La noticia de la semana y probablemente de lo que va de año, es el lanzamiento del Jailbreak del iOS 6. El grupo de hackers Evad3rs se encargo de juntar al menos 5 vulnerabilidades del nuevo iOS para formar lo que conocemos como un Jailbreak. A través de los años, Apple ha aumentado sus niveles de seguridad en iOS haciendo que los Jailbreaks sean cada vez mas difíciles de lograr. Antiguamente estos Jailbreaks podían ser realizados por 1 sola persona, pero después de tantas trabas de seguridad que Apple ha colocado, los hackers han tenido que juntarse para lograr el objetivo en equipo.
El jailbreak del iOS 6 trajo a la mesa de los hackers nuevos retos y el hacker David Wang (Planetbeing) ha dado una entrevista a Forbes donde explica como lograron hacer el jailbreak y como funciona paso a paso. El lenguaje es bastante técnico por lo que preferí no intentar traducirlo. También, como lo ha resaltado el experto en seguridad, Stefan Esser (i0n1c), algunas de las vulnerabilidades utilizadas en este Jailbreak fueron descubiertas por otros hackers que no forman parte del grupo Evad3rs. El trabajo del grupo Evad3rs ha sido formidable, juntando las vulnerabilidades conocidas y agregando ellos las que faltaban para lograr el objetivo. Esta es la explicación de como funciona el Jailbreak del iOS 6:
«I asked Wang to walk me through how evasi0n works, step by step. Here’s what he told me.
- Evasi0n begins by running libimobiledevice, a program that substitutes for iTunes to communicate with iOS devices via the same protocol as Apple’s program. Using that tool, Evasi0n exploits a bug in iOS’s mobile backup system to gain access to certain settings that it normally shouldn’t be able to access, namely a file that indicates the device’s time zone.
- The jailbreak program inserts a “symbolic link” in that time zone file, a shortcut from one place in an operating system to another. In this case the link leads to a certain “socket,” a restricted communications channel between different programs that Wang describes as a kind of “red telephone to Moscow.” Evasi0n alters the socket that allows programs to communicate with a program called Launch Daemon, abbreviated launchd, a master process that loads first whenever an iOS device boots up and can launch applications that require “root” privileges, a step beyond the control of the OS than users are granted by default. That means that whenever an iPhone or iPad’s mobile backup runs, it automatically grants all programs access to the time zone file and, thanks to the symbolic link trick, access to launchd.
- iOS has another safeguard that would normally prevent any rogue application from gaining access to launchd: Code-signing. That restriction requires that all code run on a device is approved with an unforgeable signature from Apple. So Evasi0n launches a new app that appears to have no code at all–signed or unsigned. But when a user is prompted and taps the app’s icon, it uses a Unix trick called a “shebang” that can summon up code from another, signed application. In this case, it summons up launchd–which it can only access thanks to the socket change it made earlier–and uses it to run a “remount” command that changes the memory settings of the read-only root file system to make it writable.
- Now that the root file system is writable, evasi0n changes a file called launchd.conf that alters the configuration of launchd so that the changes evasi0n makes to it are repeated every time it runs. That’s what will make the jailbreak “persistent”: The user won’t need to re-run the program over a USB cable every time the device boots.
- Even after all those contortions, a device isn’t jailbroken until its restrictions are removed at the “kernel” layer–the deepest part of the operating system that performs the code-signing checks to prevent running unapproved apps using a process called the Apple Mobile File Integrity Daemon. (AMFID) So evasi0n uses launchd to load a library of functions into AMFID every time a program launches that somehow swaps out the function that checks for a code signature for one that always returns an “approved” answer. Wang won’t say exactly how that AMFID-defeating part of the jailbreak works. “Apple can figure that one out for themselves,” he says.
- iOS has yet another safeguard to prevent hackers from altering memory in the operating system kernel: Address Space Layout Randomization, or ASLR. That defensive trick moves the location of device’s code in its flash memory a certain, random distance every time it boots up to stymie anyone who would write over a particular part of the code. But evasi0n uses a memory allocation trick to locate one spot in memory that’s harder to hide in ARM-chip-based devices, known as the ARM exception vector. That part of the kernel handles application crashes, reporting on where in memory they happened. So evasi0n simulates a crash and checks the ARM exception vector to see where the crash occurred, providing just enough information to map out the rest of the kernel in the device’s memory.
- Once it’s beaten ASLR, the jailbreak uses one final bug in iOS’s USB interface that passes an address in the kernel’s memory to a program and “naively expects the user to pass it back unmolested,” according to Wang. That allows evasi0n to write to any part of the kernel it wants. The first place it writes is to the part of the kernel that restricts changes to its code–the hacker equivalent of wishing for more wishes. ”Once you get into the kernel, no security matters any more,” says Wang. “Then we win.”
Si te gusto este articulo y quieres saber mas, sígueme en Twitter y Facebook:
