iPhone 4 / iPad: The Keys Out Of Prison

by Axelle Apvrille
August 5, 2010 at 12:46 am

Unless you’re on a trek in the Himalayas, by now you’ve probably heard one way or another that the infamous “Jailbreakme” website is back to free iPhones (including iPhones 4 running iOS 4.0.1) and iPads: it’s just everywhere on the web, even with videos and tutorials.

However, fewer resources address the technical side of jailbreaking. You might have found out that the online jailbreaking tool relies on a drive-by script exploiting a 0-day vulnerability. We’ll try and provide a few other technical findings below.

First, let’s connect to the site with a proper user-agent (i.e. iPhone’s Safari). It serves a JavaScript file whose interesting part is:

function get_page(){return model==null?null:("/_/"+model+"_"+firmware+".pdf");}

That is to say, the user is automatically redirected to a malicious PDF chosen according to the model of the device and its firmware version.

As directory listing is enabled, we were able to list all the files in the corresponding directory:

(Figure: pdflist, the directory listing of the PDF files, one per device model and firmware version)

The file “iPhone3,1_4.0.pdf”, for instance, features an encoded PDF Type1C font (Compact Font Format) stream that looked suspicious enough for us to decode it (thanks to the excellent pdf-parser tool from Didier Stevens). In the now clear-text stream, we could identify at least one manifest (offset 0xbcd, see below) and an iOS executable (offset 0x1109, we will get back to it later on).

(Figure: xml-manifest, the manifest found at offset 0xbcd of the decoded stream)

Note the large values for IOSurfaceBytesPerRow, IOSurfacePixelFormat, IOSurfaceHeight and IOSurfaceWidth in the manifest above.

The corresponding system API framework is essentially undocumented, but we can easily guess there is an allocation issue in an IOSurface object. As IOSurface objects are handled in kernel space, the process can bypass the usual security restrictions.

It is highly likely this 0-day exploit can be used for other ends than jailbreaking an iPhone/iPod/iPad. Consequently, Will Strafach wrote an iPhone application that detects suspicious PDFs and warns end-users when they are at risk.

As for the binary in the decoded PDF stream, it essentially drives the jailbreaking. The executable starts by checking whether it can access /bin/bash via a BrowserController object (see figure below): if bash is accessible, it concludes the device is already jailbroken and recommends not to jailbreak it again. Otherwise, it considers the device is not jailbroken:

(Figure: BrowserAccess-cut, the /bin/bash accessibility check performed through BrowserController)

If the device is not jailbroken, the executable then downloads hxxp://jailbreakme.modmyi.com/wad.bin into a buffer of type NSMutableData, named wad (itself a member of a class the author called “Dude”). Before going any further, the executable checks that the downloaded wad.bin starts with the four bytes 0x42424242 (‘BBBB’), followed by its length.

The wad.bin file is exactly 3909273 bytes long, i.e. 0x3BA699. This length is stored little-endian in bytes 4, 5, 6 and 7:

$ hexdump -C wad.bin | head
00000000  42 42 42 42 99 a6 3b 00  15 b5 01 00 78 9c ec 7d  |BBBB..;.....x..}|
00000010  0d 9c 54 c5 95 ef bd dd  3d 43 33 34 70 81 46 87  |..T.....=C34p.F.|

This pattern could be used in counter-measures (e.g. Snort signatures) should one wish to block jailbreaking from one’s network. Additionally, it is worth noting that a cookie keeps information regarding the jailbreaking attempts (date and time of access to jailbreakme.com, PDF file downloaded, etc.).

At this point, part of the buffered wad.bin is inflated and written to /tmp/install.dylib on the device. The dynamic library is then opened, and its do_install symbol is called. This is likely where the actual jailbreaking occurs.

Afterwards, the remaining XZ-compressed data contained in wad.bin is uncompressed, which can be reproduced manually (credits to Gecko_UK):

$ dd if=./wad.bin skip=111905 of=./wad.xz bs=1 count=3797368
$ 7zr x wad.xz
$ mv wad wad.tar
$ tar xvf wad.tar
...2009-04-27 16:34 Applications/
...2009-04-27 16:34 Applications/Cydia.app/
...2010-07-30 10:55 Applications/Cydia.app/commercial.png
...2010-08-01 20:52 Applications/Cydia.app/Modes/
...2009-08-09 11:55 Applications/Cydia.app/Modes/REMOVE.png
...2009-08-09 11:55 Applications/Cydia.app/Modes/INSTALL.png
...2010-08-01 20:52 Applications/Cydia.app/Modes/NEW_INSTALL.png -> INSTALL.png
...

And the jailbroken environment (Cydia applications, etc…) is installed on the device.
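As an added example (not code from the article nor from the jailbreak’s authors), here is a Python parser for the wad.bin layout described above, with a constructed sample container to exercise it offline. It assumes bytes 8 to 11 hold the length of the zlib stream: that is an inference from the hexdump (0x1b515 = 111893, and 12 + 111893 = 111905, the dd skip offset of the XZ data), not something the article states.

```python
import lzma
import struct
import zlib

MAGIC = b"BBBB"
HEADER_LEN = 12
# Signature of the sample analysed in the article: magic followed by its length field
KNOWN_WAD_SIGNATURE = b"BBBB\x99\xa6\x3b\x00"

def header_fields(chunk: bytes) -> tuple:
    """Return (total_len, zlib_len) from a wad.bin header, or raise on a bad magic.
    Layout assumed: 'BBBB', total file length (LE32), zlib stream length (LE32)."""
    if len(chunk) < HEADER_LEN or chunk[:4] != MAGIC:
        raise ValueError("missing BBBB magic")
    return struct.unpack_from("<II", chunk, 4)

def parse_wad(data: bytes) -> dict:
    """Validate the header and split the container into install.dylib and wad.tar."""
    total_len, zlib_len = header_fields(data)
    if total_len != len(data):
        raise ValueError(f"length field {total_len} != actual size {len(data)}")
    xz_off = HEADER_LEN + zlib_len
    if xz_off > len(data):
        raise ValueError("zlib length runs past end of file")
    return {"zlib_len": zlib_len, "xz_offset": xz_off,
            "dylib": zlib.decompress(data[HEADER_LEN:xz_off]),  # written to /tmp/install.dylib
            "tar": lzma.decompress(data[xz_off:])}              # wad.tar (Cydia files)

def build_sample_wad(dylib: bytes, tarball: bytes) -> bytes:
    """Constructed container in the same layout, so the parser can be exercised offline."""
    z = zlib.compress(dylib)
    x = lzma.compress(tarball, format=lzma.FORMAT_XZ)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(z) + len(x), len(z)) + z + x

def matches_known_wad(chunk: bytes) -> bool:
    """Cheap IDS-style check for this exact sample (the 'BBBB' pattern plus its length)."""
    return chunk.startswith(KNOWN_WAD_SIGNATURE)

if __name__ == "__main__":
    # First 12 bytes of the article's hexdump, re-typed from the listing above
    total, zlen = header_fields(bytes.fromhex("4242424299a63b0015b50100"))
    print(f"total={total} ({total:#x}), zlib_len={zlen}, xz data at offset {HEADER_LEN + zlen}")
```

Run against the article’s header bytes, the parser recovers 3909273 as total length and 111905 as the start of the XZ data, matching the dd offsets above.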

– the Crypto Girl (Axelle Apvrille) and the Vulnerability Guy (David Maciejak)

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Securing your jailbroken iPhone

by Axelle Apvrille
December 2, 2009 at 9:02 am

Unless you have been cut off from the net this last week, you probably know by now that iPhones are facing their first set of malware (first? well, actually, not quite, as we have already detected spyware for iPhones): it’s just all over the web. Those malware target jailbroken iPhones whose default root password (‘alpine’) hasn’t been changed.

Consequently, most people advise iPhone owners to change root’s password or not to jailbreak their iPhone. This is correct, but it is nonetheless worth adding that:

  • all passwords should be customized: for instance, change the password of the mobile account too (i.e. the default user account).
  • never use a default password, whether it is ‘alpine’ or anything else. iPhones with old firmwares (older than 1.1) use the default password ‘dottie’. True, they are not vulnerable to the worms we encountered, but changing it would be so simple…
  • do not use simple passwords. This is true for PCs, and it is true for iPhones too. It would be easy to modify the worms to brute-force passwords. Incidentally, that’s how Sophos found that iPhoneOS/Eeki.B changes the password to ‘ohshit’. By the way, thanks to Scott McIntyre (xs4all) for sharing his sample with us.

With this in mind, I reached for our lab’s iPhone and placed myself in the situation of a typical iPhone owner trying to secure his device. I turned the iPhone on, disabled wifi, connected the iPhone to a lab PC via USB and set up an SSH tunnel (I like iUSB Tunnel, because it’s simple).

At this stage, either the iPhone hasn’t been compromised and login succeeds with the default password (alpine): please jump to “Changing passwords” below. Or it has been compromised and root’s password has consequently been changed: in that case, logging in with the default password fails.

In that case, I would probably recommend you completely re-install the iPhone, because one never knows what the intruder did to the phone. Remember the intruder had root access to the device and could have done anything.

For now, let’s suppose you decide just to change the passwords, inspect the iPhone and re-install later.

To change a password, the current one is required. If you know the password (‘alpine’ by default, ‘ohshit’ if compromised), then no problem, change the password (jump to ‘Changing passwords’). If you don’t know what the old password is, the easiest solution is to edit /etc/master.passwd with a text editor that runs as root. For instance, install iFile (eu.heinelt.ifile), browse to the /etc directory and open master.passwd for editing.

(Figure: jailbrokeniphone, /etc/master.passwd opened in a root-privileged text editor on the iPhone)

Temporarily reset root’s password to ‘alpine’ (default):

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

Sidenote. I find it quite dangerous that such text editors run with root privileges!

Then, login as root using password alpine and change it. See below.

Changing passwords

As a side note, I realized that picking a good (and secure) password is quite difficult on mobile phones, because even if the iPhone’s virtual keyboard is handy, you usually don’t feel like entering a long and complicated password (e.g. special characters are not immediately accessible on the virtual keyboard). iPhone developers, we’d certainly love to have a thumbprint authentication application, or an application where the password is a few secret gestures on the touchscreen, perhaps like a handwritten signature (but a secret one). Those gestures could translate into a long and complicated key we would not generally need to enter.

Once I had changed the passwords, it occurred to me that, in any case, all login attempts should be logged. I searched /var/log and /var/logs but couldn’t find any log concerning SSH. So, I opened the SSH daemon configuration file (/etc/ssh/sshd_config) and uncommented these lines:

#SyslogFacility AUTH
#LogLevel INFO

I restarted the SSH daemon and logged in again: still no logs! Yes, actually, the iPhone ships with no syslog daemon! So, I downloaded and installed a syslog daemon (com.) and configured /etc/syslog.conf:

*.*;auth.info /var/log/syslog

After restarting syslog and ssh, this time I finally got my logs in /var/log/syslog:

Nov 24 14:29:15 iPhone-de-axelle sshd[6270]: Failed password for mobile from 127.0.0.1 port 56304 ssh2
Nov 24 14:29:18 iPhone-de-axelle sshd[6270]: Accepted password for mobile from 127.0.0.1 port 56304 ssh2

Actually, logs are rather useful before one gets compromised, to see the failed login attempts, because once an intruder has successfully logged in as root, he/she can stop the syslog daemon or erase /var/log/syslog…

Finally, I ought to point out that allowing root login via SSH is usually considered insecure. Disable it in /etc/ssh/sshd_config (and check out the other security options):

PermitRootLogin no
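The two checks this post ends up with, logging of SSH logins and no root login over SSH, can be automated. Below is an added Python example (not from the post or from any iPhone tool) that audits a copy of /etc/ssh/sshd_config against the three settings used here and tallies sshd password authentications from /var/log/syslog; the sample config and the extra log lines are constructed (the first two log lines are the ones shown above).

```python
import re
from collections import Counter

# Values this post recommends in /etc/ssh/sshd_config
WANTED = {"SyslogFacility": "AUTH", "LogLevel": "INFO", "PermitRootLogin": "no"}
# sshd password-authentication lines as they appear in /var/log/syslog
AUTH_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def effective_sshd_settings(config_text: str) -> dict:
    """Active (uncommented) keywords; sshd honours the first occurrence of each."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings.setdefault(parts[0], parts[1])
    return settings

def sshd_config_findings(config_text: str) -> list:
    """Settings differing from WANTED. A keyword present only commented out is
    'unset' and still a finding: sshd then uses its built-in default instead."""
    active = effective_sshd_settings(config_text)
    return [f"{key} should be {want} (found: {active.get(key, 'unset')})"
            for key, want in WANTED.items()
            if active.get(key, "").lower() != want.lower()]

def summarize_auth_log(log_text: str) -> Counter:
    """Count Failed/Accepted password logins per (result, user, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            counts[(m["result"], m["user"], m["ip"])] += 1
    return counts

# Constructed sample: a config with the post's two lines still commented out, the
# post's two log lines, and three invented failed root logins from 192.0.2.10.
SAMPLE_CONFIG = "#SyslogFacility AUTH\n#LogLevel INFO\n#PermitRootLogin yes\n"
SAMPLE_LOG = (
    "Nov 24 14:29:15 iPhone-de-axelle sshd[6270]: Failed password for mobile from 127.0.0.1 port 56304 ssh2\n"
    "Nov 24 14:29:18 iPhone-de-axelle sshd[6270]: Accepted password for mobile from 127.0.0.1 port 56304 ssh2\n"
    + "".join(f"Nov 24 14:3{i}:00 iPhone-de-axelle sshd[63{i}0]: Failed password for root "
              f"from 192.0.2.10 port 4100{i} ssh2\n" for i in range(3)))

if __name__ == "__main__":
    print(*sshd_config_findings(SAMPLE_CONFIG), sep="\n")
    print(summarize_auth_log(SAMPLE_LOG).most_common())
```

On a real device, read the two files into the functions instead of the samples; repeated Failed entries for root from one address are the pattern worth watching before any Accepted line appears.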

– The Crypto Girl (with her iPhone)