The iPhone Wiki - User contributions [en]

MobileBackup Copy Exploit

2010-07-23T18:14:27Z

Comex:

BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path:

Path contains sneaky dots to traverse up outside of the domain: %@

However, for some reason, this check isn't applied when taking alternate code paths for special handling of certain files. For example, a restore to HomeDomain with a path starting with Library/Preferences/SystemConfiguration/ is migrated to the new directory for system configuration, /var/preferences/SystemConfiguration. This bypasses the sneaky dots check, so spirit is able to restore to this path:

Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist

This was fixed in iOS 3.2.1 and 4.0.

[[Category:Exploits]]

MobileBackup Copy Exploit

2010-05-14T23:11:34Z

Comex: New page: BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path: Path contains sneaky dots...

BPF STX Kernel Write Exploit

2010-05-14T23:06:45Z

Comex:

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array:

case BPF_ST:
mem[pc->k] = A;
continue;

case BPF_STX:
mem[pc->k] = X;
continue;

bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX:

/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
p->k >= BPF_MEMWORDS)
return 0;

This allows arbitrary locations on the stack to be modified.

This bug was actually fixed in FreeBSD: http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380

BPF STX Kernel Write Exploit

2010-05-14T23:06:00Z

Comex: New page: bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to th...

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array:

case BPF_ST:
mem[pc->k] = A;
continue;

case BPF_STX:
mem[pc->k] = X;
continue;

bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX:

/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
p->k >= BPF_MEMWORDS)
return 0;
/*

This was actually fixed in FreeBSD: http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380

Talk:Spirit

2010-05-14T22:54:46Z

Comex:

There exists also a tool called [[Spirit Fixer|Spirit Fixer v1.01]], written by [[Kirma]]. Anybody knows what that is? Here's a link: http://twitter.com/elior231/status/13296125900

--[[User:Http|http]] 21:42, 4 May 2010 (UTC)

I'd love to see a technical writeup of everything, although I don't blame you if you don't. I'm lazy about those things too. As far as trying to keep it secret from Apple, I don't feel theres a point, they'll find it no matter what we do.

--[[User:Geohot|geohot]] 14:02, 5 May 2010 (UTC)

I have started reverse engineering Spirit and making some UML(like) data flow and function diagrams. The problem is that I am guessing at too many things since I did not wana post anything and have someone get pissed it was out there. I am up for putting a formal brief together if others want to collaborate. I would imagine as Geohot said, that apple had this disassembled before the .tar was dry. Not to mention that they are not just looking for the exploit that was used (since they most likely had a whiteboard full of potentials during design) , they are looking for copyright violations and their stollen code in every bit of its bits.

--KodeSlinger 16:31, 5 May 2010 (UTC)

Meh, as mentioned on spiritjb.com, once Apple has shown that they've fixed it, the source will be released anyway. - MuscleNerd

@MuscleNerd - I started working on it BS (Before Spirit :) ), to create a centralized location that dynamically maps (HW/FW/SW) physical and logical drawings together. My thought was something like this wiki on crack. Ideally to generate functional diagrams of the idevice that act as a starting point to link to more detailed sections pertaining to that functions exploits, related functions, and source code samples(or any other data). Since I am new to this community I have been trying to organize this data for my own brain, and thought others might use it. I will post some screen shots later. The more organized we are the easier it will be to exploit the next vulnerability.
--[[User:Viper911h|KodeSlinger]] 20:11, 5 May 2010 (UTC)

Oh hah, cool :) If you do that though, obviously you shouldn't go overboard and start publicly discussing variations of this that would help Apple close other holes yet to be exploited (it sounds like your well-versed enough to do that!) - MuscleNerd

@MuscleNerd - Hah; yeah obviously cool kidz only lol --[[User:Viper911h|KodeSlinger]] 21:08, 5 May 2010 (UTC)

== Reversing Spirit ==

I just started reversing Spirit and thought I'd share what I learned so far in hopes of hearing more from others.

Spirit.exe extracts a bunch of files into a temp directory as follows:

<pre>

+ Documents and Settings/<User>/Local Settings/spiritxxx
|
+ - dl
| |
| + - dl.exe
|
+ - igor
| |
| + - 2dcde0a77381d24b7c02ac0cf7f714434c4ccdcf.dylib
| + - 3e404d11fcbd5486d3be2dd86ce21316e1854842.dylib
| + - 74227c0021c5e12effb5bd3175eb469a8df0622e.dylib
| + - b735701843456754988021d128c2671ee36d1b04.dylib
| + - f6c17e934ba0ad477812de0b7cb019396d259d93.dylib
| + - install
| + - map.plist
|
+ - resources
|
+ - 320x480.jpg
+ - 1024x768.jpg
+ - overrides.plist
+ - icon.ico
</pre>

Spirit.exe is simply a GUI wrapper for dl.exe, which does the heavy lifting and is written using the cross-platform library CoreFoundation.dll. Dl.exe uses the iTunes DLL to get access to the iDevice, registering a callback function through AMDeviceNotificationSubscribe. The callback function launches a thread, which uploads 4 files as follows:

# One of the dylibs (depending on the iDevice version?) is uploaded as /var/mobile/Media/spirit/one.dylib
# The Mach-O ARM executable "install" is uploaded as /var/mobile/Media/spirit/install
# The Spirit.exe is uploaded as /var/mobile/Media/spirit/freeze.tar.xz
# One of the jpgs is uploaded as /var/mobile/Media/spirit/bg.jpg

After the files are uploaded, the upload thread signals to the main thread that the files are ready. The main thread then sends over two plists (shown at the end of the log below) via MobileBackup.

As I've only just started looking at this, and I'm also new to the iPhone scene, I have lots of questions.

# Is the MobileBackup interface documented anywhere? Was it used in other jb tools before Spirit?
# Why is Spirit.exe uploaded to the iDevice as freeze.tar.xz?
# What purpose do map.plist and overrides.plist serve?
# What are the two plists sent at the end of the transfer, and how do they allow the "install" image to be executed?
# What does install do to provide an untethered solution?

I'll post more as I learn, but it would be nice to hear if others have made more progress.

-[[User:EnohpiDesrever|EnohpiDesrever]] 16:47, 14 May 2010 (UTC)

# Don't think it's documented.
# Actually, freeze.tar.xz is tacked on to Spirit.exe, after the string 'magicmagicmagicm'. xz is http://tukaani.org/xz/
# One maps firmware version to the dylib that should be uploaded. The other is read by launchd.
# Just look at the contents of overrides.plist and the launchd source. The nefarious part is actually getting that file in the appropriate directory. (Note that overrides is only used for the initial install, because launchd spawns everything at once and the following solution ensures the exploit is run first.)
# By installing itself as /usr/lib/libgmalloc.dylib. To quote saurik: "if you touch the file /var/db/.launchd_use_gmalloc, then the first thing launchd does is set DYLD_INSERT_LIBRARIES to /usr/lib/libgmalloc.dylib and restart itself"

--[[User:Comex|Comex]] 22:54, 14 May 2010 (UTC)