
Comments (5)

coolstar commented on June 12, 2024

libproc is now used to check for xpcproxy in 0efc63b

from electra.

littlelailo commented on June 12, 2024

I would like to add:

  • check if env is really set, instead of segfaulting when it's not.
  • fix the race condition against unlink/open for /var/tmp/jailbreakd.pid, because it lets you create a file with controlled content (pid) anywhere on the disk (fopen will follow symlinks). Because of the exit command an attacker would have unlimited tries.
  • lock the process list when we are doing stuff with it, because this would fix a vuln in the new setuid command, where an attacker could use the pid reuse attack to gain higher privileges.

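
The symlink race in the second bullet above, as an added example that is not jailbreakd's code: a pid-file writer built on fopen(), which follows whatever is planted at the path, next to a hardened version that creates the file with O_CREAT|O_EXCL|O_NOFOLLOW and checks the opened object with fstat() on the descriptor instead of stat() on the path. The function names, the scratch paths and the pid values are this example's own.

```c
/* Added example, not jailbreakd's code: the pid-file symlink race and a fix.
 * Function names and paths are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fopen(path, "w") follows a symlink, so an attacker who
 * plants /var/tmp/jailbreakd.pid -> /some/target gets /some/target created
 * (or truncated) with the pid as content, using the daemon's privileges. */
int write_pidfile_unsafe(const char *path, pid_t pid) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fprintf(f, "%d\n", (int)pid) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST on any existing name, a symlink
 * included (dangling or not), O_NOFOLLOW rejects a symlink at the last
 * component, and fstat() on the descriptor checks the object we actually
 * opened rather than whatever the path resolves to a moment later. */
int write_pidfile_safe(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Read a pid file back without following a symlink at its path. */
pid_t read_pidfile(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    char buf[32] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 ? (pid_t)atoi(buf) : -1;
}

/* Stand-alone demo in a scratch directory: plant a symlink where the pid file
 * goes and show which writer creates the link's target. */
int main(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char lnk[128], target[128];
    snprintf(lnk, sizeof lnk, "%s/jailbreakd.pid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) return 1;

    printf("unsafe: %d, target exists: %d\n",
           write_pidfile_unsafe(lnk, getpid()), access(target, F_OK) == 0);
    unlink(target);
    printf("safe:   %d (%s), target exists: %d\n",
           write_pidfile_safe(lnk, getpid()), strerror(errno),
           access(target, F_OK) == 0);

    unlink(lnk);
    rmdir(dir);
    return 0;
}
```

The O_EXCL check also closes the "unlimited tries" angle: once the daemon has created its own regular file, a later attempt to re-create it fails instead of silently reopening whatever now sits at that name. Deleting the file on exit should likewise go through a descriptor obtained this way, not a fresh path lookup.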

stek29 commented on June 12, 2024

Speaking of locking process list -- kexecute to proc_find should fix it and speed up process finding in general.

About the race condition and the pid file -- we can actually use a better way of signaling about it being ready -- after #43.


littlelailo commented on June 12, 2024

kexecute to proc_find should fix

I thought about locking while we execute the whole command; when we only lock while we are looking for the process, we are still vulnerable. The attacker would simply spawn a setuid binary which is killable by the user. Then it would wrap the pid around and, right before it reaches the setuid binary's pid, it would signal jdb to do the setuid fixup and then kill the setuid binary. If the kill happens after the proc_pidpath, but before the change of the svuid field, the race is won. Pulling off such an attack is not that difficult, because max pid is (at least on most Linux systems) 32768.

I am also worried about another thing:
Is proc_pidpath really secure? Because when I tested it, it didn't look like it:

[20:10:20] ~<PATH>$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <libproc.h>

/* Print the executable path libproc reports for the pid given on the command line. */
int main (int argc, char* argv[])
{
        pid_t pid; int ret;
        char pathbuf[PROC_PIDPATHINFO_MAXSIZE];

        if ( argc > 1 ) {
                pid = (pid_t) atoi(argv[1]);
                /* proc_pidpath() returns the path length, or 0 on failure with errno set */
                ret = proc_pidpath (pid, pathbuf, sizeof(pathbuf));
                if ( ret <= 0 ) {
                        fprintf(stderr, "PID %d: proc_pidpath ();\n", pid);
                        fprintf(stderr, "    %s\n", strerror(errno));
                } else {
                        printf("proc %d: %s\n", pid, pathbuf);
                }
        }

        return 0;
}
[20:10:23] ~<PATH>$ cat 1.c
#include <stdio.h>

/* Block on stdin so the process stays alive while its binary is removed and recreated. */
int main() {
        getchar();
}
[20:10:26] ~<PATH>$ gcc test.c -o test
[20:10:29] ~<PATH>$ gcc 1.c -o 1
[20:10:33] ~<PATH>$ echo "Now start ./1 in another window"
Now start ./1 in another window
[20:10:37] ~<PATH>$ ps aux | grep "./1"
Felix             1408   0,3  0,0  2432804    768 s002  S+    8:10pm   0:00.00 grep ./1
Felix             1314   0,0  0,0  2432788    648 s001  S+    8:10pm   0:00.00 ./1
[20:10:46] ~<PATH>$ ./test 1314
proc 1314: /Users/Felix<PATH>/1
[20:10:57] ~<PATH>$ rm 1
[20:11:03] ~<PATH>$ ./test 1314
PID 1314: proc_pidpath ();
    No such file or directory
[20:11:04] ~<PATH>$ touch 1
[20:11:13] ~<PATH>$ ./test 1314
proc 1314: /Users/Felix<PATH>/1
[20:11:14] ~<PATH>$ ps aux | grep "./1"
Felix             1422   0,3  0,0  2423384    244 s002  U+    8:11pm   0:00.00 grep ./1
Felix             1314   0,0  0,0  2432788    648 s001  S+    8:10pm   0:00.00 ./1
[20:11:26] ~<PATH>$

Because when it behaves like this on iOS too, an attacker could create some binary which, after it has been spawned, deletes itself and then tricks a root service into creating a binary with the same name under the same path and setting the setuid bit on it. Then when the setuid fixup command is called, proc_pidpath would return the path to the binary and lstat would detect it as a setuid binary owned by root.

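
Binding a pid to the process's start time, as an added example that is not jailbreakd's or libjb's code, shows the userland half of a mitigation for the pid-reuse race described in the comment above: snapshot the identity of the target process once, then re-verify it immediately before the privileged step, so a pid that has been recycled in between no longer passes. It uses proc_pidinfo(PROC_PIDTBSDINFO) on macOS/iOS and /proc/<pid>/stat on Linux; the struct and function names are this example's own. It does not replace the process-list locking the comment asks for, since the kernel-side fixup can still act on a stale proc between the check and the write, and it does nothing for the deleted-and-recreated binary case, where the process identity is unchanged and only the file on disk differs.

```c
/* Added example, not jailbreakd's code: bind a pid to the process start time so
 * a privileged action for "pid N" can be re-verified before it happens.
 * Struct and function names are this example's own. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __APPLE__
#include <libproc.h>
#include <sys/proc_info.h>
#endif

struct proc_identity {
    pid_t pid;
    unsigned long long start_sec;   /* macOS: seconds since the epoch; Linux: clock ticks since boot */
    unsigned long long start_usec;  /* macOS: microsecond part; Linux: always 0 */
};

/* Snapshot the identity of `pid`. Returns 0, or -1 if there is no such process. */
int proc_identity_get(pid_t pid, struct proc_identity *out) {
#ifdef __APPLE__
    struct proc_bsdinfo bi;
    if (proc_pidinfo(pid, PROC_PIDTBSDINFO, 0, &bi, sizeof bi) != (int)sizeof bi)
        return -1;
    out->pid = pid;
    out->start_sec = bi.pbi_start_tvsec;
    out->start_usec = bi.pbi_start_tvusec;
    return 0;
#else
    /* Field 22 of /proc/<pid>/stat is starttime. The comm field is wrapped in
     * parentheses and may contain spaces, so parse from the last ')' onward. */
    char path[64], buf[2048];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (n == 0) return -1;
    buf[n] = '\0';
    char *p = strrchr(buf, ')');
    if (!p) return -1;
    int field = 3;  /* the first token after ')' is field 3, the state */
    for (char *tok = strtok(p + 1, " "); tok; tok = strtok(NULL, " "), field++) {
        if (field == 22) {
            out->pid = pid;
            out->start_sec = strtoull(tok, NULL, 10);
            out->start_usec = 0;
            return 0;
        }
    }
    return -1;
#endif
}

int proc_identity_same(const struct proc_identity *a, const struct proc_identity *b) {
    return a->pid == b->pid && a->start_sec == b->start_sec &&
           a->start_usec == b->start_usec;
}

/* Call this right before the privileged step: a pid recycled since the
 * snapshot carries a different start time and fails here. */
int proc_identity_still_valid(const struct proc_identity *snap) {
    struct proc_identity now;
    return proc_identity_get(snap->pid, &now) == 0 && proc_identity_same(snap, &now);
}

int main(void) {
    struct proc_identity self, child_id;
    if (proc_identity_get(getpid(), &self) != 0) return 1;
    printf("self: pid %d start %llu.%06llu valid=%d\n", (int)self.pid,
           self.start_sec, self.start_usec, proc_identity_still_valid(&self));

    /* A child parked in pause(): snapshot it while alive, kill and reap it,
     * and the snapshot stops validating even though the number is still in hand. */
    pid_t child = fork();
    if (child == 0) { pause(); _exit(0); }
    if (child < 0 || proc_identity_get(child, &child_id) != 0) return 1;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    printf("child %d valid after reap: %d\n", (int)child,
           proc_identity_still_valid(&child_id));
    return 0;
}
```

The window that remains is the gap between proc_identity_still_valid() and the action itself; a check in userland can only shrink it, which is why the comment's preference for holding the proc list lock across the whole command in the kernel is the actual fix.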

nullpixel commented on June 12, 2024

Libjb in #90

