Anatomy of an Exploit: Starting Analysis
Anatomy of an Exploit: Starting Analysis
In this part of Chris Lamb's series, he gets us started on analysis.
Join the DZone community and get the full member experience.Join For Free
If you've been following this series, at this point, we've pulled the jailbreak binary off the phone (or out of the IPA) and are ready to start analysis.
So let's get started.
Okay, so let's first run strings, otool, and class-dump over the executable and see what turns up. First, we're going to look over the libraries the Jailbreak uses:
$ otool -L PPJailbreakCarrier PPJailbreakCarrier: /System/Library/Frameworks/AdSupport.framework/AdSupport (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 216.7.0) /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0) /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0) /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0) /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 237.2.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1) /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0) /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1033.1.0) /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 802.40.13) /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
Look familiar? we generated this in the last article. So what's interesting here? well, first, look at the first line. The jailbreak imports the Ad Support Framework. This is a really simple framework that records user preferences with respect to advertising and opt-out preferences. But I'm not sure exactly why it's here — it's possible this was unintentional. I don't recall seeing any ads in the jailbreak (but I wouldn't mind if there were, I don't mind of the Pangu team gets something for their efforts here).
libz.1.dylib is a compression library. Okay, sure, they could be compressing something in the app bundle, though I'm not sure what that would be right now. IOKit enables kernel manipulation and driver development; not too surprising to see this in a jailbreak. libSystem.B.dylib is a catch-all dynamic library containing the C standard library, pthreads, kernel memory manipulation primitives, and a few other things. Other than the System Configuration Framework, the remaining libraries are pretty typical for an app, though there's lots of them.
The jailbreak has imported lots of libraries, and lots of potential functionality. We don't know yet which ones are really used though, or how.
Now, let's take a look over the strings output. I'm not going to include it here, there's lots of it, but let's see what looks interesting:
$ strings PPJailbreakContainer ... JailBreakDetect ... <lots of strings with a WB prefix> WeiboSDK ... PayReq PayResp ... reachabilityForLocalWiFi currentReachabilityStatus ... JSONObjectWithData:options:error: errorWithCode:userInfo: sinaweiboRequest:didFailWithError: ... requestWithURL:httpMethod:params:delegate: serializeURL:params:httpMethod: requestWithURL:cachePolicy:timeoutInterval: httpMethod setHTTPMethod: postBodyHasRawData: setHTTPBody: setValue:forHTTPHeaderField: initWithRequest:delegate:startImmediately: cancel sinaweiboRequest:didReceiveResponse: ... handleJailbreakSuccess handleJailbreakFaild isFirstJb showLocalPushNotification: makeupJailbreakEnvironment makeupJailbreakSuccess ... jailBreakClick: ... sinaWeiboEngine ... setCompressedData: zipStream _compressedData _logEnable _uploadService ... compressedData ... pay: ... https://applog.uc.cn/collect ... Content-Disposition: form-data; name="%@" Content-Disposition: form-data; name="%@"; filename="file" Content-Type: image/png Content-Transfer-Encoding: binary Content-Type: content/unknown Content-Transfer-Encoding: binary ... https://open.weibo.cn http://www.25pp.com ... https://open.weibo.cn/2/ ... http://image.uc.cn/s/uae/g/26/ios_yueyutool/faq.html http://bbs.25pp.com/forum-203-1.html ... http://bbs.25pp.com/thread-462623-1-1.html ... /private/var/mobile/Media/iTunes_Control/iTunes/gdeviceInfo.plist /private/var/mobile/Media/iTunes_Control/iTunes/gdeviceInfo_code ... CryptoCoderErrorDomain no key or iv Could not encrypt data Could not decrypt data hello world. ... /tmp/.pangu93loaded *** pangu93 is loaded lpesdk9x.semaphore /bin/bash /tmp/.needuicache /private/var/mobile/Media/pg-install/pgloader /tmp/pgloader /dev/disk0s1s1 com.apple.springboard.lockstate /private/var/mobile/Media/pg-install/Cydia.tar /Library/LaunchDaemons/io.pangu93.loader.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>io.pangu93.loader</string> <key>Program</key> <string>/tmp/pgloader</string> <key>RunAtLoad</key> <true/> </dict> </plist> ... https://api.weibo.com/2/statuses/update.json https://upload.api.weibo.com/2/statuses/upload.json ... https://api.weibo.com/oauth2/revokeoauth2 https://m.api.weibo.com/2/messages/invite.json ... http://itunes.apple.com/cn/app/id350962117?mt=8 ... http://app.sina.cn/appdetail.php?appID=84560 ... @(#)PROGRAM:PPJailbreak9SDKAdapter PROJECT:PPJailbreak9SDKAdapter-1 ... <...lots more removed for brevity...>
Okay, so we see that there are references to the WeiboSDK, which as far as I can tell is a microblogging SDK. There's clearly lots of references to HTTP communication. Some of these strings are class names (usually the case with camelcase strings) and argument names (look at the colons).
Well, one thing's for sure — there's lots of URLs and support for HTTP/S communication. Also, very interested in the 'jailBreakClick' string.
Okay, so let's run class-dump and take a look at the Objective-C classes in the binary:
$ class-dump -H -o interfaces/ PPJailbreakCarrier $ ls interfaces AppCommunicate.h PPNotificationManager.h UIWebViewDelegate-Protocol.h WXMediaInternalMessage.h AppCommunicateData.h PPRunManager.h WBAuthorizeRequest.h WXMediaMessage.h AppDelegate.h PPRunManagerDelegate-Protocol.h WBAuthorizeResponse.h WXMusicObject.h AppRegisterInfo.h PPSDKM9Utils.h WBAuthorizeWebView.h WXVideoObject.h AppSettingItem.h PPShareInfo.h WBBaseMediaObject.h WXWebpageObject.h BaseReq.h PPShareManager.h WBBaseRequest.h WaBridge.h BaseResp.h PPWaStatictisManager.h WBBaseResponse.h WaCommon.h CDStructures.h PayReq.h WBComposerDelegate-Protocol.h WaCompress.h CommenInfo.h PayResp.h WBComposerViewController.h WaConfige.h FeedBackViewController.h Reachability.h WBDataTransferObject.h WaConnection.h GTMBase64-PrivateMethods.h SendAuthReq.h WBHttpRequest.h WaData.h GTMBase64.h SendAuthResp.h WBHttpRequestDelegate-Protocol.h WaDataTask.h GetMessageFromWXReq.h SendMessageToWXReq.h WBImageObject.h WaHeader.h GetMessageFromWXResp.h SendMessageToWXResp.h WBMessageObject.h WaMonitor.h InstallWeiboAppAlert.h ShareEngine.h WBMusicObject.h WaPackageTask.h LaunchFromWXReq.h ShareEngineDelegate-Protocol.h WBProvideMessageForWeiboRequest.h WaRequest.h LostWa.h ShowMessageFromWXReq.h WBProvideMessageForWeiboResponse.h WaResponse.h MMApiRegister.h ShowMessageFromWXResp.h WBSendMessageToWeiboRequest.h WaService.h MainViewController.h SinaWeiboRequest.h WBSendMessageToWeiboResponse.h WaServiceDelegate-Protocol.h NSCoding-Protocol.h SinaWeiboRequestDelegate-Protocol.h WBVideoObject.h WaThread.h NSData-CYAes128.h TRFileHashUtility.h WBWebpageObject.h WeChatApiUtil.h NSDictionary-CYValueHelper.h TRHandleData.h WXApi.h WeiboSDK.h NSObject-Protocol.h TRSinaWeiboEngine.h WXApiDelegate-Protocol.h WeiboSDK3rdApp.h NSString-GTMNSStringURLArgumentsAdditions.h TRSinaWeiboEngineDelegate-Protocol.h WXAppExtendObject.h WeiboSDKDelegate-Protocol.h NSString-SinaWeiboEncode.h UIAlertViewDelegate-Protocol.h WXAuthInternal.h adDKknelkdkfeknkdnfldls.h NSString-WBSDKNSStringUtils.h UIApplicationDelegate-Protocol.h WXEmoticonObject.h NSString-WBSDK_CountWord.h UIDevice-JailBreakDetect.h WXFileObject.h PPJBEncryption.h UIDeviceAdditions.h WXImageObject.h
Interesting, but not as informative as the strings analysis. The adDKknelkdkfeknkdnfldls.h class interfaces seem out of place, though.
We've done some initial exploration of the binary. Next time, I'm going to disassemble the binary and look at some of these functions, and start looking at overall application flow. I'm also going to explore some of these URLs and put my phone behind a proxy briefly to see what happens.
A Final Word...
I'd like to note here, there's been some controversy around this jailbreak. Some folks have been getting calls, having money taken from Apple accounts, Paypal, or Western Union. Nobody knows why right now. Some are speculating that this is, in some way, associated with this jailbreak.
Personally, I don't believe that Pangu has anything to do this. It doesn't make sense to me that they'd do this — they're a reputable, respected, and highly technical group associated with Alibaba. I don't believe they need to resort to fraud to do this. And keep in mind, a jailbroken phone is by definition more vulnerable, from a security perspective, than a non-jailbroken device. There's a slew of other possible attack vectors, including software downloaded to a workstation host. For example, it's possible to intercept code sent in the clear and modify it. This is a known attack vector with software updates, and tools are in the wild to enable this kind of attack.
This does, however lend more urgency to this work from my perspective. I'm going to expand and up the priority of my analysis as a result.
Opinions expressed by DZone contributors are their own.