Zeronights 2016 - Automating iOS blackbox security scanning
Post on 15-Apr-2017
ME!
Employer: SYNACK.com - “leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
Our privacy. Our money. Our freedoms.
Wouldn’t want to lose any of those things!
For those that don’t know the Aarch64 IdaRef documentation plugin: https://github.com/nologic/idaref
In-process
External
Objc_Trace

Hook Steps:
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable

Call Sequence
Only record unseen method calls:

typedef IMP (*p_cache_getImp)(Class cls, SEL sel);
static p_cache_getImp c_cache_getImp;

void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    IMP cacheImp = NULL;
    Class cls = object_getClass(self);
    if(cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if(!cacheImp) {
        // not in cache, never been called, record the call.
        …
    }
}

Find the cache check function cache_getImp (not exported, so it is resolved at a fixed offset from libobjc's load address; the offset below is the one from the talk):

const struct mach_header* libobjc_base = libobjc_dylib_base();
// add the offset to the byte address first, then cast to the function pointer type
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
Machshark

{ '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha', 'type': 2048},
                'magic': '!CPX',
                'version': 5},
  'msgh_bits': 1250579,
  'msgh_id': 268435456,
  'msgh_local_port': '0x30b',
  'msgh_remote_port': '0x10b',
  'msgh_reserved': 2819,
  'msgh_size': 256}
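As an added example (not machshark's own code), the parser below reads a captured mach message into the same field names as the dump above, decodes the port dispositions packed into msgh_bits, and recognises the XPC '!CPX' magic at the start of the body. It assumes the standard 24-byte little-endian mach_msg_header_t layout (the fifth field is named msgh_reserved here to match the dump); the sample bytes are constructed from the header values in the dump with a zero-padded body.

```python
import struct

# mach_msg_header_t: six little-endian uint32 fields (layout from mach/message.h).
MACH_MSG_HEADER = struct.Struct("<IIIIII")
HEADER_FIELDS = ("msgh_bits", "msgh_size", "msgh_remote_port",
                 "msgh_local_port", "msgh_reserved", "msgh_id")
# Port dispositions carried in msgh_bits (MACH_MSG_TYPE_* values).
DISPOSITIONS = {0: "NONE", 16: "MOVE_RECEIVE", 17: "MOVE_SEND", 18: "MOVE_SEND_ONCE",
                19: "COPY_SEND", 20: "MAKE_SEND", 21: "MAKE_SEND_ONCE"}
MACH_MSGH_BITS_COMPLEX = 0x80000000
XPC_MAGIC = b"!CPX"  # 0x58504321 as stored little-endian on the wire

def decode_msgh_bits(bits):
    """Split msgh_bits into remote/local/voucher dispositions plus the complex flag."""
    def name(v): return DISPOSITIONS.get(v, hex(v))
    return {"remote": name(bits & 0x1F), "local": name((bits >> 8) & 0x1F),
            "voucher": name((bits >> 16) & 0x1F),
            "complex": bool(bits & MACH_MSGH_BITS_COMPLEX)}

def parse_mach_msg(raw):
    """Parse a captured mach message into a dict shaped like the machshark dump."""
    if len(raw) < MACH_MSG_HEADER.size:
        raise ValueError("capture shorter than mach_msg_header_t")
    msg = dict(zip(HEADER_FIELDS, MACH_MSG_HEADER.unpack_from(raw)))
    # msgh_size covers header and body; trust it only within the captured bytes.
    if msg["msgh_size"] > len(raw):
        raise ValueError("msgh_size %d exceeds captured %d bytes" % (msg["msgh_size"], len(raw)))
    body = raw[MACH_MSG_HEADER.size:msg["msgh_size"]]
    msg["msgh_remote_port"] = hex(msg["msgh_remote_port"])
    msg["msgh_local_port"] = hex(msg["msgh_local_port"])
    msg["bits"] = decode_msgh_bits(msg["msgh_bits"])
    payload = {"_msg": body}
    if len(body) >= 8 and body[:4] == XPC_MAGIC:
        # XPC wire format: 4-byte magic, 4-byte version, then the serialized object.
        payload = {"magic": XPC_MAGIC.decode(), "version": struct.unpack_from("<I", body, 4)[0],
                   "_payload": {"_msg": body[8:]}}
    msg["_payload"] = payload
    return msg

# Constructed sample: header values from the talk's dump, XPC preamble, zero-padded body.
SAMPLE = MACH_MSG_HEADER.pack(1250579, 256, 0x10b, 0x30b, 2819, 268435456)
SAMPLE += XPC_MAGIC + struct.pack("<I", 5)
SAMPLE += b"\x00" * (256 - len(SAMPLE))

if __name__ == "__main__":
    print(parse_mach_msg(SAMPLE))
```

On the dump's msgh_bits value the decoder reports a COPY_SEND remote port, a MAKE_SEND_ONCE reply port and a COPY_SEND voucher, which is the usual shape of an XPC request with a reply expected.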
“A little engine for driving the UI while doing
blackbox testing of an iOS App”
- CHAOTICMARCH
● Simulate the user
● Read and understand the UI
cy# UIApp.keyWindow
<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
...
<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
| <TiGradientLayer;> (layer)
| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
Source

local clickedButtons = {}
while true do
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
    end
    usleep(2 * 1000000)
end
MITM Proxy (diagram labels: Request, Fuzz, Parse, Mutator)
1 - Make a post
2 - Get exploited binary/XSS with phish
3 - Steal creds or tokens
4 - Put up a draft
5 - Request messages
6 - Respond with attack content
(diagram labels: Attacker, User)
We focus on this
while true do
    local inputs = findOfTypes("UITextField", "")
    for index, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
    end
    -- touch login
    touchDown(3, 138, 619);
    usleep(83148.83);
    touchUp(3, 141, 615);
    check_alert()
end
Source
• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages
Blog: debugtrap.com, Twitter: @hexlogic
Sources:
CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace
Images: http://iconmonstr.com/