Injecting into system services without being stopped by sb

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby backendbilly » Sat Dec 08, 2018 3:51 pm

I'm trying to inject into system services (/usr/sbin, /usr/libexec) on iOS 11 but sandbox keeps denying activities such as "deny(1) mach-lookup", "deny(1) file-write-create". Does this mean that additional entitlements are required and/or additional patching is required at the sandbox level within the kernel?
backendbilly
Site Admin
Posts: 140
Joined: Fri May 29, 2015 5:58 pm

Re: Injecting into system services without being stopped by

Postby Siguza » Sat Dec 08, 2018 8:41 pm

Yes. If you want to nuke the sandbox, either would work.

If you have the ability to freely re-sign your binaries, try adding these entitlements:
<key>platform-application</key>
<true/>
<key>com.apple.private.security.no-container</key>
<true/>
and remove the "seatbelt-profile" entitlement, if present.

If you don't have that ability, the quick and dirty way would be to create a dummy binary (just a "while(1)" or so) with said entitlements, and then use tfp0 to steal its kauth creds and insert them into your victim process.

If you want to preserve the sandbox other than for the capabilities your injection needs, you'll have to create a helper daemon along with some IPC mechanism (e.g. a custom MIG system, whose client port you inject into the victim process with mach_port_insert_right).
Siguza
Unicorn
Posts: 181
Joined: Thu Jan 28, 2016 10:38 am
