  • Stars: 122
  • Rank: 292,031 (Top 6 %)
  • Language: C
  • License: MIT License
  • Created over 2 years ago
  • Updated over 2 years ago


Repository Details

iOS 15.0 - 15.3.1 sandbox escape technique using kernel read/write primitives

Sandbox Extension Generator

A method of generating arbitrary sandbox extensions using kernel read/write primitives on iOS 7 - 15.3.1 (patched via PAC in iOS 15.4). It is mainly useful for iOS 15.0 - 15.3.1, because many other ways of escaping the sandbox with kernel r/w have been mitigated in iOS 15 on arm64e devices via PAC or PPL.

Sandbox Extensions explained

Sandbox extensions are strings that consist of two parts. Here's an example:

2e62aa619da8934a8c6ed37c413fa8e602cb00581f35f0bde3ccf0e910b5cc41;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000007;0000000000000002;01;/

The very first segment (everything up to the first ;) is a hash that the kernel generates when the extension is issued and verifies when a process attempts to consume the extension. The hash is calculated over the following data:

  • The rest of the string (including the leading ; and the trailing null byte)
  • A 128 bit secret that's generated when the device boots

The rest of the string describes what the sandbox extension grants when it is consumed; in this example it is read/write access to /.

It is also important to note that the second part of the string never changes across reboots, so you can generate it once on a jailbroken device and reuse it. The secret, however, is random, so the hash at the beginning of the string changes on every reboot.

Note that on iOS 11 and higher it is possible to generate a sandbox extension for a specific pid / audit token instead of one that can be consumed by the entire system. In that case the relevant process information is appended to the second part of the string and is included in the hash at the beginning. This is largely irrelevant here, however, because this technique lets us generate whatever we want, so we can simply generate a generic extension instead of a process-specific one (which would be more work).
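To make the two-part format concrete, here is a small parser for the extension string shown above. This is an added example for this page, not code from the Sandbox Extension Generator project. It relies only on what the README states: the first ;-separated segment is the 32-byte keyed hash, everything after it (with its leading ; and a trailing NUL) is the hashed data, and that remainder names an extension class and a target such as a path. The README does not document the numeric fields, so the parser carries them through unparsed, and locating the class segment by its reverse-DNS shape is an assumption of this example.

```python
"""Parse the two-part sandbox extension string format described above.

Added example for this page; not code from the Sandbox Extension Generator
project. Field meanings beyond the hash token, the extension class and the
target are not documented in the README, so they are kept as opaque strings.
"""
from dataclasses import dataclass, field
from typing import List

# Example string from the README: read/write access to "/".
EXAMPLE_EXTENSION = (
    "2e62aa619da8934a8c6ed37c413fa8e602cb00581f35f0bde3ccf0e910b5cc41"
    ";00;00000000;00000000;00000000;0000000000000020"
    ";com.apple.app-sandbox.read-write;01;01000007;0000000000000002;01;/"
)

HASH_HEX_LEN = 64  # SHA-256 digest is 32 bytes, i.e. 64 hex characters


@dataclass
class SandboxExtension:
    token: str             # first segment: hash keyed with the per-boot secret
    payload: str           # the rest of the string, including its leading ';'
    extension_class: str   # e.g. com.apple.app-sandbox.read-write
    target: str            # last field, here a filesystem path
    fields: List[str] = field(default_factory=list)  # post-token segments, unparsed


def parse_sandbox_extension(ext: str) -> SandboxExtension:
    """Split an extension string into the hash token and the hashed payload."""
    token, sep, rest = ext.partition(";")
    if not sep:
        raise ValueError("extension string has no ';' separator, so no payload")
    if len(token) != HASH_HEX_LEN or not all(c in "0123456789abcdef" for c in token):
        raise ValueError("first segment is not a 64-character lowercase hex digest")
    fields = rest.split(";")
    # Assumption of this example: the extension class is the single segment
    # written as a reverse-DNS style name; the README does not give it a
    # fixed position, so it is located by shape rather than by index.
    classes = [f for f in fields if f.startswith("com.apple.")]
    if len(classes) != 1:
        raise ValueError("expected exactly one extension class segment")
    return SandboxExtension(
        token=token,
        payload=";" + rest,
        extension_class=classes[0],
        target=fields[-1],
        fields=fields,
    )


def hashed_bytes(ext: str) -> bytes:
    """The bytes the README says the kernel hashes: the payload with its
    leading ';' followed by the trailing NUL. The per-boot secret is the other
    input to the hash and is not recoverable from the string itself."""
    return parse_sandbox_extension(ext).payload.encode("ascii") + b"\x00"


def grants_same_thing(a: str, b: str) -> bool:
    """True when two strings differ only in the token, i.e. they are the same
    extension issued under different boot secrets."""
    return parse_sandbox_extension(a).payload == parse_sandbox_extension(b).payload


if __name__ == "__main__":
    parsed = parse_sandbox_extension(EXAMPLE_EXTENSION)
    print("class :", parsed.extension_class)
    print("target:", parsed.target)
    print("hashed:", hashed_bytes(EXAMPLE_EXTENSION))
```

Running the file prints the class and target of the README's example and the exact byte sequence (payload plus NUL) that the per-boot secret keys; grants_same_thing shows why two strings with different tokens can still be the same grant.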

The Problem

As an educated reader may have already realized, this approach is not secure at all. With kernel read/write, we can simply read the 128 bit secret and then replicate the kernel hashing code to generate sandbox extensions without calling into the kernel. That's what is demonstrated in this project.

The hmac_sha256 kernel function is responsible for generating the hash and is called by syscall_extension_issue and syscall_extension_consume. It uses some arm64 NEON instructions which were very hard to replicate, but I did end up finding the right header to do it. Other than that, reimplementing the hmac_sha256 function is straightforward. I have called it hmac_sha256_secret in this project because it uses the secret passed to it instead of the global variable.

Offsetless Approach

Because finding the offset of the "secret" kernel variable for every single device / iOS version combination is tedious, it is instead possible to dump the entire kernel __DATA:__bss section and try every global variable as the secret until sandbox_extension_consume returns 1. This allows the technique to work without any hardcoded offsets. It only took about 0.1 seconds to find the offset on my iPhone 13 Pro.

The Patch

On arm64e devices running 15.4 and above, the kernel now adds a generic PAC key to the extension hash which we cannot replicate in our userspace process, meaning that this technique no longer works.

Is this useful for jailbreaking?

Unfortunately, not really. All you can technically do with this is:

  • Give yourself permission to read/write to / (See sandbox_extension_issue_file)
  • Give yourself permission to open an IOKit user client or registry entry otherwise not permitted by sandbox (See sandbox_extension_issue_iokit_registry_entry_class, sandbox_extension_issue_iokit_user_client_class)
  • Give yourself permission to contact a mach service otherwise not permitted by sandbox (See sandbox_extension_issue_mach)
  • Give yourself permission to contact a posix ipc service otherwise not permitted by sandbox (See sandbox_extension_issue_posix_ipc)
  • Give yourself a generic sandbox extension permission, not really sure what that means, wasn't able to find much on it (See sandbox_extension_issue_generic)

This technique therefore only allows you to expand your attack vector to userspace processes and to access the file-system.

Compilation

In order for this file to compile, you will need to replace the -[KernelManager readBufferAtAddress:intoBuffer:withLength:] calls with your own kread_buf function.

More Repositories

  • TrollStore (Objective-C, 17,532 stars): Jailed iOS app that can install IPAs permanently with arbitrary entitlements and root helpers because it trolls Apple
  • Dopamine (C, 3,306 stars): Dopamine is a semi-untethered jailbreak for iOS 15 and 16
  • SafariPlus (Objective-C++, 438 stars): Tweak for iOS App "Safari" - Various enhancements
  • Choicy (Objective-C, 333 stars): Advanced tweak configurator for iOS 10 and up
  • opa334.github.io (HTML, 312 stars): Cydia Repo
  • ChOma (C, 307 stars): C library for manipulating MachO/FAT files and their code signatures
  • opainject (Objective-C, 198 stars): iOS runtime dylib injection tool
  • TrollNonce (Objective-C, 176 stars): Boot nonce utility for TrollStore (15.0 - 15.5b4)
  • CCSupport (Logos, 116 stars): Support tweak for CC modules!
  • AltList (Objective-C, 103 stars): A modern AppList alternative
  • u0Launcher (Objective-C, 95 stars): Launches unc0ver in a way that works when it's installed through TrollStore
  • libSandy (Objective-C, 79 stars): Securely extend the sandbox of system processes and user applications
  • IGSideloadFix (Logos, 79 stars): Fix crash on login when Instagram is installed via sideloading (iOS)
  • libroot (C, 68 stars): Standardized API to get root path on iOS jailbreaks
  • Presentations (66 stars)
  • xnuspy_syscall_logger (C, 57 stars): Log all syscalls executed by a process (iOS / checkra1n / xnuspy)
  • libundirect (Objective-C, 50 stars): Patchfinder and rebinder for objc_direct methods
  • NotRecording (Objective-C, 36 stars): Spoof screen recording detection!
  • XPF (C, 34 stars): XNU Patch Finder (based on ChOma)
  • futurerestore-compile-windows (Shell, 32 stars): MSYS2 script to compile futurerestore and all of its dependencies for Windows (dynamically and statically)
  • Downloadally (Logos, 23 stars): Tweak for iOS App "TikTok" - Adds a download button
  • TimeBomb (Logos, 23 stars): Spinlock panic with ease!
  • powerlogHelperdFix (Makefile, 20 stars): Block tweak injection into powerlogHelperd, fixes issues on iOS 13
  • WatchdogDisabler (Makefile, 20 stars): Disables app launch watchdog timeouts
  • FLEXSimject (Logos, 19 stars): Open Flex in iOS Simulator (Alt+F)
  • CCSupportExamples (Objective-C, 18 stars): Some example modules
  • CCSupportTemplates (Objective-C, 16 stars): Templates and headers for module development
  • litehook (15 stars): Lightweight *OS hooking library with no dependencies except for libsystem
  • WhitePointModule (Objective-C, 13 stars): Control Center Module to toggle "Reduce White Point" with the ability to change the intensity
  • ChoicyLoader (Objective-C, 11 stars): Hacky workaround to always load Choicy first
  • syscallintercept (Logos, 11 stars): An attempt to intercept syscalls for iOS applications that is unfinished and works only partially
  • NoSubstitute12 (Logos, 10 stars): Disable Substitute on a per app basis (DEPRECATED, use Choicy)
  • Crane-Resources (Objective-C, 10 stars)
  • SliceFixup (Objective-C, 8 stars): Tool to remove unsupported arm64e slice from a dylib based on the iOS version
  • CCCleaner (Objective-C++, 8 stars): Cleaning Tool for Control Center related System Files
  • FastSafariPW (Logos, 7 stars): 1Password / LastPass Shortcut Buttons inside Toolbar
  • SaveVideoDialog (Logos, 4 stars): Alert to prevent a recorded video from being saved
  • TerraSmart (C++, 4 stars)