White Paper

By Gabriel Acevedo and Michael Price McAfee® Labs™

The Making of the FOCUS 11 Apple iPad Hack

The Making of the FOCUS 11 Apple iPad Hack2

Table of ContentsMotivation 3

Research 4

The iOS SSL implementation vulnerability 4

The “JailbreakMe” vulnerability 5

The Hack 5

Hardware 5

Software and tools 6

Scenario 7

Attack 8

Results 10

Conclusions 11

Acknowledgements 12

About the Authors 12

3The Making of the FOCUS 11 Apple iPad Hack

In October of last year, McAfee hosted its FOCUS 2011 conference. McAfee Labs offered customers several talks on malware and other threats as well as on myriad security topics. One of the most popular events was the Hacking Exposed keynote, which drew more than 2,000 people. Most of the attendees turned off their laptops, phones, Apple iPads, and other devices when McAfee CTO Stuart McClure announced that his team would perform live hacks at the session. We had seen a lot of buzz on Twitter and other social networks looking forward to the hack that everyone at the conference was talking about. Some skeptics claimed it would not be a live demo, but within moments of the start, people confirmed that the fake FOCUS Wi-Fi hotspot was indeed live.

We aimed a TV camera at our soon-to-be-hacked demo iPad screen so that the attendees could follow along. While McClure loaded Gmail via a secure sockets layer (SSL) connection, we could see the HTTPS URI scheme and the lock icon on Safari. Under the hood, an exploit was loading and installing a secure shell (SSH) server. A few seconds later, the crowd applauded appreciatively as the iPad screen appeared on our VNC remote-control client. The iPad was compromised. We had root access through the Terminal and also graphical access through VNC that allowed us to see what McClure was doing and allowed us to interact with his device. A typical iPad user in this situation would have no clue that we had such powerful control of the system. The victim was not visiting a malicious website, but was simply checking email via a secured connection. How was this hack possible?

In this report we’ll answer that question, as well as explain our research, the problems we faced, and the tools we authored.

(We explain the techniques we used in this report only to provide education and awareness of the facts and security principles involved with these techniques. McAfee does not use and does not endorse using these techniques to violate applicable law or the boundaries of ethical behavior.)

MotivationIn July 2011, a vulnerability in a basic constraint-validation error in iOS SSL certificates validation chain was disclosed by TrustWave’s SpiderLabs.1 Their researchers found it was possible to generate a bogus certificate using another certificate that, although valid, was not meant to be used to generate certificates for other websites. SpiderLabs, however, didn’t provide many details. How complicated was it to reproduce the vulnerability? What uses could attackers make of this vulnerability other than to sniff data meant to be private?

It’s been some time now since the vulnerabilities used by jailbreakme.com (collectively known as JailbreakMe, or JBME) were disclosed. So far, the only public use we have seen for them is at jailbreakme.com. Jailbreaking an Apple device is desirable for many people. However, what some people may not realize is that the JBME technique exploits vulnerabilities to gain control of the device and, as with any other vulnerabilities, these weaknesses could be used for malicious purposes.

What would happen if we were to combine those two vulnerabilities? Is it possible to use them in a sophisticated, silent, and effective attack? Note that the SSL vulnerability was not necessary to perform the hack, but we wanted to prove that even when the victim thinks it is safe, it is still possible to compromise the device. So our idea was to exploit the system while the victim was visiting a bank website, checking email, or making a payment online—all through an SSL connection.

Both of these vulnerabilities have been fixed in recent versions of Apple’s iOS. However, a lot of users have not upgraded for various reasons—from simple ignorance to the fact that they want to jailbreak their devices and install applications not available in the Apple App Store. How many of these users are still vulnerable?

We’ve just posed a lot of questions. In the following sections we shall answer them.

4 The Making of the FOCUS 11 Apple iPad Hack

ResearchThe iOS SSL implementation vulnerability

In July 2011 Paul Kehrer and Gregor Kopf disclosed an input-validation-error vulnerability (CVE-2011-0228) in Apple iOS. The mobile operating system failed to validate the X.509 certificates chain, making it possible for an attacker to capture or modify data protected by SSL/TLS and perform “man in the middle” (MITM) attacks. The vulnerability affected iOS Versions 4.3.4 and earlier for GSM network devices, and Versions 4.2.9 and earlier for CDMA network devices. The researchers notified Apple, which released security updates HT4824 and HT4825 for CDMA devices.2,3 Later, during DEFCON 19, Kehrer revealed more details, including that iOS ignored the X.509 v3 basic constraints extension.4

Certificates issued for root and intermediate entities must include the basic constraints extension with the CA field set to TRUE.5 For example:

X509v3 extensions: 1.3.6.1.4.1.311.20.2: ...C.A X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE

However, for user certificates the CA parameter should be set to FALSE. For example:

X509v3 extensions: X509v3 Basic Constraints: CA:FALSE

The flaw in these versions of iOS allows an attacker to use a legitimate non-CA certificate (CA:FALSE) to sign subsequent certificates for any domain and make the devices accept them without any warning, just like a regular X.509 certificate signed by a valid entity. For example, the following certificate chain will work on iOS Version 4.3.4, but not in patched versions (such as Version 4.3.5):

Root Certificate Intermediate Certificate (CA:TRUE) End User Certificate (CA:FALSE) Some Arbitrary Domain Certificate—Trusted

The basic constraints extension also has an optional parameter: pathlen. This parameter indicates the maximum number of certificates that can appear below this one in the chain. So, considering the example above, if the Intermediate Certificate has the pathlen parameter set to zero, the iOS device will not trust the Some Arbitrary Domain Certificate generated by the End User Certificate. The following certificate chain will not work even on iOS 4.3.4.

Root Certificate Intermediate Certificate (CA:TRUE,pathlen:0) End User Certificate (CA:FALSE) Some Arbitrary Domain Certificate—Not trusted

5The Making of the FOCUS 11 Apple iPad Hack

We came to this conclusion while trying to reproduce this vulnerability. The original advisory said that iOS fails to recognize all the basic constraints, but we concluded that the vulnerable versions would ignore only the CA value.

Therefore, to generate a bogus X.509 certificate to exploit the CVE-2011-0228 vulnerability, the certificate in the chain immediately preceding the certificate that generates the bogus certificate should not include the pathlen parameter—or it should contain a large enough pathlen value.

The “JailbreakMe” vulnerability

JBME is a website that contains a collection of jailbreaks for different versions of iOS. The breaks were designed by comex and take advantage of flaws in Safari and the kernel. The first version was released in 2007 and worked for iPhone and Apple iPod Touch firmware 1.1.1. A second version was released in August 2010 for iOS 4.0.1, and the latest version was released in July 2011. It works for iOS 4.3.3. Apple fixed the vulnerabilities used by JBME in iOS Version 4.3.4.

The July 2011 version of JBME—also known as Saffron—exploits a vulnerability (CVE-2011-0226) in Mobile Safari’s FreeType parser component, using a specially crafted PDF file. The routine in the PDF will construct and load a return-oriented programming payload into the stack and exploit a kernel vulnerability in the IOMobileFrameBuffer IOKit interface (CVE-2011-0227). The routine will then use another payload to modify some kernel functions to disable the code-signing enforcement and gain root privileges. Once the exploitation is complete, an attacker could install unsigned applications such as Cydia and all the apps provided through that system.6

Thousands of people use JBME to jailbreak their devices, to access applications not available on the Apple App Store or to modify settings restricted to regular users. But what people sometimes don’t realize is that their devices are being exploited to allow the jailbreak to succeed.

The HackHardware

We didn’t need much: we used an Apple MacBook Air laptop and a wireless dongle. We used the dongle to roam and find different points from which to launch our demo attack.

The MacBook Air is very handy for conferences, cafés, or airport lounges. A Mac is required to rebuild the malicious PDF. For the rest, it shouldn’t matter what laptop or desktop computer you use, but the operating system should be a Unix-like system such as Mac OS X, Linux, or FreeBSD. These make it easier to forward traffic using a kernel firewall like ipfw or iptables. You will also need some tools that come installed by default on such operating systems.

The Making of the FOCUS 11 Apple iPad Hack6

Software and tools

We used a couple of handy applications to perform the hack. Some were simple scripts, others were sophisticated software such Apache HTTP Server, tools included by default with the operating system, and a few custom applications.

To generate the PDF we needed comex’s star_. It contains all the files to generate the malicious PDF, which requires posixninja’s xpwn tool.7 In that project, you will also find the kernel’s exploit. You will need a custom decrypted iPad’s firmware, or generate your own using xpwn (decryption keys are not always included).8 Using comex’s tools and instructions, we generated the following files:

• PDF: takes initial control of the system • freeze.tar.xz: package contains the files and apps (such as VNC) to be installed • install-3.dylib: dynamic library used during the exploitation• saffron-jailbreak.deb: package contains a series of binaries to bootstrap the installation process

To serve the exploit and apps to the iPad, we used the Apache HTTP Server, known as the Web Sharing component, included in Mac OS X. The web server had to serve content using SSL, so it was necessary to create an SSL certificate for it. We did that using the OpenSSL tool included by default in OS X.

We used tcpdump (included by default in OS X) to verify that the exploit was requested successfully by the iPad. We configured the freeze.tar.xz payload to drop a file in /var/mobile/Media/post-jailbreak, which is executed by the star exploit (if it is present). In that file we included a ping command to our system to let us know when SSH was up. We used tcpdump to verify if the iPad was pinging our laptop.

We needed BSD’s ipfw tool to set some firewall rules on the laptop to redirect the iPad traffic to our MITM tool, iSniff.

iSniff was written by hubert3 and was inspired by Moxie’s sslsniff tool.9 Hubert3’s tool sniffs the SSL traffic by sending fake certificates generated on the fly to the victim. We edited iSniff’s source code to be able to modify the data the victim was sending to the server and vice versa. (iSniff was designed to run on Debian GNU/Linux, so we modified it to work on OS X.)

7The Making of the FOCUS 11 Apple iPad Hack

Scenario

We used the USB wireless interface on our MacBook to connect to the FOCUS Wi-Fi hotspot and the built-in Airport wireless interface to create a hotspot with an SSID name similar to the legitimate network’s name. By coming close to the real thing, our hotspot name might make the victim connect to our network. A simple trick is to take a regular SSID name and make another with a space in front of the name. That makes the imitation hotspot name go on the top of the networks list.

Attackers will normally leave the hotspot open (requiring no password). In this case, however, we added a password so that attendees of our session were not involuntarily hacked.

8 The Making of the FOCUS 11 Apple iPad Hack

Attack

We connected the laptop to the Internet using the wireless dongle, started the web server, and shared the Internet connection through Airport to make the victims believe that we were a free Wi-Fi hotspot.

We opened a couple of tabs in the Mac’s Terminal app. In the first one, we started tcpdump and had it listen on the shared network interface. On the second Terminal tab, we create a couple of firewall rules using ipfw. One rule was particularly helpful:

sudo ipfw add 1013 fwd 127.0.0.1,2000 tcp from any to any 443 recv en1

In this rule, 1013 is the rule number, 127.0.0.1,2000 indicates where the MITM proxy is listening, 443 indicates that we want to intercept connections through the standard port for SSL, and en1 is the network interface through which we are sharing the Internet connection. Next we started the MITM proxy server (iSniff). It’s configured to listen on port 2000.

We watched our victim visit https://mail.google.com on the iPad.

The proxy intercepts the victim’s connection, generates a certificate for the domain name the victim is trying to reach (mail.google.com), sends the certificate to the victim to establish a “secure” connection with the device, and finally impersonates the victim to establish a connection to the final destination.

Because the vulnerable iOS version cannot verify the SSL certificate chain, it trusted the certificate we generated and did not raise any alarms nor return any errors. In this scenario, we saw all the traffic going in and out and we could also modify it.

9

The MITM tool modified the victim’s HTTP request and asked the server for a noncompressed page, making it easier for us to process and modify the returned web page to insert an iframe HTML element just before the HTML’s </body> closing tag.

The iframe contained a web page with a link to load a malicious PDF. We could reduce the size of the iframe to make it almost imperceptible to the user. We could also insert it at the very bottom of the page. In our hack, we kept the size large so the audience could view it on screen.

The PDF file contained a specially crafted FreeType Type 1 font to exploit the Mobile Safari web browser and execute special code to download a payload to the device. The iPad downloaded all of those files (saffron .deb package, freeze.tar.xz, install.dylib) from our local HTTP server. Because we generated an SSL certificate for the domain that pointed to our local machine, the connection remained under SSL while downloading the PDF, making Safari display the lock icon all the time and making the victim feel safe.

In exploiting the victim’s iPad we downloaded a payload that installed the SSH server, VNC, and a couple of dependencies from our HTTP server. JBME would usually install Cydia at this point, but we didn’t want to reveal any signs of an attack, so we modified the JBME star_ code to not create an icon on the desktop nor to install Cydia. We used the postinstall script to remove some of our fingerprints, such as the VNC icon and settings from the iOS System Settings menu. The postinstall script then issued a ping command to let us know that the device was ready and accepting connections on port 22. We detected the ping with tcpdump running on Terminal.

The Making of the FOCUS 11 Apple iPad Hack

10

Results

Next we used SSH to reach the device as root and could do whatever we wanted: read private messages, download private pictures, grab the contact list, install more applications (a keylogger, perhaps), and more.

The Making of the FOCUS 11 Apple iPad Hack

11

We reloaded the iPad’s interface to make the VNC server properly respond to our connections. Then we started our favorite VNC client and connected to the device. We saw everything the victim did on the iPad and even interacted with it.

While we were working under the hood, the victim continued to navigate in Gmail and visit websites, unaware that we had broken into the system and had compromised all its private data.

As soon as the iPad springboard appeared on the screen, our FOCUS audience started to applaud. Some of them approached us to ask questions and in some cases to make sure that we didn’t hack anybody during the conference. Of course, we did not. We just demonstrated what evil people are capable of.

ConclusionsThe Apple iOS is more secure than many other operating systems, but it’s not impenetrable. Vulnerabilities in this operating system and its applications are sometimes discovered. Despite Apple’s marketing efforts to the contrary, we cannot rely solely on the vendor to secure our mobile devices.

The moment we think we are safe, we become vulnerable. For this hack, it didn’t matter whether the victim was using SSL. All we needed was an unaware or unconcerned victim. We tend to think that the security of our systems—and the security of our data, our money, and our online identity—can rely on just a strong password, or a big and expensive firewall (or any other appliance), or a good anti-malware program. Actually, our security relies on a combination of all of these. But the most important thing we need in order to secure ourselves online is awareness. We must be conscious that bad guys are online, that vulnerabilities exist, and that we need to fix or cover them.

The Making of the FOCUS 11 Apple iPad Hack

2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

Sometimes, a single vulnerability seems to be harmless. If you look at each separately, you may think it impossible that someone can use the flaw to break into your device. However, if you put a couple of vulnerabilities together, they can become a serious risk. Also, keep in mind that many good things can be repurposed and turned into bad things. Good tools in the wrong hands can become weapons to break into our systems.

Vulnerabilities are present in most software. We have to stay alert to vendors’ advisories and install patches or take countermeasures to prevent compromise. We can also benefit from security tools that alert us to vulnerable software in our networks.

AcknowledgementsWe thank Stuart McClure for his constant encouragement and Raul Collantes for his help with ideas and reviews.

About the AuthorsGabriel Acevedo is a security researcher in the McAfee Labs office in Santiago, Chile. He researches new and existing vulnerabilities on Microsoft Windows and Unix platforms, security appliance devices, and other systems. Acevedo is part of the McAfee Vulnerability Management Content team (formerly called McAfee Foundstone®), a global team responsible for implementing software checks to detect the presence of vulnerabilities on remote computer systems. He also leads the Mobile Security Working Group, which is part of McAfee Labs, doing collaborative security research on mobile and embedded devices.

Michael Price is the former senior operations manager for McAfee Labs in the Santiago office. While with McAfee, he worked with external entities in Chile and Latin America and promoted technical excellence and innovation. Price is now chief architect for iOS at Appthority, where he researches iOS and application security.

1 Kehrer, Paul. “Trustwave’s SpiderLabs Security Advisory TWSL2011-007,” July 2011. https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt2 Apple. “About the security content of iOS 4.3.5 Software Update for iPhone,” July 2011. http://support.apple.com/kb/HT48243 Apple. “About the security content of iOS 4.2.10 Software Update for iPhone,” July 2011. http://support.apple.com/kb/HT48254 Percoco, Nicholas and Paul Kehrer. “Getting SSLizzard,” August 2011. http://defcon.org/html/defcon-19/dc-19-speakers.html#Percoco5 For more on certificate authorities and certificates, see http://mcaf.ee/2mjdv6 Bédrune, Jean-Baptiste. “Analysis of the jailbreakme v3 font exploit,” July 2011. http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit7 https://github.com/comex/star_8 https://github.com/posixninja/xpwn9 https://github.com/hubert3/iSniff

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

McAfee, the McAfee logo, McAfee Labs, and McAfee Foundstone are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 41724wp_ipad-hack_0212_ETMG