opa334/sandbox_extension_generator opa334/sandbox_extension_generator

  • Stars
    star
    117
  • Rank 292,037 (Top 6 %)
  • Language
    C
  • License
    MIT License
  • Created almost 2 years ago
  • Updated almost 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
opa334/sandbox_extension_generator
github

opa334

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

iOS 15.0 - 15.3.1 sandbox escape technique using kernel read/write primitives

Sandbox Extension Generator

A method of generating arbitary sandbox extensions using kernel read/write primitives on iOS 7 - 15.3.1 (patched via PAC in iOS 15.4). Mainly useful for iOS 15.0 - 15.3.1 because many other ways of escaping sandboxes using kernel r/w have been mitigated in iOS 15 on arm64e devices via PAC or PPL.

Sandbox Extensions explained

Sandbox extensions are strings that consists of two parts, here's an example:

2e62aa619da8934a8c6ed37c413fa8e602cb00581f35f0bde3ccf0e910b5cc41;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000007;0000000000000002;01;/

The very first segment (until the first ;) of it is a hash that the kernel generates when the extension is issued and verifies when the extension is attempted to be consumed, this hash is calculated based on the following data:

  • The rest of the string (including the leading ; and the trailing null byte)
  • A 128 bit secret that's generated when the device boots

The rest of the string describes what permissions the sandbox extensions allows when being consumed, in this example it is read/write access to /.

It is also important to note that the second part of the string never changes across reboots, so you can simply generate it once on a jailbroken device and then you have it, the secret is random however and therefore the hash at the beginning of the string changes every reboot.

Note that in iOS 11 and higher it is possible to generate a sandbox extension for a specific pid / audit token instead of generating one that can be consumed by the entire system, in this case the important process information is appended to the second part of the string and is included when the hash at the beginning is generated, this is largely irrelavant here however because this technique allows us to generate what we want, so we can just generate a generic extension instead of a process specific one (which would be more work).

The Problem

As an educated reader may have already realized, this approach is not secure at all. When we have kernel read/write, we can simply read the 128 bit secret and then replicate the kernel hashing code to generate the sandbox extensions without calling the kernel. That's whats demonstrated in this project.

The hmac_sha256 kernel function is responsible for generating the hash and is called by syscall_extension_issue and syscall_extension_consume. It uses some arm64 neon instructions which were very hard to replicate but I did end up finding the right header to do it. Other than that, reimplementing the hmac_sha256 function is straight forward. I have called it hmac_sha256_secret in this project because it uses the secret passed to it instead of the global variable.

Offsetless Approach

Because finding the offset of the "secret" kernel variable for every single device / iOS version combination is tedious, it is possible to dump the entire kernel __DATA:__bss section and try every single global variable until we find the secret and sandbox_extension_consume returns 1. This allows this technique to work without any hardcoded offsets. It only took about 0.1 seconds to find the offset on my iPhone 13 Pro.

The Patch

On arm64e devices running 15.4 and above, the kernel now adds a generic PAC key to the extension hash which we cannot replicate in our userspace process, meaning that this technique no longer works.

Is this useful for jailbreaking?

Unfortunately, not really. All you can technically do with this is:

  • Give yourself permission to read/write to / (See sandbox_extension_issue_file)
  • Give yourself permission to open an IOKit user client or registry entry otherwise not permitted by sandbox (See sandbox_extension_issue_iokit_registry_entry_class, sandbox_extension_issue_iokit_user_client_class)
  • Give yourself permission to contact a mach service otherwise not permitted by sandbox (See sandbox_extension_issue_mach)
  • Give yourself permission to contact a posix ipc service otherwise not permitted by sandbox (See sandbox_extension_issue_posix_ipc)
  • Give yourself a generic sandbox extension permission, not really sure what that means, wasn't able to find much on it (See sandbox_extension_issue_generic)

This technique therefore only allows you to expand your attack vector to userspace processes and to access the file-system.

Compilation

In order for this file to compile, you will need to replace the -[KernelManager readBufferAtAddress:intoBuffer:withLength:] calls with your own kread_buf function.

More Repositories

1

TrollStore

Jailed iOS app that can install IPAs permanently with arbitary entitlements and root helpers because it trolls Apple
Objective-C
15,417
star
2

Dopamine

Dopamine is a semi-untethered jailbreak for iOS 15 and 16
C
2,545
star
3

SafariPlus

Tweak for iOS App "Safari" - Various enhancements
Objective-C++
389
star
4

opa334.github.io

Cydia Repo
HTML
280
star
5

Choicy

Advanced tweak configurator for iOS 10 and up
Objective-C
268
star
6

ChOma

C library for manipulating MachO/FAT files and their code signatures
C
181
star
7

TrollNonce

Boot nonce utility for TrollStore (15.0 - 15.5b4)
Objective-C
175
star
8

opainject

iOS runtime dylib injection tool
Objective-C
130
star
9

CCSupport

Support tweak for CC modules!
Logos
104
star
10

u0Launcher

Launches unc0ver in a way that works when it's installed through TrollStore
Objective-C
85
star
11

AltList

A modern AppList alternative
Objective-C
77
star
12

IGSideloadFix

Fix crash on login when Instagram is installed via sideloading (iOS)
Logos
74
star
13

libSandy

Securely extend the sandbox of system processes and user applications
Objective-C
70
star
14

xnuspy_syscall_logger

Log all syscalls executed by a process (iOS / checkra1n / xnuspy)
C
53
star
15

libundirect

Patchfinder and rebinder for objc_direct methods
Objective-C
49
star
16

libroot

Standardized API to get root path on iOS jailbreaks
C
38
star
17

Presentations

30
star
18

NotRecording

Spoof screen recording detection!
Objective-C
29
star
19

futurerestore-compile-windows

MSYS2 script to compile futurerestore and all of it's dependencies for Windows (dynamically and statically)
Shell
28
star
20

Downloadally

Tweak for iOS App "TikTok" - Adds a download button
Logos
22
star
21

TimeBomb

Spinlock panic with ease!
Logos
22
star
22

powerlogHelperdFix

Block tweak injection into powerlogHelperd, fixes issues on iOS 13
Makefile
19
star
23

FLEXSimject

Open Flex in iOS Simulator (Alt+F)
Logos
18
star
24

CCSupportTemplates

Templates and headers for module development
Objective-C
16
star
25

CCSupportExamples

Some example modules
Objective-C
15
star
26

XPF

XNU Patch Finder (based on ChOma)
C
15
star
27

WatchdogDisabler

Disables app launch watchdog timeouts
Makefile
13
star
28

WhitePointModule

Control Center Module to toggle "Reduce White Point" with the ability to change the intensity
Objective-C
12
star
29

ChoicyLoader

Hacky workaround to always load Choicy first
Objective-C
10
star
30

NoSubstitute12

Disable Substitute on a per app basis (DEPRECATED, use Choicy)
Logos
9
star
31

syscallintercept

an attempt to intercept syscalls for iOS applications that is unfinished and works only partially
Logos
8
star
32

SliceFixup

Tool to remove unsupported arm64e slice from a dylib based on the iOS version
Objective-C
7
star
33

Crane-Resources

Objective-C
7
star
34

CCCleaner

Cleaning Tool for Control Center related System Files
Objective-C++
6
star
35

FastSafariPW

1Password / LastPass Shortcut Buttons inside Toolbar
Logos
6
star
36

SaveVideoDialog

Alert to prevent a recorded video from being saved
Logos
3
star
37

TerraSmart

C++
2
star