Injecting into system services without being stopped by sb

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby backendbilly » Sat Dec 08, 2018 3:51 pm

I'm trying to inject into system services (/usr/sbin, /usr/libexec) on iOS 11 but sandbox keeps denying activities such as "deny(1) mach-lookup", "deny(1) file-write-create". Does this mean that additional entitlements are required and/or additional patching is required at the sandbox level within the kernel?
backendbilly
Site Admin
Posts: 138
Joined: Fri May 29, 2015 5:58 pm

Re: Injecting into system services without being stopped by

Postby Siguza » Sat Dec 08, 2018 8:41 pm

Yes. If you want to nuke the sandbox, either would work.

If you have the ability to freely re-sign your binaries, try adding these entitlements:
<key>platform-application</key>
<true/>
<key>com.apple.private.security.no-container</key>
<true/>
and remove the "seatbelt-profile" entitlement, if present.

If you don't have that ability, the quick and dirty way would be to create a dummy binary (just a "while(1)" or so) with said entitlements, and then use tfp0 to steal its kauth creds and insert them into your victim process.

If you want to preserve the sandbox other than for the capabilities your injection needs, you'll have to create a helper daemon along with some IPC mechanism (e.g. a custom MIG system, whose client port you inject into the victim process with mach_port_insert_right).
Siguza
Unicorn
Posts: 203
Joined: Thu Jan 28, 2016 10:38 am
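A defender-side complement to the entitlements discussed above: the combination Siguza describes (platform-application plus no-container, with no seatbelt-profile) is exactly what an audit of signed binaries should flag. The following is an added example, not code from the thread; it takes an entitlements plist as bytes (on macOS, `codesign -d --entitlements :- <binary>` emits one) and reports whether the sandbox-lifting combination is present. The sample plists are constructed for illustration.

```python
import plistlib

# Entitlements named in the thread: the first two lift the container/sandbox,
# the third applies a custom seatbelt profile. A binary carrying both of the
# first two with no seatbelt-profile is the "nuke the sandbox" configuration.
SANDBOX_LIFTING = {
    "platform-application",
    "com.apple.private.security.no-container",
}
PROFILE_KEY = "seatbelt-profile"


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist and flag the sandbox-lifting combination."""
    ents = plistlib.loads(plist_bytes)
    # Only a literal <true/> counts; a missing key or <false/> does not lift anything.
    lifted = sorted(k for k in SANDBOX_LIFTING if ents.get(k) is True)
    profile = ents.get(PROFILE_KEY)  # None when the entitlement is absent
    return {
        "lifted": lifted,
        "profile": profile,
        "sandbox_lifted": len(lifted) == len(SANDBOX_LIFTING) and profile is None,
    }


# Constructed sample: the unsandboxed combination from the thread.
SAMPLE_LIFTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>platform-application</key><true/>
<key>com.apple.private.security.no-container</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed sample: same flags, but a seatbelt-profile is still applied,
# so the profile (not the absence of one) governs what the process may do.
SAMPLE_PROFILED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>platform-application</key><true/>
<key>com.apple.private.security.no-container</key><true/>
<key>seatbelt-profile</key><string>container</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("lifted", SAMPLE_LIFTED), ("profiled", SAMPLE_PROFILED)):
        print(name, audit_entitlements(blob))
```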

Re: Injecting into system services without being stopped by

Postby backendbilly » Thu Dec 13, 2018 6:46 pm

I was able to add the necessary entitlements and remove the seatbelt-profile, sign, and add to trustcache right after the exploit takes effect during the JB process because, as you're aware, AMFI will invalidate the signature on boot and will cause the system to boot (essentially becomes a boot loop).

Now the issue I'm facing is the process (pid 612, the injector) I'm using to control the /usr/sbin/binary is getting denied by the kernel as shown below:

SpringBoard(BaseBoard)[395] <Error>: Unable to obtain a task name port right for pid 612: : (os/kern) failure (0x5)


So the error seems to indicate that SpringBoard/BaseBoard is/are unable to obtain a task port right (send/receive?) to the inject process. The injector does use UIKit and other frameworks to control the process in question.

Any ideas are appreciated.

Billy
backendbilly
Site Admin
Posts: 138
Joined: Fri May 29, 2015 5:58 pm
