Post AS4ZkcGcWN7EcFhnMG by zhuowei@notnow.dev
Post #AS3uwlzK6lkq7TIE9w by zhuowei@notnow.dev
       2023-01-27T08:03:47.987244Z
       
       0 likes, 0 repeats
       
        I got `tccd` to make a sandbox extension for reading/writing outside the sandbox on iOS 16.1RC, using Ian Beer's CVE-2022-46689 (MacDirtyCow) exploit: https://gist.github.com/zhuowei/bc7a90bdc520556fda84d33e0583eb3e

        I can't do anything with this yet: I can't find anything to overwrite. Also, I don't have an offset finder.

        I tried all the options from TrollTools using my sandbox extension, but only the "lock screen footnote" option worked; the rest all do nothing.

        I guess sandbox extensions are less powerful than a TrollStore app with no-sandbox entitlement...
       
Post #AS4ZkcGcWN7EcFhnMG by zhuowei@notnow.dev
       2023-01-27T15:41:01.200833Z
       
       0 likes, 0 repeats
       
       OK, I tried adding a patchfinder for tccd, so https://gist.github.com/zhuowei/bc7a90bdc520556fda84d33e0583eb3e should be able to run on arm64e devices - haven't tested on anything other than iPhone 14 Pro / iOS 16.1 RC, though
       
Post #AS4ZwzDd0rSbH5CjgG by opa334@infosec.exchange
       2023-01-27T15:26:41Z
       
       1 likes, 0 repeats
       
       @zhuowei Yep, sandbox extensions aren't *that* powerful. A lot of directories are gated behind specific entitlements unfortunately. Still cool, you should be able to give yourself read access to amfid with this however and use MacDirtyCOW on that.
       
Post #AS4Zx02fx4IFpP5VFQ by zhuowei@notnow.dev
       2023-01-27T15:43:15.060797Z
       
       0 likes, 0 repeats
       
       @opa334 I'm not that smart yet (I don't know what to override in amfid): ask me again in a few months. Or are you going to try looking into it? (I'm just trying to follow Ian Beer's comment on how one would exploit this from his proof-of-concept release)
       
Post #AS4ao423qaf7YE6T3Y by opa334@infosec.exchange
       2023-01-27T15:48:09Z
       
       0 likes, 0 repeats
       
       @zhuowei Don't worry, I'm not that smart either. If you really want to neuter amfid it's probably really difficult, you need to find some sort of gadget / chain that you can rebind the libmis verification functions to so that they always return success. Maybe look at the AppSync hooks to get an idea of what needs to be done (Obviously you can't map executable code to amfid so it's much harder). Also I'm unsure what neutering amfid would actually give you, I could be wrong but I think the "CoreEntitlements" iOS 15 feature will restrict things a lot. I'm probably not going to look into this myself, just watching from the side 👀
       
Post #AS4ao4TMD6UqussGbQ by zhuowei@notnow.dev
       2023-01-27T15:52:51.349656Z
       
       0 likes, 0 repeats
       
        @opa334 you can't use this to rebind stuff in dyld cache, only rebind pointers in the executable to things already in the executable/imported by the executable (i.e. write anything in __DATA_CONST / __DATA).

        I updated my proof-of-concept (https://gist.github.com/zhuowei/bc7a90bdc520556fda84d33e0583eb3e); let me know if it works for you. (And thanks for your sandbox generator documentation!)
       
Post #AS4bL3E9rQRSbwUVKS by opa334@infosec.exchange
       2023-01-27T15:57:07Z
       
       1 likes, 0 repeats
       
        @zhuowei Yes, but amfid imports libmis functions and there should be pointers to these functions inside the data segment of amfid.

        I haven't tested or done anything with MacDirtyCOW yet, might do so at some point.
       
Post #AS4bMo6T3w3YHejOyW by zhuowei@notnow.dev
       2023-01-27T15:59:08.868098Z
       
       0 likes, 0 repeats
       
       @opa334 I do not envy your Birdsite mentions when you do...
       
Post #AS7EcGhZIl4tquMsnw by zhuowei@notnow.dev
       2023-01-28T22:28:20.557254Z
       
       0 likes, 0 repeats
       
       @opa334 So should I even try attacking amfid? You mentioned in this thread and on other threads that AMFI/CoreTrust/CoreEntitlements now validates entitlements against provisioning profiles outside of amfid; does this mean that taking over amfid is useless now?