwj)
3. Class-dump-z to dump the app's class prototypes (@kennytm)
4. Doxygen engine to render a dashboard (@doxygen)
5. Firefox to run the dashboard (@firefox)
6. Cycript to modify the app's behaviour (@saurik)
7. Repeat step 6 until completed
Optional:
8. SubjectiveC to log selectors (@kennytm)
Pros:
- No GDB/IDA required
- Semi-automatic static analysis (expandable)
- Automatic call graph / hierarchy graph
- Attaches to any scanner or other web-testing tool
- It's free, open-source
Cons:
Summary
- iOS black box testing just got grayer!
- Mobile PT requires mobile understanding
- Join our mobile application security hands-on training:
  - Mobile Hacking (Black Hat USA 2013, iOS / Android)
  - Mobile Secure Coding (TBD, info@appsec-labs.com)
  - Mobile Awareness (TBD, info@appsec-labs.com)
References
- ObjC interposing: http://culater.net/wiki/moin.cgi/CocoaReverseEngineering
- Clutch: https://github.com/ttwj/ClutchMod
- Class-dump-z: https://github.com/kennytm/Miscellaneous/downloads
- Cycript: http://www.cycript.org/
- IDA: https://www.hex-rays.com/products/ida/index.shtml
- Mallory: http://intrepidusgroup.com/insight/mallory/
- Burp: http://www.portswigger.net/burp/download.html