Zeronights 2016 - Automating iOS blackbox security scanning
Transcript of Zeronights 2016 - Automating iOS blackbox security scanning
ME!
Employer!
“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”
- SYNACK.com
Our privacy. Our money. Our freedoms.
Wouldn’t want to lose any of those things!
For those that don’t know Aarch64: IdaRef documentation plugin: https://github.com/nologic/idaref
In-process
External
Objc_Trace
Call Sequence
Hook Steps
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
// objc_trace: callback invoked before every hooked objc_msgSend call
void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;
    // Only record unseen method calls: a (class, selector) pair that is
    // already in the method cache has been dispatched before.
    if(cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if(!cacheImp) {
        // not in cache, never been called, record the call.
        …

// Find the cache check function cache_getImp: it is located at a fixed
// offset from libobjc's load address (the offset is specific to one libobjc build).
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)(((uint8_t*)libobjc_base) + 97792 + 0x4000);
Machshark
{ '_payload': { '_payload': { '_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                              'type': 2048},
                'magic': '!CPX',
                'version': 5},
  'msgh_bits': 1250579,
  'msgh_id': 268435456,
  'msgh_local_port': '0x30b',
  'msgh_remote_port': '0x10b',
  'msgh_reserved': 2819,
  'msgh_size': 256}
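The dump above is Machshark's view of one captured message. As an added example (not Machshark's own code), the parser below reads the fixed 24-byte mach_msg_header_t and the XPC wire-format prefix (magic, version) from a constructed message with the same header values, and additionally decodes msgh_bits into the port-right types a reviewer would want to see; the constants are taken from <mach/message.h>.

```python
import struct

# mach_msg_header_t: six little-endian 32-bit fields (msgh_id is signed), 24 bytes.
MACH_HDR = struct.Struct("<IIIIIi")
# MACH_MSG_TYPE_* port-right codes carried in the low 5 bits of each msgh_bits byte.
RIGHT_NAMES = {16: "MOVE_RECEIVE", 17: "MOVE_SEND", 18: "MOVE_SEND_ONCE",
               19: "COPY_SEND", 20: "MAKE_SEND", 21: "MAKE_SEND_ONCE", 22: "COPY_RECEIVE"}
MSGH_BITS_COMPLEX = 0x80000000
XPC_MAGIC = b"!CPX"   # 0x58504321 ('XPC!') stored little-endian, as the dump shows it

def decode_bits(msgh_bits):
    """Split msgh_bits into remote, local and voucher right types plus the complex flag."""
    return {
        "remote": RIGHT_NAMES.get(msgh_bits & 0x1F, "NONE"),
        "local": RIGHT_NAMES.get((msgh_bits >> 8) & 0x1F, "NONE"),
        "voucher": RIGHT_NAMES.get((msgh_bits >> 16) & 0x1F, "NONE"),
        "complex": bool(msgh_bits & MSGH_BITS_COMPLEX),
    }

def parse_message(raw):
    """Return a dict in the shape of Machshark's dump for one captured message."""
    if len(raw) < MACH_HDR.size:
        raise ValueError("short mach header")
    bits, size, remote, local, voucher, msg_id = MACH_HDR.unpack_from(raw, 0)
    if size > len(raw):
        raise ValueError("msgh_size exceeds captured bytes")
    body = raw[MACH_HDR.size:size]
    out = {"msgh_bits": bits, "msgh_size": size, "msgh_remote_port": hex(remote),
           "msgh_local_port": hex(local), "msgh_reserved": voucher, "msgh_id": msg_id,
           "rights": decode_bits(bits), "_payload": None}
    # A simple (non-complex) XPC message carries magic + version right after the
    # header; complex messages put descriptors first, so those bodies stay raw here.
    if not out["rights"]["complex"] and len(body) >= 8 and body[:4] == XPC_MAGIC:
        (version,) = struct.unpack_from("<I", body, 4)
        out["_payload"] = {"magic": body[:4].decode(), "version": version, "_payload": body[8:]}
    return out

# Constructed sample: header values from the dump above plus a stub XPC body.
SAMPLE_BODY = XPC_MAGIC + struct.pack("<I", 5) + b"\x00\x00\x08\x00\x00\x00subsystem\x00"
SAMPLE = MACH_HDR.pack(1250579, MACH_HDR.size + len(SAMPLE_BODY),
                       0x10b, 0x30b, 2819, 268435456) + SAMPLE_BODY

if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_message(SAMPLE))
```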
“A little engine for driving the UI while doing blackbox testing of an iOS App”
- CHAOTICMARCH
● Simulate the user
● Read and understand the UI
cy# UIApp.keyWindow
<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>
| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>
...
<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';
| <TiGradientLayer;> (layer)
| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>
| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>
| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>
| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>
● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
while true do
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
    end
    usleep(2 * 1000000)
end
MITM Proxy (diagram labels): Request, Fuzz, Parse, Mutator
1 - Make a post
2 - Get exploited binary/XSS with phish
3 - Steal creds or tokens
4 - Put up a draft
5 - Request messages
6 - Respond with attack content
(diagram labels: Attacker, User)
We focus on this
while true do
local inputs = findOfTypes("UITextField", "")
for index, inputField in pairs(inputs) do
click_button(inputField)
inputText("SomeInput!!")
end
-- touch login
touchDown(3, 138, 619);
usleep(83148.83);
touchUp(3, 141, 615);
check_alert()
end
• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages
Blog: debugtrap.com
Twitter: @hexlogic
Sources:
CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace
Images: http://iconmonstr.com/