
Page 1: i S - DinoSec · 2014-06-24

2014 © Dino Security S.L.

All rights reserved. Todos los derechos reservados.

www.dinosec.com

Raúl Siles

[email protected]

@raulsiles

@dinosec

June 3, 2014

i S

Page 2

Page 3

Outline

• Vulnerability research and markets

• Apple & iOS: State of the art

– iPhone/iPad in business

– System Software Authorization (SSA)

• Can we manipulate the iOS update process?

• Vulnerability details: iOS 5, 6, 7…

– Attacks

• Conclusions

• Credits

Page 4

Vulnerability Research & Markets

Insider View

Page 5

Vulnerability Markets

• How is security vulnerability information managed and traded today?

– Importance of (vuln) information systems for modern economy and society

• Who is going to potentially buy your cyber weapon?

– Closed privileged groups

• Black market: cyber criminals

• Public markets: private security companies, governments, brokers…

– E.g. Subscription fees for 25 zero-days per year: USD $2.5 million

– What is it going to be used for?

• Compromise all vulnerable systems without people ever knowing about the threat

– Vulns remain private for an average of 151 days (100+ exploits per year)

– Real risk exposure: assume you are already compromised

• NSSLabs – “The Known Unknowns” (Dec 5, 2013)

– “International Vulnerability Purchase Program” (Dec 17, 2013)

https://www.nsslabs.com/reports/known-unknowns-0 https://www.nsslabs.com/reports/ivpp

Page 6

Disclosure Options

‘Responsible’ disclosure

• Do nothing

– Assuming it is the best way to serve the community

• Coordinated disclosure (vendor)

– Information about vulnerabilities is a valuable asset

• Security researchers require compensation for time spent

• Full disclosure

– Motivate vendors to act

• Sell it

– Bug bounty (vendor)

– Broker or directly to third-parties

Page 7

Vulnerability Research

• For previous vulnerability research I followed…

– Responsible and coordinated disclosure with vendors

– But it was time to research the current vulnerability markets

• Vulnerability was accepted and published in one of the vulnerability purchase programs

• No real interest outside RCE, LPE and information disclosure (memory addresses)

• Vulnerability discovered in early 2012 (2.5+ years ago)

– Keeping it private (as far as I know) and verifying that it is still unpublished and still valid requires a lot of effort (especially over long periods of time)

– Remained private until March 2014 (at RootedCON)

• What happens in Madrid stays in Madrid

– … and June 2014 at Area41: “First anniversary!”

• What if someone finds it meanwhile… or the vendor fixes it?

– For how long can a not very complex vulnerability remain undisclosed?

– Value of modern vulnerabilities and exploits is based on who knows about them

• How to provide details without disclosing too much?

Page 8

Vulnerability Research & Disclosure

• We know vendors do not always take relevant issues seriously…

– "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013

• “When should a researcher initially notify a vendor with no serious bug bounty before releasing an undisclosed vulnerability in a security conference?” (Community disclosure?)

– It depends: vendor, bug, researcher, follow-ups… (“negotiate”)

• Complexity, criticality, scope…

• Evolution of security business landscape

– Vulnerability disclosure policies are like assh*les…

• …everyone has one!

• The "Month and a Day Rule" (DinoSec 2014)

– Similar to common law sentences

– Vulnerability notified to Apple on February 6, 2014 (1m + 1d)

Page 9

Apple & iOS: State of the Art

Page 10

iPhone/iPad in Business (1/2)

• Your business or Apple business model?

– Hardware, software, services & contents

• App Store & iTunes

• Apple Q1 2014 financial results

– Sales (quarter): 51M iPhones & 26M iPads

– Revenue: $57.6 billion

• $4.4 billion on iTunes/Software/Service

– Net quarterly profit: $13.1 billion

– 65 billion cumulative app downloads ($15 billion paid to developers)

• 1 million apps cumulative in 24 categories

https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html

Page 11

iPhone/iPad in Business (2/2)

• iOS design, features, and architecture

– https://www.apple.com/iphone/business/it/

– https://www.apple.com/ipad/business/it/

• iOS security model (Feb’14)

– Updates: System Software Authorization

https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

Page 12

System Software Authorization (1/2)

• To prevent devices from being downgraded

– Older versions lack the latest security updates

• “An attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that’s been fixed in the newer version”

• Jailbreak?

• iTunes or wirelessly over the air (OTA)

– Full copy of iOS or only the components required

• Connects to Apple’s installation authorization server

– Cryptographic measurements for each part of the installation bundle (LLB, iBoot, kernel & OS image), nonce & ECID (device unique ID)

Page 13

System Software Authorization (2/2)

• Authorization server checks measurements against versions permitted by Apple

– Allows only latest version for each device model

• Narrow signing window (~24h)

– Apple signs measurements, nonce and ECID

• Per device (ECID) and per restore (nonce)

• Every firmware installation is remotely verified (signed) by Apple during every restore or upgrade

– Started with iPhone 3G[S] & iOS 3 (using ECID only)

• "Verifying restore with Apple...“

– iTunes “personalizes” the firmware file (ECID…): SHSH

Page 14

Apple iOS Downgrade (1/3)

• SHSH blobs and APTickets

– Signature HaSH (SHSH blobs) and nonce (APTicket)

• Cydia (saurik), redsn0w (MuscleNerd) & iFaith (iH8sn0w)

• TSS Center (Cydia), redsn0w, TinyUmbrella (TU), iFaith…

– MitM (& cache) signature server: gs.apple.com

• Source: http://svn.saurik.com/repos/menes/trunk/cysts/

– The verifier was the Tatsu Signing Server (TSS)

• Spidercab (Apple internal equivalent), running at ‘tatsu-tss-internal.apple.com’ (Apple VPN), is used to sign old versions...

http://www.saurik.com/id/12 (iOS 3.x) http://www.saurik.com/id/15 (iOS 6.x)

Page 15

Apple iOS Downgrade (2/3)

• SHSH blobs (SHA-1 hashes; 160-bit digests)

– iPhone Software (IPSW) file (ZIP file)

• Build manifest: BuildManifest.plist

– List of files and their content digests (+ Apple integrity signature)

• “Personalization” process

– Build manifest → TSS request → Apple → SHSH blobs

– Replace the files’ signature section with the SHSH blobs

• APTickets

– Introduced with iOS 5.x

– Block of data with a digest for all files used during boot

• No IPSW file “personalization” any more (APTicket)

• Contains a “nonce” (anti-replay mechanism: uncacheable)

Page 16

Apple iOS Downgrade (3/3)

• Caching the uncacheable

– Restore to very old iOS versions (no APTicket)

– Downgrade tricks history

• http://www.jailbreakqa.com/faq#32763 …

– Exploits for reusing APTickets

• No way to downgrade from iOS 6.x to older versions on newer devices (as of April 2013)

– Eligible older devices

• iPhone 4 & 3G[S], iPad, and iPod touch 4th gen (A4 processor)

– limera1n BootROM exploit (redsn0w can dump TSS info from the device)

• iPad 2

– Go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5

• iPad 2, 3 & iPhone 4S: from iOS 5 to any other iOS 5 version

Requirement: TSS information previously saved
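The three slides above describe why saved SHSH blobs could be replayed against gs.apple.com but saved APTickets cannot. The following toy model of that exchange is an added example, not code from the talk or from any of the tools named above (Cydia, redsn0w, TinyUmbrella, iFaith). Apple signs tickets with RSA; here an HMAC keyed with a constructed value stands in for that signature, and the component contents, ECIDs, versions and signing windows are all constructed.

```python
"""Toy model of the System Software Authorization (TSS) exchange.

Shows why pre-iOS 5 SHSH blobs could be cached and replayed (the server
signed only the component digests plus the ECID) and why APTickets cannot
(the device contributes a fresh nonce to every restore). The HMAC below is
a stand-in for Apple's RSA signature; all other values are constructed.
"""
import hashlib
import hmac
import os

APPLE_SIGNING_KEY = b"stand-in for Apple's TSS private key"  # constructed


def build_manifest(components):
    """BuildManifest.plist stand-in: a SHA-1 digest per boot component."""
    return {name: hashlib.sha1(blob).hexdigest() for name, blob in components.items()}


def _ticket_message(manifest, ecid, nonce):
    """What the signature covers: digests, ECID and, for APTickets, the nonce."""
    parts = [f"{k}={manifest[k]}" for k in sorted(manifest)] + [f"ecid={ecid:x}"]
    if nonce is not None:
        parts.append("nonce=" + nonce.hex())
    return "|".join(parts).encode()


def _sign(manifest, ecid, nonce):
    return hmac.new(APPLE_SIGNING_KEY, _ticket_message(manifest, ecid, nonce), hashlib.sha256).hexdigest()


class TSSServer:
    """gs.apple.com stand-in: signs a manifest only while that version is in the signing window."""

    def __init__(self, signed_versions):
        self.signed_versions = set(signed_versions)

    def request(self, version, manifest, ecid, nonce=None):
        if version not in self.signed_versions:
            return None  # Apple no longer signs this version
        return {"version": version, "ecid": ecid, "nonce": nonce, "sig": _sign(manifest, ecid, nonce)}


class Device:
    """Boot-chain stand-in: accepts a restore only if the ticket matches ECID, digests and nonce."""

    def __init__(self, ecid, uses_apticket):
        self.ecid = ecid
        self.uses_apticket = uses_apticket
        self.nonce = None

    def begin_restore(self):
        """iOS 5+ devices generate a fresh nonce per restore; SHSH-era devices have none."""
        self.nonce = os.urandom(20) if self.uses_apticket else None
        return self.nonce

    def verify(self, ticket, components):
        if ticket is None or ticket["ecid"] != self.ecid:
            return False
        expected = _sign(build_manifest(components), self.ecid, self.nonce)  # re-measure what is installed
        return hmac.compare_digest(expected, ticket["sig"])


def run_scenarios():
    ios4 = {"LLB": b"llb-4.3.3", "iBoot": b"iboot-4.3.3", "kernelcache": b"kernel-4.3.3"}  # constructed
    ios5 = {"LLB": b"llb-5.1.1", "iBoot": b"iboot-5.1.1", "kernelcache": b"kernel-5.1.1"}  # constructed
    r = {}

    # SHSH era: no nonce, so a blob saved while 4.3.3 was signed replays forever (per device).
    apple = TSSServer({"4.3.3"})
    dev = Device(ecid=0x1A2B3C4D5E6, uses_apticket=False)
    saved_blob = apple.request("4.3.3", build_manifest(ios4), dev.ecid)  # what TinyUmbrella stores
    apple.signed_versions = {"5.1.1"}                                    # signing window closes
    r["shsh_live_request_refused"] = apple.request("4.3.3", build_manifest(ios4), dev.ecid) is None
    dev.begin_restore()
    r["shsh_replay_accepted"] = dev.verify(saved_blob, ios4)
    other = Device(ecid=0x1A2B3C4D5E7, uses_apticket=False)
    other.begin_restore()
    r["shsh_other_ecid_accepted"] = other.verify(saved_blob, ios4)

    # APTicket era: the saved ticket is bound to the nonce of the restore it was issued for.
    apple = TSSServer({"5.1.1"})
    dev = Device(ecid=0x1A2B3C4D5E6, uses_apticket=True)
    nonce1 = dev.begin_restore()
    saved_ticket = apple.request("5.1.1", build_manifest(ios5), dev.ecid, nonce1)
    r["apticket_first_restore"] = dev.verify(saved_ticket, ios5)
    r["apticket_tampered_kernel"] = dev.verify(saved_ticket, dict(ios5, kernelcache=b"patched"))
    apple.signed_versions = {"6.1.3"}
    dev.begin_restore()                                                  # fresh nonce
    r["apticket_replay_accepted"] = dev.verify(saved_ticket, ios5)
    return r
```

The "downgrade tricks" on the slide are all ways of getting a ticket whose nonce matches the current restore (a BootROM exploit that lets the restore proceed without a fresh nonce check, or a version without APTickets at all); nothing in the model above allows that, which is exactly the point of the nonce.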

Page 17

http://iossupportmatrix.com

Page 18

Can We Manipulate the iOS Update

Process?

Without a new BootROM exploit

Page 19

Relevant iOS 5 Change

• Over the Air (OTA)

– iOS software updates

• Settings - General - Software Update

– iTunes data sync & backup over Wi-Fi

• iTunes 10.5+

– Options – Sync with this iPhone over Wi-Fi

– iCloud backup

• Settings - iCloud - Storage & Backup

Apple fans’ behavior change: getting rid of the USB cables

Page 20

iOS OTA Update Process

• HTTP (vs. HTTPS)

– Relies on the iOS software (IPSW) integrity verification instead

– Software update server: http://mesu.apple.com

• Automatically used by iOS…

– … or manually launched by the user

• Settings - General - Software Update

• iOS software update (plist) file (XML format)

– References (URLs) to all the current iOS version files, hosted at http://appldnld.apple.com

Page 21

Main iOS SW Update Files

• iOS software update (plist) file

– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml

• iOS software update documentation (plist) file

– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml

• iOS 5.0 (GM) was not offered via OTA

– iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA

– iOS 5.0.1 was the first public OTA version

Page 22

iOS 5.x & 6.x

Page 23

iOS 5 & 6: HEAD Request

HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: MobileAsset/1.0
Connection: close
Content-Length: 0

HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Connection: close

(Two variants of the HEAD request were observed; the second User-Agent carries a URL-encoded, unexpanded ${PRODUCT_NAME} build placeholder.)

Page 24

iOS 5 & 6: HEAD Response

HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: close

If the Last-Modified date is later than the date stored from the last update, the device asks for the new content with a GET.

Page 25

iOS 5 & 6: GET Req & Resp

GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
Connection: close
User-Agent: MobileAsset/1.0

HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive

...

Page 26

iOS 5 & 6: GET Req & Resp

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Assets</key>
    <array>
        <dict>
            <key>Build</key>
            ...
            <key>OSVersion</key>
            <string>7.0.4</string>
            ...
    <key>Certificate</key>
    <data>
    MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
    </data>
    <key>Signature</key>
    <data>
    LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
    </data>
    <key>SigningKey</key>
    <string>AssetManifestSigning</string>
</dict>
</plist>

Same behavior with the iOS SW update documentation file

Page 27

Last-Modified: Date

Can we manipulate the iOS update process?

Page 28

StarWars or Matrix?

Page 29

Page 30

Vulnerability Exploitation

• Man in the Middle (MitM) attacks

– E.g. Wi-Fi network impersonation attacks

• http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf

• http://vimeo.com/70718776

• iProxy: MitM Python tool

– Twisted (https://twistedmatrix.com)

• Event-driven networking engine (also used by e.g. sslstrip)

– Implements both StarWars and Matrix attacks

• Multiple and flexible options

Page 31

“These aren’t the updates you’re looking for”

Page 32

StarWars Attack

• Block and/or drop the HEAD request (timeout)

– Fail: it sends a GET request

– Block and/or drop the GET request (timeout)

• Fail: error message

– When the user manually checks for updates

– “Unable To Check for Update”

• Change the “Last-Modified” header of the HEAD response to the past

– “These aren’t the updates you’re looking for”

DEMO

Page 33

Page 34

“This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Appleland and I show you how deep the update-hole goes.”

Page 35

Matrix Attack

• Change the “Last-Modified” header of the HEAD response to the future

– Forcing a GET request

• Change the contents of the GET response

– Fail: the response contents are signed

– Replay attacks?

• Change the “Last-Modified” header of the GET response to the future & provide a previous (genuinely signed) file

– “You’re inside the Matrix”

• No more updates up to that future date

DEMO
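The iOS 5/6 check (pages 23-26) and the two manipulations on pages 32 and 35 can be modelled end to end. The following is an added example, not code from the talk or from iProxy: the client logic is reconstructed from the HEAD/GET exchanges shown on the slides (the device remembers the Last-Modified date of the last catalogue it accepted and only issues the GET when the server reports a later date), an HMAC keyed with a constructed value stands in for Apple's real plist signature, and every date, version and catalogue below is constructed.

```python
"""Model of the iOS 5/6 OTA update check with the StarWars and Matrix
header manipulations applied by an on-path attacker. The HMAC stands in for
Apple's real catalogue signature; all dates and versions are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

UTC = timezone.utc
APPLE_KEY = b"stand-in for the AssetManifestSigning key"  # constructed


def fmt(dt):
    return format_datetime(dt, usegmt=True)


def sign(version):
    return hmac.new(APPLE_KEY, version.encode(), hashlib.sha256).hexdigest()


def verify(body):
    """The device checks the catalogue's Certificate/Signature; the HMAC models that step."""
    return hmac.compare_digest(body[1], sign(body[0]))


@dataclass
class Catalogue:
    """One revision of com_apple_MobileAsset_SoftwareUpdate.xml (constructed)."""
    last_modified: datetime
    os_version: str


@dataclass
class Device:
    """iOS 5/6 client state: the Last-Modified date of the last catalogue it accepted."""
    installed: str
    last_seen: datetime
    offered: str = None


def server(cat, method):
    """mesu.apple.com over plain HTTP: same Last-Modified for HEAD and GET, body only for GET."""
    headers = {"Last-Modified": fmt(cat.last_modified)}
    return 200, headers, ((cat.os_version, sign(cat.os_version)) if method == "GET" else None)


def passthrough(method, status, headers, body):
    return status, headers, body


def check_for_update(device, cat, mitm=passthrough):
    """iOS 5/6 flow: HEAD first; GET only if the server's date is newer than the stored one."""
    status, headers, _ = mitm("HEAD", *server(cat, "HEAD"))
    if parsedate_to_datetime(headers["Last-Modified"]) <= device.last_seen:
        return None                     # nothing newer: no GET at all
    status, headers, body = mitm("GET", *server(cat, "GET"))
    if not verify(body):
        return None                     # contents are signed: tampering is detected
    device.last_seen = parsedate_to_datetime(headers["Last-Modified"])  # header trusted blindly
    device.offered = body[0]
    return device.offered


def starwars(method, status, headers, body):
    """Rewrite the HEAD response's Last-Modified into the past: the device never issues the GET."""
    if method == "HEAD":
        headers = dict(headers, **{"Last-Modified": fmt(datetime(2000, 1, 1, tzinfo=UTC))})
    return status, headers, body


def forge(os_version):
    """Tamper with the GET body; without Apple's key the signature cannot be produced."""
    def mitm(method, status, headers, body):
        return status, headers, ((os_version, "0" * 64) if method == "GET" else body)
    return mitm


def matrix(future, stale):
    """Push Last-Modified into the future on both responses and replay an older genuine file."""
    def mitm(method, status, headers, body):
        headers = dict(headers, **{"Last-Modified": fmt(future)})
        if method == "GET":
            body = (stale.os_version, sign(stale.os_version))
        return status, headers, body
    return mitm


def run_scenarios():
    t0 = datetime(2014, 1, 7, 17, 45, 50, tzinfo=UTC)   # Last-Modified seen on the slides
    old = Catalogue(t0, "7.0.4")
    new = Catalogue(t0 + timedelta(days=45), "7.0.6")   # constructed "next update"
    far = datetime(2024, 1, 1, tzinfo=UTC)
    r = {}
    d = Device("7.0.4", t0)
    r["baseline"] = check_for_update(d, new)                  # 7.0.6 is offered
    d = Device("7.0.4", t0)
    r["starwars"] = check_for_update(d, new, starwars)        # nothing offered
    d = Device("7.0.4", t0)
    r["forged"] = check_for_update(d, new, forge("6.1.3"))    # rejected, nothing offered
    d = Device("7.0.4", t0)
    r["matrix"] = check_for_update(d, new, matrix(far, old))  # replayed 7.0.4, stored date now 2024
    r["after_attacker_leaves"] = check_for_update(d, new)     # still nothing: frozen
    r["frozen_until"] = d.last_seen == far
    return r
```

The Matrix case is what makes the attack persistent: the attacker only needs to be on path once, because the device keeps the future date and from then on rejects every genuine HEAD response on its own.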

Page 36

Page 37

iOS Software Update Files Repo

Page 38

iCamasu

• iCamasu

– iOS com_apple_MobileAsset_SoftwareUpdate

• Python-based tool to parse and extract details

from Apple iOS software update PLIST files

– com_apple_MobileAsset_SoftwareUpdate.xml

• Version 0.41 (~ Area41)

– Multiple parsing options…

• Min & Max iOS versions, several summaries, search by iOS

version, search by Apple device, full details…

http://www.dinosec.com/en/lab.html#iCamasu

Released today!

$ ./iCamasu.py
com_apple_MobileAsset_SoftwareUpdate.xml (SHA-1:b21edffaf1b62d0d911a0974f15e54d111127162) = 396870 bytes, 260 assets, 37 devices, 5 versions, min: 5.1.1, max: 7.1.1
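A minimal parser for the same catalogue, producing the kind of summary and per-device/per-version lookups iCamasu prints. This is an added example and not iCamasu's own code. The catalogue embedded below is a constructed miniature (real files are hundreds of kilobytes with many more keys per asset, and the Certificate/Signature values here are placeholders); the asset keys it relies on (Build, OSVersion, SupportedDevices, __BaseURL, __RelativePath) are assumed to be the ones describing each OTA package.

```python
"""Parse Apple's OTA catalogue (com_apple_MobileAsset_SoftwareUpdate.xml)
and summarise it iCamasu-style. SAMPLE_CATALOGUE is constructed."""
import hashlib
import plistlib

SAMPLE_CATALOGUE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Assets</key>
  <array>
    <dict>
      <key>Build</key><string>9B206</string>
      <key>OSVersion</key><string>5.1.1</string>
      <key>SupportedDevices</key><array><string>iPad2,1</string></array>
      <key>__BaseURL</key><string>http://appldnld.apple.com/iOS5.1.1/</string>
      <key>__RelativePath</key><string>sample-9B206-iPad2,1.zip</string>
    </dict>
    <dict>
      <key>Build</key><string>11B651</string>
      <key>OSVersion</key><string>7.0.6</string>
      <key>SupportedDevices</key><array><string>iPad2,1</string><string>iPhone5,1</string></array>
      <key>__BaseURL</key><string>http://appldnld.apple.com/iOS7/</string>
      <key>__RelativePath</key><string>sample-11B651.zip</string>
    </dict>
    <dict>
      <key>Build</key><string>11D201</string>
      <key>OSVersion</key><string>7.1.1</string>
      <key>SupportedDevices</key><array><string>iPad2,1</string><string>iPhone5,1</string></array>
      <key>__BaseURL</key><string>http://appldnld.apple.com/iOS7.1/</string>
      <key>__RelativePath</key><string>sample-11D201.zip</string>
    </dict>
    <dict>
      <key>Build</key><string>11D201</string>
      <key>OSVersion</key><string>7.1.1</string>
      <key>SupportedDevices</key><array><string>iPhone6,1</string></array>
      <key>__BaseURL</key><string>http://appldnld.apple.com/iOS7.1/</string>
      <key>__RelativePath</key><string>sample-11D201-iPhone6,1.zip</string>
    </dict>
  </array>
  <key>Certificate</key><data>MIID</data>
  <key>Signature</key><data>LyfS</data>
  <key>SigningKey</key><string>AssetManifestSigning</string>
</dict>
</plist>
"""


def version_key(v):
    """'7.0.6' -> (7, 0, 6) so that 7.1 sorts after 7.0.6 (string order would put it before)."""
    return tuple(int(p) for p in v.split("."))


def load_assets(raw):
    """Return the Assets list and the top-level signing fields (present but not verifiable here)."""
    plist = plistlib.loads(raw)
    signing = {k: plist.get(k) for k in ("SigningKey", "Certificate", "Signature")}
    return plist["Assets"], signing


def download_url(asset):
    return asset["__BaseURL"] + asset["__RelativePath"]


def summarize(raw):
    assets, _ = load_assets(raw)
    versions = sorted({a["OSVersion"] for a in assets}, key=version_key)
    devices = {d for a in assets for d in a.get("SupportedDevices", [])}
    return {"sha1": hashlib.sha1(raw).hexdigest(), "bytes": len(raw), "assets": len(assets),
            "devices": len(devices), "versions": len(versions), "min": versions[0], "max": versions[-1]}


def one_liner(raw, name="com_apple_MobileAsset_SoftwareUpdate.xml"):
    """Same shape as the iCamasu output line shown above."""
    s = summarize(raw)
    return (f"{name} (SHA-1:{s['sha1']}) = {s['bytes']} bytes, {s['assets']} assets, "
            f"{s['devices']} devices, {s['versions']} versions, min: {s['min']}, max: {s['max']}")


def assets_for_device(raw, device):
    """(OSVersion, Build, URL) for every package offered to one device identifier, oldest first."""
    assets, _ = load_assets(raw)
    hits = [a for a in assets if device in a.get("SupportedDevices", [])]
    return sorted(((a["OSVersion"], a["Build"], download_url(a)) for a in hits),
                  key=lambda t: version_key(t[0]))


def assets_for_version(raw, version):
    """Sorted device identifiers that can receive a given iOS version."""
    assets, _ = load_assets(raw)
    return sorted({d for a in assets if a["OSVersion"] == version for d in a.get("SupportedDevices", [])})


if __name__ == "__main__":
    print(one_liner(SAMPLE_CATALOGUE))
    for v, b, url in assets_for_device(SAMPLE_CATALOGUE, "iPad2,1"):
        print(f"  iPad2,1  {v:>6}  {b:<7}  {url}")
```

Note that the parser can only report that the Certificate/Signature/SigningKey fields are present; verifying them requires knowing which bytes Apple signs, which the slides do not specify.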

Page 39

iOS 7.x

Page 40

iOS 7: GET Request

GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-us
Connection: keep-alive
User-Agent: MobileAsset/1.0

HEAD request removed from iOS 7. The If-Modified-Since header discloses the date of the last update stored on the iOS device: THANKS iOS!

Page 41

iOS 7: GET Response (304)

• If there is no new update since that date…

HTTP/1.1 304 Not Modified
Content-Type: application/xml
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Date: Mon, 20 Jan 2014 12:35:20 GMT
Connection: keep-alive

The date in the “Last-Modified” header does not influence the iOS behavior this time (304).

Page 42

iOS 7: GET Response (200)

• If there is a new update since that date…

HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
...
<plist version="1.0">
<dict>
    ...
    <key>OSVersion</key>
    <string>7.0.4</string>
    ...

Page 43

Temporary vs. Permanent attacks

Page 44

StarWars Attack

• Block and/or drop the GET request (timeout)

– Fail: error message

• When the user manually checks for updates

• “Unable To Check for Update”

• Send a 304 response

– “These aren’t the updates you’re looking for”

• Change the “If-Modified-Since” header of the GET request to a future date, so that Apple’s server itself replies with a 304

• Change the GET response manually to a 304

This 304 Jedi trick does not work for iOS 6

DEMO

Page 45

Matrix Attack

• Change the contents of the GET response

– Fail: the response contents are signed

– Replay attacks?

• Change the “Last-Modified” header of the GET response to the future (replaying a previous, genuinely signed file)

– “You’re inside the Matrix”

• No more updates up to that future date

DEMO

Page 46

Conclusions

Page 47

Vulnerability Details

• Affects iOS 5.x - 7.x (up to the latest version)

– iOS 5.0 released on October 12, 2011

– Vulnerability discovered in early 2012, between…

• 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)

• It has survived multiple iOS versions: 5, 6 & 7

– Long time verifying it has not been fixed

– Long time collecting iOS software update files (plist XML files)

• Targeted and very carefully planned attacks

– Plenty of time to launch future attacks

• Forever (persistent - Matrix) or between iOS updates (now)

• Stealthy attacks

– The update freeze can be reverted silently

Page 48

Vulnerability Limitations

• Cannot be used to downgrade to a previous version, only to keep the device on its current version

• Can be bypassed via iTunes

– Different update check mechanism (HTTPS)

– Only temporarily, as iTunes does not change the iOS device’s update state if the update is cancelled

– What is the current iOS update user behavior?

• iTunes or OTA

Page 49

Vulnerability Usage

• Outside the information security field…

• People complaining because they didn’t want to update from iOS 6 to iOS 7

– Huge user interface (GUI) change they didn’t like

– But their iOS device used over 1 GB of space (e.g. on a 16 GB iPad) just to locally store the new iOS 7 update

• New update is available

• Download update

• Install update

• “Unwanted iOS 7 occupying space on iOS 6 devices”

Freeze the iOS device at iOS 6 and never get iOS 7

Page 50

Vulnerability Exploitation

• Freeze the version of a target device and wait for the next juicy iOS update fixing a critical flaw

• Wait… that sounds like… goto fail;

– Speculation: released on February 21, 2014 (although the bug is older)

• Without any public researcher recognition (Apple?)

– For iOS 7.0.6 & 6.1.6, but not yet for OS X Mavericks (10.9) - in a hurry?

– CVE-2014-1266

• The signature on the TLS ServerKeyExchange message was never verified for DHE & ECDHE cipher suites, so any MitM could impersonate an HTTPS server

• https://www.imperialviolet.org/2014/02/22/applebug.html

https://www.gotofail.com

Page 51

Vulnerability Disclosure: History

• Vulnerability discovered in early 2012

– 2+ years ago (or 750+ days, or …)

– Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from other researchers (March 2012), but not the early documentation update files

• Vulnerability notified to Apple on February 6, 2014

– The "Month and a Day Rule" (“Yes We Can”)

• E-mails

– Feb 6: standard Apple automated response confirming reception

– Feb 14: Apple asked for a PoC of the permanent disabling

• Sent a detailed response clarifying the attack techniques

• “Thanks for the clarification.”

• A victim iPad got a new update on March 1, 2014

– Saturday: “Apple has changed something on their servers!”

• Without sending any notification to the researcher…

• … and trying to break his demo at Rooted CON 2014

Page 52

Vulnerability Today (1/4)

Page 53

Vulnerability Today (2/4)

• Apple implemented the following check in its iOS software update server (mesu.apple.com) on March 1…

– Pseudo-code (inferred from the server’s observed behavior)

...
/* Process GET request */
if ( header(‘If-Modified-Since’) is missing ) ||
   ( header(‘If-Modified-Since’) > date(now) )
    goto fail;
else
    /* Check the date to reply with a 304 or 200 */
    ...
fail:
    /* Send a ‘200 OK’ response including the current iOS
       software update file, to avoid dates from the future */
    ...


Vulnerability Today (3/4)

• iOS 6
  – StarWars attacks still work
  – Matrix attacks still work
    • iOS 6 does not send the "If-Modified-Since" header
• iOS 7
  – StarWars attacks still work (304)
  – Matrix attacks: change the "Last-Modified" header of the GET response to the current date (minus one minute)
    • "You're inside the Matrix"
    • The device remains on the current version and gets no more updates up to the next one: the planted date is not from the future, so the real server keeps answering 304 until it publishes a file with a newer Last-Modified

DEMO
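To make the two previous slides concrete, the following is an added example (not code from the deck, and not Apple's server code): a model of the mesu.apple.com conditional GET check as reconstructed on the previous slide, a minimal update-checking client, and the two MITM behaviours named above. The catalog bodies, the dates and the one-minute offset are constructed sample data; the only assumption about the client is that it caches the catalog and revalidates it with If-Modified-Since, as the slide says iOS 7 does and iOS 6 does not.

```python
"""Model of the mesu.apple.com conditional GET check and of the StarWars /
Matrix attacks. Added example: not Apple's code and not code from the
DinoSec deck; the server logic follows the pseudo-code on the slide, and
all dates and catalog bodies are constructed sample data."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

UTC = timezone.utc

# Constructed catalogs: (Last-Modified date, body). Dates are invented.
CATALOG_OLD = (datetime(2014, 2, 21, 18, 0, tzinfo=UTC),
               b"<plist>catalog: newest build 7.0.6</plist>")
CATALOG_NEW = (datetime(2014, 3, 10, 17, 0, tzinfo=UTC),
               b"<plist>catalog: newest build 7.1</plist>")


def http_date(dt):
    """RFC 1123 date as used in Last-Modified / If-Modified-Since."""
    return format_datetime(dt, usegmt=True)


def parse_http_date(value):
    """Aware datetime, or None if the header is absent or unparseable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt is None:                      # older Pythons return None
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def mesu_get(request_headers, now, current):
    """Server side after the March 1 change -> (status, headers, body).

    Missing or future If-Modified-Since takes the 'goto fail' path and
    always gets the current file; otherwise a normal conditional GET."""
    last_modified, body = current
    full = (200, {"Last-Modified": http_date(last_modified)}, body)
    ims = parse_http_date(request_headers.get("If-Modified-Since"))
    if ims is None or ims > now:
        return full                     # 'fail:' on the slide
    if ims >= last_modified:
        return (304, {}, b"")
    return full


class Device:
    """Update checker that caches the catalog and revalidates it."""

    def __init__(self, sends_ims=True):
        self.sends_ims = sends_ims      # iOS 6 on the slide: False
        self.catalog = None
        self.last_modified = None

    def request_headers(self):
        if self.sends_ims and self.last_modified:
            return {"If-Modified-Since": self.last_modified}
        return {}

    def check(self, now, current, mitm=None):
        """One update check; 'mitm' may rewrite the server's answer."""
        status, headers, body = mesu_get(self.request_headers(), now, current)
        if mitm:
            status, headers, body = mitm(now, status, headers, body)
        if status == 200:
            self.catalog = body
            self.last_modified = headers.get("Last-Modified")
        return status


def starwars(now, status, headers, body):
    """StarWars: answer 304 Not Modified whatever the server said."""
    return (304, {}, b"")


def matrix(now, status, headers, body):
    """Matrix: serve a stale catalog with Last-Modified = now - 1 minute.
    That date is not 'from the future', so the real server will keep
    answering 304 to it until a newer file is published."""
    planted = now - timedelta(minutes=1)
    return (200, {"Last-Modified": http_date(planted)}, CATALOG_OLD[1])


def run_matrix_scenario():
    """Timeline for an iOS 7-style client; returns the statuses it saw."""
    t0 = datetime(2014, 3, 1, 12, 0, tzinfo=UTC)
    dev = Device()
    return [
        dev.check(t0, CATALOG_OLD),                              # first fetch
        dev.check(t0 + timedelta(hours=1), CATALOG_OLD),         # normal revalidation
        dev.check(t0 + timedelta(days=1), CATALOG_OLD, matrix),  # attacker's answer
        dev.check(t0 + timedelta(days=2), CATALOG_OLD),          # frozen, no MITM present
        dev.check(t0 + timedelta(days=10), CATALOG_NEW),         # thaws on the next file
    ]


def future_date_is_rejected():
    """The March 1 check: a planted future date no longer yields 304."""
    t0 = datetime(2014, 3, 1, 12, 0, tzinfo=UTC)
    dev = Device()
    dev.last_modified = http_date(t0 + timedelta(days=3650))  # planted earlier
    return dev.check(t0, CATALOG_OLD)


def run_ios6_scenario():
    """Client that never sends If-Modified-Since, with and without MITM."""
    t0 = datetime(2014, 3, 1, 12, 0, tzinfo=UTC)
    dev = Device(sends_ims=False)
    return [
        dev.check(t0, CATALOG_OLD),
        dev.check(t0 + timedelta(hours=1), CATALOG_OLD),
        dev.check(t0 + timedelta(hours=2), CATALOG_OLD, starwars),
    ]
```

The Matrix timeline returns 200, 304, 200, 304, 200: after the single attacker-supplied response the device keeps getting 304 from the genuine server on its own, and only a later Last-Modified on the server side unfreezes it. The future-dated variant now returns 200, which is the whole effect of the March 1 change; nothing in it helps a client whose responses are rewritten on the wire.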


Vulnerability Today (4/4)

• Since iOS 7.1…
  – In order to start downloading new iOS updates, the passcode is mandatory… delaying the update process


Glitch in The Matrix

• And if you look carefully you can see it…
Do you remember that sometimes anomalies show up in The Matrix?


Vulnerability Fix(es)

• Why didn't OTA SW updates use HTTPS by design?
  – Did Apple put too much trust in the IPSW integrity verification?
    • Lack of verification of the update contents (e.g. evilgrade, 2010)
  – Lack of verification of the update checks
    • Differentiate between update checks and update contents
      – httpS://mesu.apple.com & http://appldnld.apple.com
    • Caching responses for sensitive checks is probably not a good idea
• Certificate pinning?
  – Performance impact?
    • Again, differentiate update checks from update contents
  – Conspiracy theory or… another developer 'mistake'
    • Design, implementation, QA, security testing… (Apple?)
• MDM solutions: Verify the latest version is applied

iOS OTA was released late 2011… and it is 2014 now!
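The slide asks for HTTPS on the update check and floats certificate pinning. As an added example (not code from the deck, nor Apple's client), here is what pinning the check endpoint looks like in Python's standard library: a small DER walker pulls the SubjectPublicKeyInfo out of the leaf certificate, the pin is base64(SHA-256(SPKI)) in the HPKP/Chromium format, and the connection keeps normal CA and hostname validation and adds the pin on top. The host name and pin set are placeholders; the certificate used to exercise the parser is constructed by hand and is not a real Apple certificate.

```python
"""SPKI pinning for an HTTPS update check. Added example, not code from
the DinoSec deck or from Apple: the DER walker covers the plain X.509
layout, the sample certificate is constructed by hand, and any pin value
or host name used with open_pinned_connection() is an assumption."""
import base64
import hashlib
import socket
import ssl


def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _tlv(data, pos=0):
    """Decode the TLV at pos -> (tag, value, end). Single-byte tags only,
    which is all that X.509's outer structure uses."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert, _ = _tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, end = _tlv(tbs, pos)
    if tag == 0xA0:                  # explicit [0] version present: skip it
        pos = end
    for _ in range(5):               # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    tag, _, end = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin format used by HPKP and Chromium."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    return spki_pin(cert_der) in pins


def open_pinned_connection(host, pins, port=443):
    """TLS socket that keeps CA + hostname validation and additionally
    requires the leaf SPKI pin to be in 'pins'. Network call, so it is
    not exercised offline; 'host' and 'pins' are the caller's assumptions."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("SPKI pin mismatch for %s" % host)
    return sock


# ---- constructed sample certificate (NOT a real Apple certificate) ----------
RSA_OID = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                   + _der(0x03, b"\x00" + bytes(range(1, 65))))   # fake key bits
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                     + _der(0x0C, b"sample"))))
_VALIDITY = _der(0x30, _der(0x17, b"140301000000Z") + _der(0x17, b"150301000000Z"))
_TBS_V3 = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, RSA_OID)) + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)
_TBS_V1 = (_der(0x02, b"\x01") + _der(0x30, _der(0x06, RSA_OID))
           + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)   # no [0] version field
_TRAILER = _der(0x30, _der(0x06, RSA_OID)) + _der(0x03, b"\x00" + b"\xAA" * 16)
SAMPLE_CERT_V3 = _der(0x30, _der(0x30, _TBS_V3) + _TRAILER)
SAMPLE_CERT_V1 = _der(0x30, _der(0x30, _TBS_V1) + _TRAILER)
```

Pinning the SPKI rather than the whole certificate survives routine renewals with the same key; in practice the pin set should also contain an intermediate or a backup key so a key rotation does not brick the update check for every device in the field, which is the performance-and-operations worry the slide hints at. A pin mismatch must fail closed: treating it like a cached 304 would reintroduce the same freeze.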


Real Vulnerability Impact (1/2)

• How many people could I (or others knowing about this, e.g. NSA) have attacked using this 'simple' vulnerability?
  – During the last +2 years
  – Considering all the potential victims available worldwide
    • Some of them very relevant and managing very sensitive information
  – By freezing their device to an old & vulnerable iOS version…
    • Temporarily or permanently
  – … in order to exploit other iOS vulnerabilities, such as…
    • 197 vulns in iOS 6.0, 80 vulns in iOS 7.0, plus others…
  – Ending up with the last goto fail in iOS 7.0.6
    • Including multiple jailbreaks (or wait for the next one…)
  – Silently, without the victim users noticing
    • And even with the option of stealthily reverting the attack back…

Although the vulnerability markets were not very interested in it…


Real Vulnerability Impact (2/2)

Freezing iOS from iOS 6 to iOS 7…


This is the world we live in…

… overly dependent on technology, highly sophisticated, but still immature and very vulnerable


Credits

Raúl Siles
Mónica Salas
E & E
Apple
Jorge Ortiz
Jay Freeman (saurik)
Jan Hindermann
Siletes
camisetasfrikis.es

– Produced by:
– Directed by:
– Casting by:
– IPSW Assistant:
– iOS 5.0 & 5.0.1 files: (March 2012)
– Music by:
– Costume Designer:


Questions?


www.dinosec.com
@dinosec
Raúl Siles
[email protected]
@raulsiles