ToothPicker - An In-Process, Coverage-Guided Fuzzer For iOS
2020-11-24 05:30:00 Author: www.blogger.com

<img border="0" height="272" width="640" src="https://1.bp.blogspot.com/-0jtKhKqofOo/X7dc8pMoUeI/AAAAAAAAUcU/tmyiBJ_3FyQFUMHZuMIjGtb4pa4FssGiACNcBGAsYHQ/w640-h272/toothpicker_1_toothpicker.png" />

<p>ToothPicker is an in-process, coverage-guided fuzzer for iOS. It was developed specifically to target iOS's Bluetooth daemon <code>bluetoothd</code> and to analyze various Bluetooth protocols on iOS. As it is built using <a href="https://frida.re/">FRIDA</a>, it can be adapted to target any platform that runs FRIDA.</p>

<p>This repository also includes an over-the-air fuzzer with an exemplary implementation to fuzz Apple's MagicPairing protocol using <a href="https://github.com/seemoo-lab/internalblue">InternalBlue</a>. Additionally, it contains the <code>ReplayCrashFile.py</code> script that can be used to verify crashes the in-process fuzzer has found.</p>

<span style="font-size: large;"><b>In-Process Fuzzer</b></span>

<p>The In-Process Fuzzer works out-of-the-box on various iOS versions (13.3-13.6 tested), but <a href="https://github.com/seemoo-lab/toothpicker/blob/master/harness/symbols.js">symbols need to be specified</a>. Other iOS versions require adapting the function addresses. Additionally, FRIDA's Stalker seems to have some problems with the iPhone 8. On newer iPhones that support <a href="https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html">PAC</a>, performance suffers significantly from signing pointers. Thus, it is recommended to run this on an iPhone 7.</p>

<p><code>ToothPicker</code> is built on the codebase of <a href="https://github.com/demantz/frizzer">frizzer</a>. However, it has been adapted for this specific application and is therefore not compatible with the original version anymore. There are plans to replace this with a more dedicated component in the future.</p>

<b>Prerequisites:</b>

<p><em>On the iPhone</em>:</p>
<ul>
<li><a href="https://frida.re/docs/ios/">https://frida.re/docs/ios/</a></li>
</ul>

<p><em>On Linux</em>:</p>
<ul>
<li><a href="https://github.com/libimobiledevice/usbmuxd">usbmuxd</a></li>
<li><a href="https://github.com/libimobiledevice/libimobiledevice">libimobiledevice</a></li>
<li>Optional but recommended: <a href="https://virtualenv.pypa.io/en/latest/">virtualenv</a></li>
<li><a href="https://gitlab.com/akihe/radamsa">radamsa</a> (needed by frizzer)</li>
</ul>

<p><strong>For Arch-based Linux:</strong></p>
<pre><code># usbmuxd typically comes with libimobiledevice
# but just to be sure, we manually install it as well
sudo pacman -S usbmuxd libimobiledevice python-virtualenv radamsa

# Connect the iPhone to the computer
# Unlock it.
# If a pairing message pops up, click "Trust"
# If no pairing message pops up:
idevicepair pair
# Now there should be the pop up, accept and then again:
idevicepair pair

# In case of connection errors:
sudo systemctl restart usbmuxd
# or pair phone and computer again


# Other useful commands

# To ssh into the iPhone:
# Checkra1n comes with an SSH server listening on Port 44
# Proxy the phone's SSH port to 4444 localport:
iproxy 4444 44
# Connect:
ssh root@localhost -p 4444
# Default password: alpine

# To fetch some device information of the phone:
ideviceinfo</code></pre>

<p><strong>For Debian Linux:</strong></p>
<p>Almost the same as above. Exceptions:</p>
<ul>
<li><code>radamsa</code> needs to be installed from the <a href="https://gitlab.com/akihe/radamsa">git repository</a> because it is not packaged.</li>
<li>The command <code>iproxy</code> requires the additional package <code>libusbmuxd-tools</code>.</li>
</ul>

<p><strong>For macOS</strong>:</p>
<p>Slightly different commands compared to the Arch Linux setup:</p>
<pre><code>brew install libimobiledevice usbmuxd radamsa npm
idevicepair pair
npm install frida-compile
pip3 install frida-tools</code></pre>

<p>On macOS, <em>PacketLogger</em>, which is part of the <a href="https://developer.apple.com/bluetooth/">Additional Tools for Xcode</a>, can decode various packets once the <a href="https://developer.apple.com/bug-reporting/profiles-and-logs/?name=bluetooth">Bluetooth Debug Profile</a> is installed. Moreover, if you open iOS crash logs with <em>Xcode</em>, it will add some symbols.</p>

<b>Setup and Fuzzing</b>

<p><strong>Setup:</strong></p>
<ul>
<li>It is recommended to set up a virtual Python environment for <code>frizzer</code>.</li>
<li>Install the required packages by running in the <code>frizzer</code> directory.</li>
<li>The <code>projects</code> directory contains an example project to fuzz the <code>MagicPairing</code> protocol.</li>
<li>To build the harness, compile the general harness and the specialized <code>MagicPairing</code> harness into one file.</li>
<li><code>cd</code> into the <code>harness</code> directory and install <a href="https://github.com/frida/frida-compile"><code>frida-compile</code></a>. Note that this needs to be run in that folder and can be installed directly as user by running <code>npm install frida-compile</code>.</li>
<li>Now run <code>frida-compile ../projects/YOUR_PROJECT/YOUR_SPECIALIZED_HARNESS.JS -o ../projects/YOUR_PROJECT/harness.js</code>. As this was installed in npm context, it might require running <code>npx frida-compile</code> instead. Each time the harness changes, you need to rerun <code>frida-compile</code>.</li>
</ul>

<p><strong>Fuzzing:</strong></p>
<ul>
<li>Connect an iOS device to your computer.</li>
<li>It is advisable to put the phone in flight mode and turn on the "Do not disturb" feature to limit any other activity on the phone.</li>
<li>Run <code>killall -9 bluetoothd</code> to freshly start <code>bluetoothd</code>.</li>
<li>Make sure the phone does not connect to other Bluetooth devices.</li>
<li>Now, <code>cd</code> back into your project's directory, create the crashlog directory (<code>mkdir crashes</code>) and run <code>../../frizzer/fuzzer.py fuzz -p .</code></li>
<li>Yay! Now collect zero days and obtain large amounts of cash from Apple! (Or collect a huge list of useless NULL-pointer dereferences...)</li>
</ul>

<p>In short, for starting a new project, run:</p>
<pre><code>cd harness
npx frida-compile ../projects/YOUR_PROJECT/YOUR_SPECIALIZED_HARNESS.JS -o ../projects/YOUR_PROJECT/harness.js
cd ../projects/YOUR_PROJECT/
mkdir crashes
frizzer fuzz -p .</code></pre>

<p>You can start with a different seed by using <code>frizzer fuzz --seed 1234 -p .</code>.</p>

<p><strong>Adding new iOS versions:</strong></p>
<p>Currently, different versions of iOS are defined in <code>bluetoothd.js</code>. You can find these with the Ghidra versioning tool given an initial version that has all the required symbols. Note that some of them are not named in the original iOS binary, so ideally start with one that was already annotated before. Each time <code>bluetoothd.js</code> changes, you need to re-run <code>frida-compile</code>.</p>

<p><strong>Increasing bluetoothd capacities:</strong></p>
<p>iOS crash logs are stored in <code>Settings -&gt; Privacy -&gt; Analytics &amp; Improvements -&gt; Analytics Data</code>. If they contain <code>bluetoothd</code> crashes of the pattern <code>bluetoothd.cpu_resource-*.ips</code>, this indicates that the crash was caused by exceeding resource limits. They can be increased as follows.</p>

<p>On an iPhone 7, run:</p>
<pre><code>cd /System/Library/LaunchDaemons/
plistutil -i com.apple.jetsamproperties.D10.plist -o com.apple.jetsamproperties.D10.plist.txt
plistutil -i com.apple.jetsamproperties.D101.plist -o com.apple.jetsamproperties.D101.plist.txt</code></pre>

<p>On an iPhone SE2, these are in <code>com.apple.jetsamproperties.D79.plist</code>:</p>
<pre><code>cd /System/Library/LaunchDaemons/
plistutil -i com.apple.jetsamproperties.D79.plist -o com.apple.jetsamproperties.D79.plist.txt</code></pre>

<p>Search for <code>bluetoothd</code>, update the priority to 19 (highest valid priority) and set the memory limit to something very high. Apply the same changes to both files.</p>
<pre><code>&lt;dict&gt;
 &lt;key&gt;ActiveSoftMemoryLimit&lt;/key&gt;
 &lt;integer&gt;24000&lt;/integer&gt;
 &lt;key&gt;InactiveHardMemoryLimit&lt;/key&gt;
 &lt;integer&gt;24000&lt;/integer&gt;
 &lt;key&gt;EnablePressuredExit&lt;/key&gt;
 &lt;false/&gt;
 &lt;key&gt;JetsamPriority&lt;/key&gt;
 &lt;integer&gt;19&lt;/integer&gt;
&lt;/dict&gt;</code></pre>

<p>Write the changes back and restart <code>bluetoothd</code>.</p>
<pre><code>plistutil -i com.apple.jetsamproperties.D10.plist.txt -o com.apple.jetsamproperties.D10.plist
plistutil -i com.apple.jetsamproperties.D101.plist.txt -o com.apple.jetsamproperties.D101.plist
killall -9 bluetoothd</code></pre>

<p>Respectively on the iPhone SE2:</p>
<pre><code>plistutil -i com.apple.jetsamproperties.D79.plist.txt -o com.apple.jetsamproperties.D79.plist
killall -9 bluetoothd</code></pre>

<p><strong>Deleting old logs:</strong></p>
<p>iOS stops saving crash logs for one program after the limit of 25 is reached. If loading a crash log with Xcode (via Simulators &amp; Devices), some symbols are added to the stack trace. Once the limit is reached, the logs can either be removed via Xcode or directly on the iOS device by deleting them in the folder <code>/var/mobile/Library/Logs/CrashReporter/</code>.</p>

<p><strong>A12+:</strong></p>
<p>Starting from the iPhone XR/Xs, PAC has been introduced. This requires calling <code>sign()</code> on <code>NativeFunction</code> in FRIDA. While this is a no-op on earlier CPUs, it tremendously reduces speed on newer devices, but is required to make them work at all. We observed that <em>ToothPicker</em> operates at half the speed when using an iPhone SE2 instead of an iPhone 7.</p>

<span style="font-size: large;"><b>Over-the-Air Fuzzer and Crash Replay</b></span>

<p>The <code>MagicPairing</code> implementation of the over-the-air fuzzer requires InternalBlue to be installed and can be executed by running <code>python MagicPairingFuzzer.py TARGET_BD_ADDR</code>.</p>

<p>If you want to reproduce crashes, use the <a href="https://github.com/seemoo-lab/toothpicker/blob/master/ota-fuzzer/ReplayCrashFile.py">ReplayCrashFile.py</a> script, which takes a crash file and initiates an over-the-air connection with a payload based on the crash.</p>

<p><b><a href="https://github.com/seemoo-lab/toothpicker">Download Toothpicker</a></b></p>
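The jetsam plist edit described under "Increasing bluetoothd capacities" above, as an added example that is not part of the ToothPicker repository: a Python script that loads a copy of the jetsam properties plist pulled from the phone (binary or XML, so the plistutil conversion step is not needed), applies the page's bluetoothd values to every bluetoothd entry it finds and writes the result back as XML. The nesting in the embedded sample plist is constructed; the recursive search does not rely on any particular layout.

```python
import plistlib
import sys

# Values from the README's bluetoothd <dict> (19 is the highest valid priority).
BLUETOOTHD_OVERRIDES = {
    "ActiveSoftMemoryLimit": 24000,
    "InactiveHardMemoryLimit": 24000,
    "EnablePressuredExit": False,
    "JetsamPriority": 19,
}

def find_bluetoothd(node):
    """Recursively collect every dict stored under a 'bluetoothd' key,
    whatever the nesting of the per-device jetsam sections."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "bluetoothd" and isinstance(value, dict):
                found.append(value)
            else:
                found.extend(find_bluetoothd(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_bluetoothd(item))
    return found

def patch_plist(raw: bytes):
    """Parse a binary or XML plist, apply the overrides to each bluetoothd
    entry and return (patched tree, XML bytes like plistutil's .txt output)."""
    data = plistlib.loads(raw)  # format is auto-detected
    for entry in find_bluetoothd(data):
        entry.update(BLUETOOTHD_OVERRIDES)
    return data, plistlib.dumps(data, fmt=plistlib.FMT_XML)

# Constructed sample in binary form; real jetsam plists nest more sections,
# which the recursive walk handles without knowing the exact layout.
SAMPLE = plistlib.dumps({"Version4": {"Daemons": {
    "bluetoothd": {"ActiveSoftMemoryLimit": 6000, "InactiveHardMemoryLimit": 6000,
                   "EnablePressuredExit": True, "JetsamPriority": 3},
    "wifid": {"JetsamPriority": 3},
}}}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # usage: patch_jetsam.py IN.plist OUT.plist (no args: print patched sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else SAMPLE
    tree, xml = patch_plist(raw)
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(xml)
    else:
        print(xml.decode())
```

Copy the patched XML back to `/System/Library/LaunchDaemons/` (or convert it with `plistutil` first) and run `killall -9 bluetoothd` as the page describes.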

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/403907608938969846