API functions, Stage 2 calls a subroutine (identified in this report as initialize) that in turn calls several other subroutines, each of which is responsible for loading additional API functions in addition to performing various startup tasks.

The grouping of the API functions being loaded (in terms of which API functions are loaded by which Stage 2 functions) and the fact that several API functions are loaded multiple times suggest that the API loading is specific to individual components or operations of the Stage 2 binary. For instance, as discussed later, a pair of functions is responsible for decompressing the jailbreak files, changing their permissions via chmod, and positioning the files in the correct location on the victim's iPhone. The API functions responsible for these operations are all loaded by a self-contained function. The loading function only loads those API functions that are necessary for the described operations, and the resolved APIs are not shared with any other part of the Stage 2 system.
The analysis of Stage 2 was also made somewhat easier by the heavy use of debug logging throughout the binary. Calls to the logging subsystem generally reference the original file names used by the exploit developers. The presence of this debugging code discloses the presence of at least the following individual modules (or subsystems):

1. fs.c - Loads API functions related to file and file system management such as ftw, open, read, rename, and mount
2. kaslr.c - Loads API functions such as IORegistryEntryGetChildIterator, IORegistryEntryGetProperty, and IOServiceGetMatchingService that relate to finding the address of the kernel using a vulnerability in the io_service_open_extended function
3. bh.c - Loads API functions that relate to the decompression of next-stage payloads and their proper placement on the victim's iPhone, using functions such as BZ2_bzDecompress, chmod, and malloc
4. safari.c - Loads API functions such as sync, exit, and strcpy that are used for clearing Safari cache files and terminating the Safari process. This cleanup is required for the case where we succeed and exit cleanly, as the Safari crash cleanup (described in the Stage 1 writeup) will never occur.

These artifacts suggest that the Stage 2 binary is based on a modular design philosophy or, at the very least, is made up of various library source code files that are ultimately tied together to form the Stage 2 binary. The various components that make up the Stage 2 exploit were likely designed to be reused across multiple iOS exploit chains.
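The per-module API attribution described above can be automated once an analyst has dumped, for each loader function, the source file name referenced by its logging calls and the API names it resolves. The following is an added example written for this page, not code from the report or its authors; the "module: api, api" dump layout is a constructed one, and the extra `open` entries under bh.c and safari.c are constructed to show how APIs resolved by more than one module are flagged.

```python
"""Group dynamically resolved API names by the source module that loads them.

Added example, not code from the Pegasus report. It assumes the analyst has
already extracted, per loader function, the original .c file name referenced
by its logging calls plus the API names resolved there; the line format is a
constructed one chosen for this example.
"""
from collections import defaultdict
import re

# Constructed sample: "<source file>: <api>, <api>, ..." per loader function,
# mirroring the module/API pairing described in the report. The 'open'
# entries under bh.c and safari.c are constructed to exercise shared_apis().
SAMPLE_DUMP = """\
fs.c: ftw, open, read, rename, mount
kaslr.c: IORegistryEntryGetChildIterator, IORegistryEntryGetProperty, IOServiceGetMatchingService
bh.c: BZ2_bzDecompress, chmod, malloc, open
safari.c: sync, exit, strcpy, open
"""

LINE_RE = re.compile(r"^\s*(?P<module>[\w.-]+\.c)\s*:\s*(?P<apis>.+?)\s*$")


def parse_loader_dump(text):
    """Return {module: [api, ...]} preserving the order APIs were resolved."""
    modules = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not name a source module
        for api in m.group("apis").split(","):
            api = api.strip()
            if api and api not in modules[m.group("module")]:
                modules[m.group("module")].append(api)
    return dict(modules)


def shared_apis(modules):
    """APIs resolved independently by more than one module: the 'loaded
    multiple times' pattern that points at per-component, non-shared loading."""
    owners = defaultdict(set)
    for module, apis in modules.items():
        for api in apis:
            owners[api].add(module)
    return {api: sorted(mods) for api, mods in owners.items() if len(mods) > 1}


if __name__ == "__main__":
    mods = parse_loader_dump(SAMPLE_DUMP)
    for module, apis in mods.items():
        print(f"{module}: {', '.join(apis)}")
    print("resolved by more than one module:", shared_apis(mods))
```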
Environment Setup and Platform Determination

After initialize completes, Stage 2 calls a function that registers a global callback function that is invoked whenever Stage 2 terminates due to an error. Based on the filename supplied in the writeLog call, the function is most likely an assert-style callback.