
Anatomy of an Exploit: Starting Analysis

In this part of Chris Lamb's series, he gets us started on analysis.

If you've been following this series, at this point, we've pulled the jailbreak binary off the phone (or out of the IPA) and are ready to start analysis.

So let's get started.

otool

Okay, so let's first run strings, otool, and class-dump over the executable and see what turns up. First, we're going to look over the libraries the jailbreak uses:

$ otool -L PPJailbreakCarrier
PPJailbreakCarrier:
        /System/Library/Frameworks/AdSupport.framework/AdSupport (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 216.7.0)
        /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
        /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
        /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
        /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 237.2.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
        /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
        /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1033.1.0)
        /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
        /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 802.40.13)
        /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)

Look familiar? We generated this in the last article. So what's interesting here? Well, first, look at the first line. The jailbreak imports the Ad Support Framework. This is a really simple framework that records the user's advertising preferences, including the opt-out setting. But I'm not sure exactly why it's here — it's possible this was unintentional. I don't recall seeing any ads in the jailbreak (but I wouldn't mind if there were; I don't mind if the Pangu team gets something for their efforts here).

libz.1.dylib is a compression library. Okay, sure, they could be compressing something in the app bundle, though I'm not sure what that would be right now. IOKit enables kernel manipulation and driver development; it's not too surprising to see this in a jailbreak. libSystem.B.dylib is a catch-all dynamic library containing the C standard library, pthreads, kernel memory manipulation primitives, and a few other things. Other than the System Configuration Framework, the remaining libraries are pretty typical for an app, though there are lots of them.

The jailbreak has imported lots of libraries, and lots of potential functionality. We don't know yet which ones are really used though, or how.
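To show what `otool -L` is actually reading, here is an added example of my own, not code from the article or the Pangu team: it builds a constructed, minimal 64-bit Mach-O whose only load commands are LC_LOAD_DYLIB entries for two libraries from the list above, then walks those load commands back out the way otool does. The 16/8/8-bit packing of the compatibility and current version fields is where the x.y.z numbers in the output above come from.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF        # little-endian 64-bit Mach-O header magic
CPU_TYPE_ARM64 = 0x0100000C
LC_LOAD_DYLIB = 0x0C            # load command naming one linked library
# otool -L also lists weak and re-exported dylibs, which use these cmd values
DYLIB_CMDS = {LC_LOAD_DYLIB, 0x80000018, 0x8000001F}

def pack_version(text):
    """'1.2.5' -> 0x00010205: Mach-O packs X.Y.Z into 16/8/8 bits."""
    x, y, z = (int(p) for p in text.split("."))
    return (x << 16) | (y << 8) | z

def unpack_version(value):
    return f"{value >> 16}.{(value >> 8) & 0xFF}.{value & 0xFF}"

def build_load_dylib(path, compat, current):
    """Constructed dylib_command: cmd, cmdsize, name offset (24), timestamp,
    current_version, compatibility_version, then the NUL-terminated path,
    with cmdsize rounded up to an 8-byte boundary."""
    raw = path.encode() + b"\0"
    size = 24 + len(raw)
    size += (-size) % 8
    fixed = struct.pack("<6I", LC_LOAD_DYLIB, size, 24, 2,
                        pack_version(current), pack_version(compat))
    return fixed + raw.ljust(size - 24, b"\0")

def build_macho(dylibs):
    """Constructed minimal mach_header_64 (filetype 2 = MH_EXECUTE) + dylib commands."""
    cmds = b"".join(build_load_dylib(*d) for d in dylibs)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2,
                       len(dylibs), len(cmds), 0, 0) + cmds

def linked_dylibs(blob):
    """The information behind `otool -L`: [(path, compat, current), ...]."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    out, off = [], 32               # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd in DYLIB_CMDS:
            name_off, _ts, current, compat = struct.unpack_from("<4I", blob, off + 8)
            raw = blob[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            out.append((raw.decode(), unpack_version(compat), unpack_version(current)))
        off += cmdsize              # each load command carries its own size
    return out

# Constructed stand-in for the binary, built from two entries in the list above
SAMPLE = build_macho([("/usr/lib/libz.1.dylib", "1.0.0", "1.2.5"),
                      ("/usr/lib/libsqlite3.dylib", "9.0.0", "216.7.0")])
```

A real binary from the phone is a fat or arm64 Mach-O with dozens of other load commands in between, which this walker simply skips over by their cmdsize.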

Strings

Now, let's take a look over the strings output. I'm not going to include all of it here (there's a lot of it), but let's see what looks interesting:

$ strings PPJailbreakContainer
...
JailBreakDetect
...
<lots of strings with a WB prefix>
WeiboSDK
...
PayReq
PayResp
...
reachabilityForLocalWiFi
currentReachabilityStatus
...
JSONObjectWithData:options:error:
errorWithCode:userInfo:
sinaweiboRequest:didFailWithError:
...
requestWithURL:httpMethod:params:delegate:
serializeURL:params:httpMethod:
requestWithURL:cachePolicy:timeoutInterval:
httpMethod
setHTTPMethod:
postBodyHasRawData:
setHTTPBody:
setValue:forHTTPHeaderField:
initWithRequest:delegate:startImmediately:
cancel
sinaweiboRequest:didReceiveResponse:
...
handleJailbreakSuccess
handleJailbreakFaild
isFirstJb
showLocalPushNotification:
makeupJailbreakEnvironment
makeupJailbreakSuccess
...
jailBreakClick:
...
sinaWeiboEngine
...
setCompressedData:
zipStream
_compressedData
_logEnable
_uploadService
...
compressedData
...
pay:
...
https://applog.uc.cn/collect
...
Content-Disposition: form-data; name="%@"
Content-Disposition: form-data; name="%@"; filename="file"
Content-Type: image/png
Content-Transfer-Encoding: binary
Content-Type: content/unknown
Content-Transfer-Encoding: binary
...
https://open.weibo.cn
http://www.25pp.com
...
https://open.weibo.cn/2/
...
http://image.uc.cn/s/uae/g/26/ios_yueyutool/faq.html
http://bbs.25pp.com/forum-203-1.html
...
http://bbs.25pp.com/thread-462623-1-1.html
...
/private/var/mobile/Media/iTunes_Control/iTunes/gdeviceInfo.plist
/private/var/mobile/Media/iTunes_Control/iTunes/gdeviceInfo_code
...
CryptoCoderErrorDomain
no key or iv
Could not encrypt data
Could not decrypt data
hello world.
...
  /tmp/.pangu93loaded
*** pangu93 is loaded
lpesdk9x.semaphore
/bin/bash
/tmp/.needuicache
/private/var/mobile/Media/pg-install/pgloader
/tmp/pgloader
/dev/disk0s1s1
com.apple.springboard.lockstate
/private/var/mobile/Media/pg-install/Cydia.tar
/Library/LaunchDaemons/io.pangu93.loader.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>io.pangu93.loader</string>
    <key>Program</key>
    <string>/tmp/pgloader</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
...
https://api.weibo.com/2/statuses/update.json
https://upload.api.weibo.com/2/statuses/upload.json
...
https://api.weibo.com/oauth2/revokeoauth2
https://m.api.weibo.com/2/messages/invite.json
...
http://itunes.apple.com/cn/app/id350962117?mt=8
...
http://app.sina.cn/appdetail.php?appID=84560
...
@(#)PROGRAM:PPJailbreak9SDKAdapter  PROJECT:PPJailbreak9SDKAdapter-1
...
<...lots more removed for brevity...>

Okay, so we see that there are references to the WeiboSDK, which as far as I can tell is a microblogging SDK. There are clearly lots of references to HTTP communication. Some of these strings are class names (usually the case with CamelCase strings) and method names with their argument labels (look at the colons).

Well, one thing's for sure — there are lots of URLs and support for HTTP/S communication. I'm also very interested in the 'jailBreakClick' string.

class-dump

Okay, so let's run class-dump and take a look at the Objective-C classes in the binary:

$ class-dump -H -o interfaces/ PPJailbreakCarrier
$ ls interfaces
AppCommunicate.h                                PPNotificationManager.h                         UIWebViewDelegate-Protocol.h                    WXMediaInternalMessage.h
AppCommunicateData.h                            PPRunManager.h                                  WBAuthorizeRequest.h                            WXMediaMessage.h
AppDelegate.h                                   PPRunManagerDelegate-Protocol.h                 WBAuthorizeResponse.h                           WXMusicObject.h
AppRegisterInfo.h                               PPSDKM9Utils.h                                  WBAuthorizeWebView.h                            WXVideoObject.h
AppSettingItem.h                                PPShareInfo.h                                   WBBaseMediaObject.h                             WXWebpageObject.h
BaseReq.h                                       PPShareManager.h                                WBBaseRequest.h                                 WaBridge.h
BaseResp.h                                      PPWaStatictisManager.h                          WBBaseResponse.h                                WaCommon.h
CDStructures.h                                  PayReq.h                                        WBComposerDelegate-Protocol.h                   WaCompress.h
CommenInfo.h                                    PayResp.h                                       WBComposerViewController.h                      WaConfige.h
FeedBackViewController.h                        Reachability.h                                  WBDataTransferObject.h                          WaConnection.h
GTMBase64-PrivateMethods.h                      SendAuthReq.h                                   WBHttpRequest.h                                 WaData.h
GTMBase64.h                                     SendAuthResp.h                                  WBHttpRequestDelegate-Protocol.h                WaDataTask.h
GetMessageFromWXReq.h                           SendMessageToWXReq.h                            WBImageObject.h                                 WaHeader.h
GetMessageFromWXResp.h                          SendMessageToWXResp.h                           WBMessageObject.h                               WaMonitor.h
InstallWeiboAppAlert.h                          ShareEngine.h                                   WBMusicObject.h                                 WaPackageTask.h
LaunchFromWXReq.h                               ShareEngineDelegate-Protocol.h                  WBProvideMessageForWeiboRequest.h               WaRequest.h
LostWa.h                                        ShowMessageFromWXReq.h                          WBProvideMessageForWeiboResponse.h              WaResponse.h
MMApiRegister.h                                 ShowMessageFromWXResp.h                         WBSendMessageToWeiboRequest.h                   WaService.h
MainViewController.h                            SinaWeiboRequest.h                              WBSendMessageToWeiboResponse.h                  WaServiceDelegate-Protocol.h
NSCoding-Protocol.h                             SinaWeiboRequestDelegate-Protocol.h             WBVideoObject.h                                 WaThread.h
NSData-CYAes128.h                               TRFileHashUtility.h                             WBWebpageObject.h                               WeChatApiUtil.h
NSDictionary-CYValueHelper.h                    TRHandleData.h                                  WXApi.h                                         WeiboSDK.h
NSObject-Protocol.h                             TRSinaWeiboEngine.h                             WXApiDelegate-Protocol.h                        WeiboSDK3rdApp.h
NSString-GTMNSStringURLArgumentsAdditions.h     TRSinaWeiboEngineDelegate-Protocol.h            WXAppExtendObject.h                             WeiboSDKDelegate-Protocol.h
NSString-SinaWeiboEncode.h                      UIAlertViewDelegate-Protocol.h                  WXAuthInternal.h                                adDKknelkdkfeknkdnfldls.h
NSString-WBSDKNSStringUtils.h                   UIApplicationDelegate-Protocol.h                WXEmoticonObject.h
NSString-WBSDK_CountWord.h                      UIDevice-JailBreakDetect.h                      WXFileObject.h
PPJBEncryption.h                                UIDeviceAdditions.h                             WXImageObject.h

Interesting, but not as informative as the strings analysis. The adDKknelkdkfeknkdnfldls.h class interface seems out of place, though.
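An added example of my own, not from the article, that turns the manual sorting of the strings output above into a small triage pass: it buckets URLs (host only), filesystem paths, launchd persistence paths, Objective-C selectors (one colon per argument), jailbreak-related names, and identifiers that look generated, which is how the odd adDKknelkdkfeknkdnfldls class name would surface. The vowel-ratio test for generated names is my heuristic, not anything the article asserts; the sample lines are copied from the output above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines lifted from the strings output above
SAMPLE = """\
JailBreakDetect
requestWithURL:httpMethod:params:delegate:
setValue:forHTTPHeaderField:
https://applog.uc.cn/collect
/tmp/pgloader
/Library/LaunchDaemons/io.pangu93.loader.plist
adDKknelkdkfeknkdnfldls
Content-Type: image/png""".splitlines()

URL_RE = re.compile(r"^https?://([^/\s]+)")          # capture the host
SELECTOR_RE = re.compile(r"^[A-Za-z_]\w*(:\w*)+$")    # ObjC selector taking arguments
PERSISTENCE_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")

def looks_random(name, min_len=12, max_vowel_ratio=0.2):
    """Heuristic (an assumption): a long identifier with almost no vowels looks generated."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) <= max_vowel_ratio

def classify(s):
    """Return (category, detail) for one line of `strings` output."""
    m = URL_RE.match(s)
    if m:
        return "url", m.group(1)               # hosts to watch for when proxying
    if s.startswith(PERSISTENCE_DIRS):
        return "persistence", s                # launchd plist path: runs at boot
    if s.startswith("/"):
        return "path", s
    if SELECTOR_RE.match(s):
        return "selector", s.count(":")        # one colon per argument
    if "jailbreak" in s.lower():
        return "jailbreak", s
    if looks_random(s):
        return "obfuscated", s
    return "other", s

def triage(lines):
    """Group strings by category: {category: [detail, ...]}."""
    buckets = defaultdict(list)
    for line in filter(None, map(str.strip, lines)):
        cat, detail = classify(line)
        buckets[cat].append(detail)
    return dict(buckets)
```

Feed it the full `strings` output and the url and persistence buckets give you the proxy watch-list and the boot-time artifacts to check for before the disassembly step.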

We've done some initial exploration of the binary. Next time, I'm going to disassemble the binary and look at some of these functions, and start looking at overall application flow. I'm also going to explore some of these URLs and put my phone behind a proxy briefly to see what happens.

A Final Word...

I'd like to note here that there's been some controversy around this jailbreak. Some folks have been getting calls, or having money taken from Apple accounts, PayPal, or Western Union. Nobody knows why right now. Some are speculating that this is, in some way, associated with this jailbreak.

Personally, I don't believe that Pangu has anything to do with this. It doesn't make sense to me that they'd do this — they're a reputable, respected, and highly technical group associated with Alibaba. I don't believe they need to resort to fraud to do this. And keep in mind, a jailbroken phone is by definition more vulnerable, from a security perspective, than a non-jailbroken device. There's a slew of other possible attack vectors, including software downloaded to a workstation host. For example, it's possible to intercept code sent in the clear and modify it. This is a known attack vector with software updates, and tools are in the wild to enable this kind of attack.

This does, however, lend more urgency to this work from my perspective. I'm going to expand my analysis and raise its priority as a result.
