Titan, 2016/01/27 and
We use two hack tools on iOS: Cycript and Reveal to analyze the vulnerability of a certain mall. Both of them have their own style and can attack cities and conquer villages. They are actually sharp knives for our daily home and killing and hijacking goods, which we now share with you.
0x00 Vulnerability origin
The store’s iOS app provides users with a function to retrieve their password, which requires three steps:
- Enter a local graphic identification verification code.
- Provide the user’s mobile phone number and enter an SMS verification code
- Enter the new password, confirm the password, and Bingo
To find loopholes, first catch the package to see, easy first, then difficult, really not do reverse analysis. Before burP is set up, open proxy, close Intercept and SSL protocol algorithm are all checked (to avoid weird SSL negotiation parameters, which have been wrongly treated before). On the iPhone, configure the proxy in the wifi option, pointing to burp. Then open app, burp reports an error.
Did the client pin the certificate? Sneer three times, open my SSL kill switch. Open the program again, log in, enter the mall, everything goes well. Ok, let’s get down to business and find a loophole. Enter the password retrieval function, submit the password according to the steps, reset the password, and then check the captured data packets in burP. The following is the POST data packets sent in the third step of password reset.
After careful analysis of the packet, it is found that except for a signature, there is nothing to do with the verification code obtained in the second step. Is the verification of this “your mother is your mother” question done on the client side? So we can change the phone number and reset any user’s password? The server returned an error when trying to change the package in burp. It seems that there are articles in Sign, it seems that we need to work from the client side.
Throw it into IDA and find the following key functions:
Then, I briefly ran through the parameters involved in the function.
It does not seem to involve the SMS verification code in the second step, should just be the phone number, the new password as the variable input signature. Good. No reverse signature algorithm. Life’s too short to save a bunch of brain cells. The basic idea is to perform the first two steps normally, and then in the third step change the screen phone number (user account) to another account that was attacked.
0 x01 cycript solution
A brief introduction to Cycript
Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.
In short: Insert the process and change it if you want. However, this product is a command line mode, a mixture of ObjectC and JS, the official help to write a little concise, or a little annoying. But with TAB key completion function, slightly relieved. Let’s use it step by step.
The prerequisite for achieving this goal is to find the object corresponding to the interface of the third step in the process of retrieving the password, and then operate the properties related to the registered mobile phone number in this object.
First, the app should run to the third step of our attack, which is the interface of inputting the new password and confirming the new password. Our goal is to use hack method to modify the registered mobile phone number that cannot be edited.
Of course, we also need to obtain the class information of the app using classdump. We found the following information related to password reset, which can assist the next attack.
Use the ps command to get information about the injected process, and then start cycript with the process name highlighted in red, or pid.
Then get the UI handle to the current app.
Get the app’s keyWindow.
Get the rootViewController for keyWindow.
Get the currently visible ViewController. Do interface hack, the first steps are basically the same, the purpose is to find the current display interface corresponding object.
FindPwdViewController is a password reset class found in classdump.
You can type the following command based on the classdump information:
See text not get, is the interface display registered mobile phone number, change!
On the phone, the registered phone number has been changed to the target phone number. Click Finish, success!
0 x02 pass reveal solution
The Reveal tool should be considered the first tool for interface hacks. If you’re not familiar with ObjectC and object-oriented thinking, as well as the various shell-smashing and dump tools, it’s not easy to complete cycript. But reveal is different. After the installation, you just click the mouse and tap a phone number.
But there’s one big obstacle standing in the way: Reveal’s installation on mobile devices. The following is the author’s installation experience:
Reveal is originally used by App developers as an auxiliary tool of Xcode, which does not have the function of inserting any program. However, any App, including Springboard, can be inserted by using Cydia Substrate on jailbroken iPhone. For installation method, see Reference 1. The author is installed in iOS9, must press this article said, the framework to the mobile end, in addition, plist file to use plisteditor and other special tools written, there is Filter must be written, or iPhone6S Plus will also slow intolerable! If this predicament occurs, immediately home+ Power hard shutdown, press volume + boot skip substrate, and re-configure Filter. Last but not least, the host of Reveal should be on the same LOCAL network as the phone being debugged.
After the reveal installation is complete, you need to find the bundle ID of the injected program in the info.plist file of the IPA package of the app. You can open it by using tools such as plisteditor and search for the CFBundleIdentifier.
Find the bundle ID and enter it in Filter. After you start the program, you will find the target app in the Reveal Connect target, and directly connect. The interface of the mobile app will appear in the Reveal. Borrow a picture from the above article, you can feel the various interface elements in a glance, and 3d display of hierarchy, cool.
What’s cool is that it allows you to directly modify the content of an interface element, whether or not it’s editable on the original phone, and then reflect it directly on the phone.
With this function, it is too easy to meet the target of our vulnerability verification. Go to the third step, refresh the reveal interface, edit the content of registered mobile phone number directly in the picture below, press Enter, and click finish on the mobile phone, ok.
0 x03 summary
Both Cycript and Reveal are rooted in cydia Substrate, but in very different styles. One is exquisite sword, which requires dancers to control carefully, and the other is a machete, which directly kills quickly. But the cool is that I can left linglong sword, right hand machete, up to the sky long scream, happy, not yihu!
0 x04 reference
-
Debug Reveal
http://42.96.192.22/?tag=%E8%B0%83%E8%AF%95%E5%88%A9%E5%99%A8reveal