The Making of the FOCUS 11 Apple iPad Hack White Paper McAfee

White Paper
The Making of the FOCUS 11 Apple iPad Hack
By Gabriel Acevedo and Michael Price
McAfee® Labs™
Table of Contents
Motivation
3
Research
4
The iOS SSL implementation vulnerability
4
The “JailbreakMe” vulnerability
5
The Hack
5
Hardware5
Software and tools
6
Scenario7
Attack8
Results10
2
Conclusions
11
Acknowledgements
12
About the Authors
12
The Making of the FOCUS 11 Apple iPad Hack
In October of last year, McAfee hosted its FOCUS 2011 conference. McAfee Labs offered customers
several talks on malware and other threats as well as on myriad security topics. One of the most popular
events was the Hacking Exposed keynote, which drew more than 2,000 people. Most of the attendees
turned off their laptops, phones, Apple iPads, and other devices when McAfee CTO Stuart McClure
announced that his team would perform live hacks at the session. We had seen a lot of buzz on Twitter
and other social networks looking forward to the hack that everyone at the conference was talking
about. Some skeptics claimed it would not be a live demo, but within moments of the start, people
confirmed that the fake FOCUS Wi-Fi hotspot was indeed live.
We aimed a TV camera at our soon-to-be-hacked demo iPad screen so that the attendees could follow
along. While McClure loaded Gmail via a secure sockets layer (SSL) connection, we could see the HTTPS
URI scheme and the lock icon on Safari. Under the hood, an exploit was loading and installing a secure
shell (SSH) server. A few seconds later, the crowd applauded appreciatively as the iPad screen appeared
on our VNC remote-control client. The iPad was compromised. We had root access through the Terminal
and also graphical access through VNC that allowed us to see what McClure was doing and allowed
us to interact with his device. A typical iPad user in this situation would have no clue that we had such
powerful control of the system. The victim was not visiting a malicious website, but was simply checking
email via a secured connection. How was this hack possible?
In this report we’ll answer that question, as well as explain our research, the problems we faced, and the
tools we authored.
(We explain the techniques we used in this report only to provide education and awareness of the facts
and security principles involved with these techniques. McAfee does not use and does not endorse using
these techniques to violate applicable law or the boundaries of ethical behavior.)
Motivation
In July 2011, a vulnerability in a basic constraint-validation error in iOS SSL certificates validation
chain was disclosed by TrustWave’s SpiderLabs.1 Their researchers found it was possible to generate a
bogus certificate using another certificate that, although valid, was not meant to be used to generate
certificates for other websites. SpiderLabs, however, didn’t provide many details. How complicated was
it to reproduce the vulnerability? What uses could attackers make of this vulnerability other than to sniff
data meant to be private?
It’s been some time now since the vulnerabilities used by jailbreakme.com (collectively known as
JailbreakMe, or JBME) were disclosed. So far, the only public use we have seen for them is at jailbreakme.
com. Jailbreaking an Apple device is desirable for many people. However, what some people may not
realize is that the JBME technique exploits vulnerabilities to gain control of the device and, as with any
other vulnerabilities, these weaknesses could be used for malicious purposes.
What would happen if we were to combine those two vulnerabilities? Is it possible to use them in
a sophisticated, silent, and effective attack? Note that the SSL vulnerability was not necessary to
perform the hack, but we wanted to prove that even when the victim thinks it is safe, it is still possible
to compromise the device. So our idea was to exploit the system while the victim was visiting a bank
website, checking email, or making a payment online—all through an SSL connection.
Both of these vulnerabilities have been fixed in recent versions of Apple’s iOS. However, a lot of users
have not upgraded for various reasons—from simple ignorance to the fact that they want to jailbreak
their devices and install applications not available in the Apple App Store. How many of these users are
still vulnerable?
We’ve just posed a lot of questions. In the following sections we shall answer them.
The Making of the FOCUS 11 Apple iPad Hack
3
Research
The iOS SSL implementation vulnerability
In July 2011 Paul Kehrer and Gregor Kopf disclosed an input-validation-error vulnerability (CVE-20110228) in Apple iOS. The mobile operating system failed to validate the X.509 certificates chain, making it
possible for an attacker to capture or modify data protected by SSL/TLS and perform “man in the middle”
(MITM) attacks. The vulnerability affected iOS Versions 4.3.4 and earlier for GSM network devices, and
Versions 4.2.9 and earlier for CDMA network devices. The researchers notified Apple, which released
security updates HT4824 and HT4825 for CDMA devices.2,3 Later, during DEFCON 19, Kehrer revealed
more details, including that iOS ignored the X.509 v3 basic constraints extension.4
Certificates issued for root and intermediate entities must include the basic constraints extension with
the CA field set to TRUE.5 For example:
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
However, for user certificates the CA parameter should be set to FALSE. For example:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
The flaw in these versions of iOS allows an attacker to use a legitimate non-CA certificate (CA:FALSE)
to sign subsequent certificates for any domain and make the devices accept them without any warning,
just like a regular X.509 certificate signed by a valid entity. For example, the following certificate chain
will work on iOS Version 4.3.4, but not in patched versions (such as Version 4.3.5):
Root Certificate
Intermediate Certificate (CA:TRUE)
End User Certificate (CA:FALSE)
Some Arbitrary Domain Certificate—Trusted
The basic constraints extension also has an optional parameter: pathlen. This parameter indicates the
maximum number of certificates that can appear below this one in the chain. So, considering the
example above, if the Intermediate Certificate has the pathlen parameter set to zero, the iOS device will
not trust the Some Arbitrary Domain Certificate generated by the End User Certificate. The following
certificate chain will not work even on iOS 4.3.4.
Root Certificate
Intermediate Certificate (CA:TRUE,pathlen:0)
End User Certificate (CA:FALSE)
Some Arbitrary Domain Certificate—Not trusted
4
The Making of the FOCUS 11 Apple iPad Hack
We came to this conclusion while trying to reproduce this vulnerability. The original advisory said that
iOS fails to recognize all the basic constraints, but we concluded that the vulnerable versions would
ignore only the CA value.
Therefore, to generate a bogus X.509 certificate to exploit the CVE-2011-0228 vulnerability, the
certificate in the chain immediately preceding the certificate that generates the bogus certificate should
not include the pathlen parameter—or it should contain a large enough pathlen value.
The “JailbreakMe” vulnerability
JBME is a website that contains a collection of jailbreaks for different versions of iOS. The breaks were
designed by comex and take advantage of flaws in Safari and the kernel. The first version was released
in 2007 and worked for iPhone and Apple iPod Touch firmware 1.1.1. A second version was released
in August 2010 for iOS 4.0.1, and the latest version was released in July 2011. It works for iOS 4.3.3.
Apple fixed the vulnerabilities used by JBME in iOS Version 4.3.4.
The July 2011 version of JBME—also known as Saffron—exploits a vulnerability (CVE-2011-0226) in
Mobile Safari’s FreeType parser component, using a specially crafted PDF file. The routine in the PDF
will construct and load a return-oriented programming payload into the stack and exploit a kernel
vulnerability in the IOMobileFrameBuffer IOKit interface (CVE-2011-0227). The routine will then use
another payload to modify some kernel functions to disable the code-signing enforcement and gain
root privileges. Once the exploitation is complete, an attacker could install unsigned applications such as
Cydia and all the apps provided through that system.6
Thousands of people use JBME to jailbreak their devices, to access applications not available on the
Apple App Store or to modify settings restricted to regular users. But what people sometimes don’t
realize is that their devices are being exploited to allow the jailbreak to succeed.
The Hack
Hardware
We didn’t need much: we used an Apple MacBook Air laptop and a wireless dongle. We used the
dongle to roam and find different points from which to launch our demo attack.
The MacBook Air is very handy for conferences, cafés, or airport lounges. A Mac is required to rebuild
the malicious PDF. For the rest, it shouldn’t matter what laptop or desktop computer you use, but the
operating system should be a Unix-like system such as Mac OS X, Linux, or FreeBSD. These make it easier
to forward traffic using a kernel firewall like ipfw or iptables. You will also need some tools that come
installed by default on such operating systems.
The Making of the FOCUS 11 Apple iPad Hack
5
Software and tools
We used a couple of handy applications to perform the hack. Some were simple scripts, others were
sophisticated software such Apache HTTP Server, tools included by default with the operating system,
and a few custom applications.
To generate the PDF we needed comex’s star_. It contains all the files to generate the malicious PDF,
which requires posixninja’s xpwn tool.7 In that project, you will also find the kernel’s exploit. You will
need a custom decrypted iPad’s firmware, or generate your own using xpwn (decryption keys are not
always included).8 Using comex’s tools and instructions, we generated the following files:
•
PDF: takes initial control of the system
•
freeze.tar.xz: package contains the files and apps (such as VNC) to be installed
•
install-3.dylib: dynamic library used during the exploitation
•
saffron-jailbreak.deb: package contains a series of binaries to bootstrap the installation process
To serve the exploit and apps to the iPad, we used the Apache HTTP Server, known as the Web Sharing
component, included in Mac OS X. The web server had to serve content using SSL, so it was necessary
to create an SSL certificate for it. We did that using the OpenSSL tool included by default in OS X.
We used tcpdump (included by default in OS X) to verify that the exploit was requested successfully
by the iPad. We configured the freeze.tar.xz payload to drop a file in /var/mobile/Media/post-jailbreak,
which is executed by the star exploit (if it is present). In that file we included a ping command to our
system to let us know when SSH was up. We used tcpdump to verify if the iPad was pinging our laptop.
We needed BSD’s ipfw tool to set some firewall rules on the laptop to redirect the iPad traffic to our
MITM tool, iSniff.
iSniff was written by hubert3 and was inspired by Moxie’s sslsniff tool.9 Hubert3’s tool sniffs the SSL
traffic by sending fake certificates generated on the fly to the victim. We edited iSniff’s source code to
be able to modify the data the victim was sending to the server and vice versa. (iSniff was designed to
run on Debian GNU/Linux, so we modified it to work on OS X.)
6
The Making of the FOCUS 11 Apple iPad Hack
Scenario
We used the USB wireless interface on our MacBook to connect to the FOCUS Wi-Fi hotspot and
the built-in Airport wireless interface to create a hotspot with an SSID name similar to the legitimate
network’s name. By coming close to the real thing, our hotspot name might make the victim connect
to our network. A simple trick is to take a regular SSID name and make another with a space in front of
the name. That makes the imitation hotspot name go on the top of the networks list.
Attackers will normally leave the hotspot open (requiring no password). In this case, however, we added
a password so that attendees of our session were not involuntarily hacked.
The Making of the FOCUS 11 Apple iPad Hack
7
Attack
We connected the laptop to the Internet using the wireless dongle, started the web server, and shared
the Internet connection through Airport to make the victims believe that we were a free Wi-Fi hotspot.
We opened a couple of tabs in the Mac’s Terminal app. In the first one, we started tcpdump and had it
listen on the shared network interface. On the second Terminal tab, we create a couple of firewall rules
using ipfw. One rule was particularly helpful:
sudo ipfw add 1013 fwd 127.0.0.1,2000 tcp from any to any 443 recv en1
In this rule, 1013 is the rule number, 127.0.0.1,2000 indicates where the MITM proxy is listening, 443
indicates that we want to intercept connections through the standard port for SSL, and en1 is the
network interface through which we are sharing the Internet connection. Next we started the MITM
proxy server (iSniff). It’s configured to listen on port 2000.
We watched our victim visit https://mail.google.com on the iPad.
The proxy intercepts the victim’s connection, generates a certificate for the domain name the victim is
trying to reach (mail.google.com), sends the certificate to the victim to establish a “secure” connection
with the device, and finally impersonates the victim to establish a connection to the final destination.
Because the vulnerable iOS version cannot verify the SSL certificate chain, it trusted the certificate we
generated and did not raise any alarms nor return any errors. In this scenario, we saw all the traffic
going in and out and we could also modify it.
8
The Making of the FOCUS 11 Apple iPad Hack
The MITM tool modified the victim’s HTTP request and asked the server for a noncompressed page,
making it easier for us to process and modify the returned web page to insert an iframe HTML element
just before the HTML’s </body> closing tag.
The iframe contained a web page with a link to load a malicious PDF. We could reduce the size of the
iframe to make it almost imperceptible to the user. We could also insert it at the very bottom of the
page. In our hack, we kept the size large so the audience could view it on screen.
The PDF file contained a specially crafted FreeType Type 1 font to exploit the Mobile Safari web browser
and execute special code to download a payload to the device. The iPad downloaded all of those files
(saffron .deb package, freeze.tar.xz, install.dylib) from our local HTTP server. Because we generated an SSL
certificate for the domain that pointed to our local machine, the connection remained under SSL while
downloading the PDF, making Safari display the lock icon all the time and making the victim feel safe.
In exploiting the victim’s iPad we downloaded a payload that installed the SSH server, VNC, and a couple
of dependencies from our HTTP server. JBME would usually install Cydia at this point, but we didn’t
want to reveal any signs of an attack, so we modified the JBME star_ code to not create an icon on the
desktop nor to install Cydia. We used the postinstall script to remove some of our fingerprints, such as
the VNC icon and settings from the iOS System Settings menu. The postinstall script then issued a ping
command to let us know that the device was ready and accepting connections on port 22. We detected
the ping with tcpdump running on Terminal.
The Making of the FOCUS 11 Apple iPad Hack
9
Results
Next we used SSH to reach the device as root and could do whatever we wanted: read private messages,
download private pictures, grab the contact list, install more applications (a keylogger, perhaps), and more.
10
The Making of the FOCUS 11 Apple iPad Hack
We reloaded the iPad’s interface to make the VNC server properly respond to our connections. Then we
started our favorite VNC client and connected to the device. We saw everything the victim did on the
iPad and even interacted with it.
While we were working under the hood, the victim continued to navigate in Gmail and visit websites,
unaware that we had broken into the system and had compromised all its private data.
As soon as the iPad springboard appeared on the screen, our FOCUS audience started to applaud. Some
of them approached us to ask questions and in some cases to make sure that we didn’t hack anybody
during the conference. Of course, we did not. We just demonstrated what evil people are capable of.
Conclusions
The Apple iOS is more secure than many other operating systems, but it’s not impenetrable.
Vulnerabilities in this operating system and its applications are sometimes discovered. Despite Apple’s
marketing efforts to the contrary, we cannot rely solely on the vendor to secure our mobile devices.
The moment we think we are safe, we become vulnerable. For this hack, it didn’t matter whether the
victim was using SSL. All we needed was an unaware or unconcerned victim. We tend to think that the
security of our systems—and the security of our data, our money, and our online identity—can rely on
just a strong password, or a big and expensive firewall (or any other appliance), or a good anti-malware
program. Actually, our security relies on a combination of all of these. But the most important thing we
need in order to secure ourselves online is awareness. We must be conscious that bad guys are online,
that vulnerabilities exist, and that we need to fix or cover them.
The Making of the FOCUS 11 Apple iPad Hack
11
Sometimes, a single vulnerability seems to be harmless. If you look at each separately, you may think it
impossible that someone can use the flaw to break into your device. However, if you put a couple of
vulnerabilities together, they can become a serious risk. Also, keep in mind that many good things can
be repurposed and turned into bad things. Good tools in the wrong hands can become weapons to
break into our systems.
Vulnerabilities are present in most software. We have to stay alert to vendors’ advisories and install
patches or take countermeasures to prevent compromise. We can also benefit from security tools that
alert us to vulnerable software in our networks.
Acknowledgements
We thank Stuart McClure for his constant encouragement and Raul Collantes for his help with ideas
and reviews.
About the Authors
Gabriel Acevedo is a security researcher in the McAfee Labs office in Santiago, Chile. He researches new
and existing vulnerabilities on Microsoft Windows and Unix platforms, security appliance devices, and
other systems. Acevedo is part of the McAfee Vulnerability Management Content team (formerly called
McAfee Foundstone®), a global team responsible for implementing software checks to detect the presence
of vulnerabilities on remote computer systems. He also leads the Mobile Security Working Group, which is
part of McAfee Labs, doing collaborative security research on mobile and embedded devices.
Michael Price is the former senior operations manager for McAfee Labs in the Santiago office. While
with McAfee, he worked with external entities in Chile and Latin America and promoted technical
excellence and innovation. Price is now chief architect for iOS at Appthority, where he researches iOS
and application security.
Kehrer, Paul. “Trustwave’s SpiderLabs Security Advisory TWSL2011-007,” July 2011. https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
Apple. “About the security content of iOS 4.3.5 Software Update for iPhone,” July 2011. http://support.apple.com/kb/HT4824
3
Apple. “About the security content of iOS 4.2.10 Software Update for iPhone,” July 2011. http://support.apple.com/kb/HT4825
4
Percoco, Nicholas and Paul Kehrer. “Getting SSLizzard,” August 2011. http://defcon.org/html/defcon-19/dc-19-speakers.html#Percoco
5
For more on certificate authorities and certificates, see http://mcaf.ee/2mjdv
6
Bédrune, Jean-Baptiste. “Analysis of the jailbreakme v3 font exploit,” July 2011. http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
7
https://github.com/comex/star_
8
https://github.com/posixninja/xpwn
9
https://github.com/hubert3/iSniff
1
2
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information
contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com
McAfee, the McAfee logo, McAfee Labs, and McAfee Foundstone are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in
the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and
descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind,
express or implied. Copyright © 2012 McAfee, Inc.
41724wp_ipad-hack_0212_ETMG