Comments (5)
libproc is now used to check for xpcproxy in 0efc63b
from electra.
I would like to add:
- check if env is really set, instead of segfaulting when it's not.
- fix the race condition against unlink/open for /var/tmp/jailbreakd.pid, because it lets you create a file with controlled content (pid) anywhere on the disk (fopen will follow symlinks). Because of the exit command an attacker would have unlimited tries.
- lock the process list when we are doing stuff with it. Because this would fix a vuln in the new setuid command, where an attacker could use the pid reuse attack to gain higher privileges.
from electra.
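A defensive counterpart to the pid-file point above, added here as an example and not code from the thread or from electra: the pid file is created with O_CREAT|O_EXCL|O_NOFOLLOW, so a symlink planted at the path is refused instead of followed, and an existing file is never clobbered. The directory, the "victim" path and the pid 4242 are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write `pid` to `path` without following symlinks and without
 * clobbering an existing file. Returns 0 on success, -1 (errno set)
 * if the path already exists, is a symlink, or cannot be written. */
int write_pidfile_safely(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int len = snprintf(buf, sizeof(buf), "%d\n", (int)pid);
    ssize_t n = write(fd, buf, (size_t)len);
    int saved = errno;
    close(fd);
    if (n != len) { unlink(path); errno = saved; return -1; }
    return 0;
}

/* Self-check (constructed scenario): a symlink planted at the pid-file
 * path must be refused and its target left untouched; a clean path must
 * then be written with the expected content. Returns 1 if both hold. */
int pidfile_symlink_check(void)
{
    char dir[] = "/tmp/pidfile_demo_XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char pidpath[256], target[256];
    snprintf(pidpath, sizeof(pidpath), "%s/jailbreakd.pid", dir);
    snprintf(target, sizeof(target), "%s/victim", dir);
    int ok = 1;
    /* symlink pointing at a file the writer must never create or touch */
    if (symlink(target, pidpath) != 0) ok = 0;
    if (ok && write_pidfile_safely(pidpath, 4242) == 0) ok = 0; /* must fail */
    if (ok && access(target, F_OK) == 0) ok = 0;               /* not created */
    unlink(pidpath);
    if (ok && write_pidfile_safely(pidpath, 4242) != 0) ok = 0; /* clean path */
    char got[32] = {0};
    FILE *f = fopen(pidpath, "r");
    if (f) { if (!fgets(got, sizeof(got), f)) got[0] = 0; fclose(f); }
    if (ok && strcmp(got, "4242\n") != 0) ok = 0;
    unlink(pidpath); rmdir(dir);
    return ok;
}
```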
Speaking of locking process list -- kexecute to proc_find should fix it and speed up process finding in general.
About the race condition and the pid file -- we can actually use a better way of signaling about it being ready -- after #43.
from electra.
kexecute to proc_find should fix
I thought about locking while we execute the whole command, when we only lock while we are looking for the process, we are still vulnerable. The attacker would simply spawn a setuid binary which is killable by the user. Then it would wrap the pid around and right before it reaches the setuid binary's pid, it would signal jdb to do the setuid fixup and then kill the setuid binary. If the kill happens after the proc_pidpath, but before the change of the svuid field, the race is won. Pulling off such an attack is not that difficult, because max pid is (at least on most Linux systems) 32768.
I am also worried about another thing:
Is proc_pidpath really secure? Because when I tested it, it didn't look like it:
[20:10:20] ~<PATH>$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <libproc.h>
int main (int argc, char* argv[])
{
    pid_t pid; int ret;
    char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
    if ( argc > 1 ) {
        pid = (pid_t) atoi(argv[1]);
        ret = proc_pidpath (pid, pathbuf, sizeof(pathbuf));
        if ( ret <= 0 ) {
            fprintf(stderr, "PID %d: proc_pidpath ();\n", pid);
            fprintf(stderr, " %s\n", strerror(errno));
        } else {
            printf("proc %d: %s\n", pid, pathbuf);
        }
    }
    return 0;
}
[20:10:23] ~<PATH>$ cat 1.c
#include <stdio.h>
int main() {
    getchar();
}
[20:10:26] ~<PATH>$ gcc test.c -o test
[20:10:29] ~<PATH>$ gcc 1.c -o 1
[20:10:33] ~<PATH>$ echo "Now start ./1 in another window"
Now start ./1 in another window
[20:10:37] ~<PATH>$ ps aux | grep "./1"
Felix 1408 0,3 0,0 2432804 768 s002 S+ 8:10pm 0:00.00 grep ./1
Felix 1314 0,0 0,0 2432788 648 s001 S+ 8:10pm 0:00.00 ./1
[20:10:46] ~<PATH>$ ./test 1314
proc 1314: /Users/Felix<PATH>/1
[20:10:57] ~<PATH>$ rm 1
[20:11:03] ~<PATH>$ ./test 1314
PID 1314: proc_pidpath ();
No such file or directory
[20:11:04] ~<PATH>$ touch 1
[20:11:13] ~<PATH>$ ./test 1314
proc 1314: /Users/Felix<PATH>/1
[20:11:14] ~<PATH>$ ps aux | grep "./1"
Felix 1422 0,3 0,0 2423384 244 s002 U+ 8:11pm 0:00.00 grep ./1
Felix 1314 0,0 0,0 2432788 648 s001 S+ 8:10pm 0:00.00 ./1
[20:11:26] ~<PATH>$
Because when it behaves like this on iOS too, an attacker could create some binary which, after it has been spawned, deletes itself and then tricks a root service into creating a binary with the same name under the same path and setting the setuid bit on it. Then when the setuid fixup command is called proc_pidpath would return the path to the binary and lstat would detect it as a setuid binary owned by root.
from electra.
Libjb in #90
from electra.