jailbreakd granted my process pseudo-superuser privileges access #266

@Donny1995

Description

Hello. I found a problem where my binary runs in pseudo-root mode. All details below:
Start with code to get superuser rights:

#import <UIKit/UIKit.h>
#import "AppDelegate.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void patch_setuidandplatformize(void);

int main(int argc, char * argv[]) {
    @autoreleasepool {
        // Ask jailbreakd to fix up this process, then try to become root.
        patch_setuidandplatformize();
        if (!(setuid(0) == 0 && setgid(0) == 0)) {
            printf("DID NOT SET UID 0\n");
            exit(0);
        }
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}

Where patch_setuidandplatformize is taken from cydo from youknowwhere

#include <dlfcn.h>
#include <stdint.h>
#include <unistd.h>

// Flag value as in jailbreakd's header; defined here so the snippet compiles stand-alone.
#define FLAG_PLATFORMIZE (1 << 1)

void patch_setuidandplatformize(void) {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;

    // Reset errors
    dlerror();

    typedef void (*fix_setuid_prt_t)(pid_t pid);
    fix_setuid_prt_t setuidptr = (fix_setuid_prt_t)dlsym(handle, "jb_oneshot_fix_setuid_now");

    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t entitleptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

    // dlsym failures must be checked before the pointers are called, not after.
    const char *dlsym_error = dlerror();
    if (dlsym_error || !setuidptr || !entitleptr) {
        return;
    }

    // Ask jailbreakd to patch this pid's credentials, then become root.
    setuidptr(getpid());
    setuid(0);

    // Mark this process as a platform binary.
    entitleptr(getpid(), FLAG_PLATFORMIZE);
}

Then I entitle it with the following file, using jtool or ldid2; it does not matter which:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>platform-application</key>
	<true/>
	<key>com.apple.private.security.no-container</key>
	<true/>
	<key>com.apple.private.skip-library-validation</key>
	<true/>
	<key>get-task-allow</key>
	<true/>
	<key>task_for_pid-allow</key>
	<true/>
</dict>
</plist>

Then I find my binary, which was installed by CydiaImpactor, and do:

  • chown root:wheel executable
  • chmod 6755 executable.

So, this is how the binary looks in the filesystem. The suid bits are set, aren't they?
-rwsr-sr-x 1 root admin 235872 Dec 3 02:38 ElectraTest

setuid(0) starts working.
Or does it? I do get getuid() == 0.

But

I can't use posix_spawn - Operation not permitted
status = posix_spawn(&pid, "/usr/bin/stat", NULL, NULL, argv, environ);
or
status = posix_spawn(&pid, "/bootstrap/usr/bin/stat", NULL, NULL, argv, environ);

I can't write anything to the filesystem the exact same way Electra does to test the remount:

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
// Probe whether a file can be created at "/"; file_exists is an assumed helper, not Electra's.
static int file_exists(const char *p) { return access(p, F_OK) == 0; }
int test_root_write(void) {
    int fd = open("/.fileAccess", O_RDWR | O_CREAT, 0644);  // O_CREAT requires a mode argument
    if (fd == -1) {
        fd = creat("/.fileAccess", 0644);
    } else {
        printf("File already exists!\n");
    }
    close(fd);
    return file_exists("/.fileAccess");
}

I can't get the kernel task port with hsp4:
host_get_special_port(mach_host_self(), HOST_LOCAL_NODE, 4, &kern);
error is: "(os/kern) invalid argument"

So I can do nothing extra. The only changes are:

  • dlopen stopped screaming about invalid mmap on libjailbreak.dylib (actually, this is not because of root, but due to injections).
  • nice zeroes in getpid and getgid.

At least, hsp4 is really working when called inside Electra code after remapping tfp0 in fun.c.
Also, jailbreakd on launch in main.m is getting hsp4 to start working.
So, if I got uid==0 => jailbreakd patched me => it got the kernel task port from hsp4?

What's wrong with these steps?
And if this question is to be classified as "This is not about actual Electra code, it's all your broken arms", just tell me where to find the answers, please -_-.

  • iOS version: 11.0.3
  • iDevice model: MG472RU/A iPhone6
  • electra version: all <= Beta11-3 && 1.0.2
