Blog Archives

iPhone: Cracking the Dream

Moore is the man. I have lost count of the number of times I have uttered those words. I am a huge fan of Metasploit and the framework it provides is unrivaled. I recently wrote about the hacking platform that an iPhone provides, noting it would be a great tool for a bad guy. Moore is a man on a mission…

HDM has an updated ARM hack that promises to take over all iPhones, but for now takes over modified iPhones. Techie speak here, English here.

We can store our shellcode at offset 0x12C and patch the return value with 0x0006b400 + 0xA4 to return back to it. A quick test, by setting offset 0x12C to 0xffffffff (an invalid instruction), demonstrates that this works. We have successfully exploited the iPhone libtiff vulnerability using a return-to-libc back to memcpy().

Modified iPhones make this stack/heap overflow easier to accomplish, while “native” iPhones require some additional manipulation to consistently produce the exploit.

This attack exploits libtiff (the TIFF image library in OS X) by writing to the stack the address of a memory location that is writable and then executing the code placed there (a gross oversimplification). The manner in which this exploit is delivered opens the door for other exploits and shows how research into “modifying” the iPhone for freedom from AT&T can be used to 0wn the iPhone!

Metasploit continues to be a great tool for “evaluating” security of just about anything:

While using a hex editor to write this exploit is possible, the Metasploit Framework provides a much easier method of testing different contents for the TIFF file. A working exploit for this flaw (successfully tested on 1.00 and 1.02 firmwares) can be found in the development version of the Metasploit Framework (available via Subversion).


iPhone: Hacker Friendly

When Apple unveiled the new iPhone, hackers, crackers, marketing types, and media outlets alike salivated; oh techno-enthusiasts aka customers too!

It is no surprise that the iPhone has been the center of numerous attempts to crack, hack, subvert, reverse engineer, and otherwise decipher its software, hardware, architecture, and interfaces. After all, the iPhone represents the greatest advancement in phone technology since… hmm, I’ll have to get back to you on that one.

Steve Jobs is quoted in a Fortune magazine article as saying that the iPhone will change the phone industry, and I think he’s right, but I don’t think it has changed in the way he is intending. The hype and appeal of the iPhone is amazing. Security “experts” have been saying for years that mobile devices aka cell phones are the next hacking platform and that these new mobile viruses (virii — eek!) could disrupt or disable entire cellular networks. The iPhone introduces a new twist to the mobile malware argument because the underlying operating system in this case is universally available and accessible. The cute, sophisticated, secure operating system found on those impressive 24″ iMacs, dual-core Intel MacBook Pros, and amazing Mac servers is at the heart of the iPhone.

The bugs, flaws, exploits, and vulnerabilities of Mac OS X have always been minimized or defeated because Mac OS X doesn’t run everything as the Administrator like Microsoft Windows does, according to Apple’s website on Mac OS X security architecture:

Many people find that Windows-based PCs are unusable unless they use the admin account, which exposes their PCs to attack. The Mac OS X default configuration, in contrast, guards against shady characters who could so easily take control of your system. 

eWeek reported that the iPhone apparently runs every program and process with root or Administrator privileges, based on information posted on the Metasploit Official Blog (Metasploit Project). The iPhone apparently mimics the simplicity Microsoft Windows versions enjoyed for years: run everything as Administrator or super-user. Who says Bill Gates’ investment in Apple isn’t paying off!

Now the iPhone can make even more headlines!