recent articles

Return-oriented programming (ROP) allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing using ROP Gadgets. More details about ROP can be found here. In this blog post, we will be writing a ROP Chain for the rop binary. The binaries for this article can be found here. Your task here is to call the function chain1 followed by chain2 SSH to your Corellium or iOS device and run the rop binary $ rop Run the rop command ./rop Nothing much happnes, however on...

In this blog post, we will be exploiting a Use-after-free vulnerability in the vuln binary. The binaries for this and the next article can be found here. This UaF challenge is based on the one used by Protostar Use-after-free vulnerabilities occurs on the use of heap allocated memory after it has been freed. This can lead to several unexpected behaviours, from a crash to code execution. Anyways, let’s get started. Copy the vuln binary to your iOS or Corellium device. Run the binary vuln. You get a message that says “Better luck next time”...

Hi Everyone ! In this blog series, we will be understanding the ARM instruction set and using that to reverse ARM Binaries followed by writing exploits for them. So let’s start with the basics of ARM64. ARM64 Intro ARM64 is a family of RISC (reduced instruction set computer) architecture. The distinguishing factor of a RISC architecture is the use of a small, highly-optimized set of instructions, rather than the more specialized set often found in other types of architecture (for e.g CISC). ARM64 follows the Load/Store approach, in which both operands and destination must...

In this article, we will get an in-depth look at the voucher_swap vulnerability and all the steps leading up to getting the kernel task port. All credit for the vulnerability and the PoC goes to @_bazad Reference Counting The bug in this article is a reference counting issue due to MIG generated code. But let’s understand first what is reference counting ? Reference counting is a form of simple yet effective memory management. It is basically a way to keep a count of the number of references to an object held by other objects....

On Jan 22, 2019, Google Project Zero researcher @_bazad tweeted the following. If you’re interested in bootstrapping iOS kernel security research (including the ability to forge PACs and call arbitrary kernel functions), keep an A12 research device on iOS 12.1.2. — Brandon Azad (@_bazad) January 22, 2019 It was a reference counting bug in MIG (Message Interface generator) generated code. The PoC included a code snippet that would trigger the bug and cause a kernel panic. This was followed later by a complete PoC that provided the Kernel task port (tfp0) to userland thereby...

In this article, we will have a look at passionfruit which is an iOS blackbox app analysis tool based on Frida . It also provides a really nice web GUI which makes analysis relatively easy. Here is the list of features as per their Github page. Cross plarform web GUI! Also supports non-jailbroken device (see Non-jailbroken device). List all url schemes. Check signature entitlements. List human readable app meta info (Info.plist). Capture screenshot. Checksec: see if target app is encrypted, and has enabled PIE, ARC and stack canary. App sandbox file browser. Directly preview...

In this article, we will talk about another framework for assessing iOS apps named Needle. Released by MWR labs and written by Marco Lancini, it provides a lot of modules that with help automate a lot of the tasks while doing iOS security assessments. Needle requires a jailbroken device and uses an agent installed on the jailbroken device that communicates with the host installed on the computer. At the time of writing of this article, Needle supports devices until iOS 10 only. To install Needle, add the source http://mobiletools.mwrinfosecurity.com/cydia/ in Cydia and then search...

In this article, we will continue looking into Objection and some of the use cases it provides. One of the most useful features objection provides is the ability to bypass jailbreak detection. This might not be always effective since it’s only looking for certain checks that an application will do to detect a jailbroken device and hooks them to return a false value. But any application can deploy a check not looked into by objection and the jailbreak detection bypass will fail. Neverthless, this feature might be useful in many cases where the apps...

In the previous few articles, we have looked at how we can use Frida to perform dynamic instrumentation of applications. In this article, we will look at a tool based using Frida’s capabilities, known as objection, which can be very useful in testing iOS applications on non-jailbroken devices. The only thing that is required is an unencrypted IPA (insert Frida Gadget using insert_dylb) or the source code. Since in the previous article we already looked at how we can add a Frida dylib into the source code and do instrumentation, we will carry forward...

In this article, we will look at how to dump decrypted IPA file for an application using frida and then look at how to set up Frida for dynamic instrumentation on a non-jailbroken device. To dump an IPA, we will use an open source tool known as frida-ios-dump which can be found on https://github.com/AloneMonkey/frida-ios-dump. The first thing is to set up port forwarding. This can be done by using iproxy. By default frida-ios-dump will connect from local port 2222 to remote port 22. So this is what we will set up with iproxy as...

In the previous article, we looked at Runtime Manipulation with Frida. In this article, we will look at how we can bypass Touch ID authentication in certain iOS applications using Frida. We will be performing the tests on the swift version of Damn Vulnerable iOS app which can be downloaded from damnvulnerableiosapp.com. Open the app and navigate under the section Touch/Face ID Bypass Authentication can be done in multiple ways, and can use different languages (Objective-C or Swift). One of the ways is to use the LAContext class using the Local Authentication framework. The...

In the previous article, we looked at Frida APIs and some examples of how to hook into methods, log the arguments, find the return value etc. In this article, we will look at how we can use Frida to do runtime patching of the application. Specifically, we will solve the following 2 challenges in DVIA-v2. You can download the Swift version of the app from damnvulnerableiosapp.com. An app can still have some sections in Objective-C which can be swizzled and this is what we will be taking advantage of in this article. Jailbreak Detection...

In the previous article, we had a basic introduction to Frida. In this article, we will look at some of the APIs that Frida provides to automate a lot of this stuff. Frida provides APIs in Javascript, Swift and C to interact with apps. This can be used to perform injection, runtime manipulation, reading the memory etc. It also has an API in python but it is very high level and restricted at the moment. It still has been used to create many useful scripts that are invaluable for iOS app security assessments. The...

In this article, we will talk about Frida. Frida is a dynamic instumentation toolkit which can prove to be extremely useful in iOS application assessments. It can be used to assess apps on jailbroken and non-jailbroken devices (provided you have the source code) .We will look at all these examples in this and the coming few articles. Let’s start first with assessment over jailbroken devices. Frida basically works on a client-server model. The client is running on your computer and the server on the iOS device. To install frida on your computer, simple issue...

I am glad to release a completely new version of Damn Vulnerable iOS App written in Swift 4. With developers now migrating to Swift for developing apps, it is important to have a testbed app for iOS in Swift. Though I have added some sections in Objective-C too which the users can test to learn Objective-C related vulns. The following vulnerabilities are covered in this version. Local Data Storage - Data Storage in Plist, UserDefaults, Keychain, CoreData, Webkit Cache, Realm, Couchbase and YapDatabase. Jailbreak Detection - 5 challenges in this section. Apart from the...

One of the most common misconfiguration issues that i find during testing iOS apps is the bypass of the App Transport Security feature introduced by Apple in iOS 9. Here’s an excerpt from Apple’s documentation about ATS. Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must...

In this article, i would like to give a quick walkthrough of the new vulnerabilities and challenges that we have added in version 1.5 of Damn Vulnerable iOS app. In the Insecure Data storage section, we have added challenges for the following databases. Realm Database Couchbase Lite YapDatabase We have also added a new section on Extension vulnerabilities, which covers vulnerabilities in different application extensions, a feature that was introduced with iOS 8. In the Runtime Manipulation section, we have added a challenge where you can write a cycript script to brute force a...

In this small article, we will look at a very handful utility named Xconfor bypassing Jailbreak detection. As per the wiki page … xCon is a collaborative project by n00neimp0rtant and Lunatik that aims to be an all-in-one solution for hooking every known method and function responsible for informing an application of a jailbroken device. At first, the project aimed to patch applications on a per-app basis, but now it uses lower-level hooks to cover any apps that attempt to use the same procedure, even patching apps not explicitly reversed by the developers. Originally...

In this article, we will talk about FAT binaries and see more usage of LLDB. Fat binaries are single binaries that are compiled for different architectures. They are done so because it is easier to ship a single binary for different architectures. Apple has been changing the architecture in the last three versions of it’s iPhones, armv7, armv7s, and arm64. The good thing is that new iOS devices can run applications compiled for older architectures as well. However it is recommended to upgrade the architecture of the application for enhanced performance. You can see...

In this article, we will look at some of the most important commands in LLDB to debug applications. If you have been following this blog series, you would have noticed that we have been using GDB until now for debugging applications, but the support for GDB has been disabled by Apple. Apple has compiled a very useful list of GDB to LLDB commands to get you up to date with debugging via LLDB that can be found here. We will look at some of the most important commands after hooking into an application. In...