People of Leb


Ever been sitting around with a group of friends discussing something and realized you wished you knew more about what, or who, is being discussed?

Ever have that nagging feeling in the back of your head that you have heard a name before but can’t remember where or who that person is?

Well, your troubles are over! At least if you’re in Lebanon 😛

People of Leb is an app developed for the iOS environment that contains many useful statistics and information in general on pretty much most of the “People of Lebanon”.

This is quite useful for looking up facts about important people in Lebanon’s history. You’ll find presidents, deputies, ministers, even doctors, engineers, and lawyers, and there are quite a few more categories! Moreover, with the upcoming elections, there is a feature in this app that lets users check Lebanon’s demographics, with statistics broken down by age, religion, and geography. You can also find the biggest families and the most common names!

While this might sound mundane, it certainly answers the many little questions that arise daily and that would be tedious to look up online or ask people about. With this app, all you have to do is fire it up and click on the category you wish to learn more about!

People of Leb also includes a section that displays Lebanon’s people on Twitter! You can find out who they are and follow them.

This is quite a useful app if you want an easy and quick way to learn more about people in Lebanon. Here are some screenshots of the features in this app:

[Screenshots: a list of presidents, and a list of Miss Lebanon winners]

Hopefully, the developers will release an update soon that will optimize this app for iPhone 5 display, but in the meantime, download it and check it out on iTunes!

Posted in iPad, iPhone, iPod

Apple Credits Evad3rs on Four Security Fixes in iOS 6.1.3


Apple has acknowledged the evad3rs for discovery of four of the six security issues fixed in iOS 6.1.3, notes MuscleNerd.

Apple gives hat tip to @evad3rs for 4 of the 6 security fixes in 6.1.3 🙂 http://is.gd/nfspim

dyld
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments.
CVE-ID : CVE-2013-0977 : evad3rs
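The dyld fix above is described as refusing to load an executable whose segments overlap. The following is an added example, not Apple's or the evad3rs' code, of that check as a loader or a static scanner would perform it: it walks the Mach-O load commands, bounds-checks each one, collects every LC_SEGMENT / LC_SEGMENT_64 command and reports any two whose virtual address ranges intersect. The two sample images are constructed inline; field layouts follow the public mach-o/loader.h definitions.

```python
import struct

# Layout constants from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19


def parse_segments(image):
    """Return [(segname, vmaddr, vmsize)] for every segment load command in a
    little-endian Mach-O image, bounds-checking each command as a loader must."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_size, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, "<II16sQQQQiiII"
    elif magic == MH_MAGIC:
        hdr_size, seg_cmd, seg_fmt = 28, LC_SEGMENT, "<II16sIIIIiiII"
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)  # same offsets in both headers
    end = hdr_size + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past the end of the image")
    segments, off = [], hdr_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == seg_cmd:
            if cmdsize < struct.calcsize(seg_fmt):
                raise ValueError("truncated segment command at offset %d" % off)
            f = struct.unpack_from(seg_fmt, image, off)
            segments.append((f[2].rstrip(b"\0").decode("ascii", "replace"), f[3], f[4]))
        off += cmdsize
    return segments


def overlapping_segments(segments):
    """Return (name_a, name_b) for every pair whose [vmaddr, vmaddr + vmsize)
    ranges intersect; an empty list means the image passes the check."""
    hits = []
    for i, (name_a, addr_a, size_a) in enumerate(segments):
        for name_b, addr_b, size_b in segments[i + 1:]:
            if size_a and size_b and addr_a < addr_b + size_b and addr_b < addr_a + size_a:
                hits.append((name_a, name_b))
    return hits


def build_image(segments):
    """Constructed test input: a minimal 64-bit Mach-O consisting only of
    segment commands.  segments = [(name, vmaddr, vmsize, fileoff, filesize)]."""
    cmds = b"".join(
        struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode("ascii"),
                    vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize in segments)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(segments), len(cmds), 0, 0)
    return header + cmds


# Constructed samples: a normal layout, and one where __DATA claims __TEXT's range.
BENIGN = [("__PAGEZERO", 0x0, 0x100000000, 0x0, 0x0),
          ("__TEXT", 0x100000000, 0x4000, 0x0, 0x4000),
          ("__LINKEDIT", 0x100004000, 0x4000, 0x4000, 0x4000)]
OVERLAPPING = BENIGN + [("__DATA", 0x100000000, 0x4000, 0x4000, 0x4000)]


if __name__ == "__main__":
    for label, layout in (("benign", BENIGN), ("overlapping", OVERLAPPING)):
        print(label, overlapping_segments(parse_segments(build_image(layout))))
```

To scan a real binary, read the file and pass its bytes to parse_segments(); a fat (universal) binary would first need the relevant architecture slice extracted, which this example does not do.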

Kernel
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine the address of structures in the kernel
Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context.
CVE-ID : CVE-2013-0978 : evad3rs

Lockdown
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
CVE-ID : CVE-2013-0979 : evad3rs

USB
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code in the kernel
Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.
CVE-ID : CVE-2013-0981 : evad3rs

Posted in iPad, iPhone, iPod

Best Installous Alternatives For iPhone/iPad and iPod Touch


After the bad news we all heard about the shutting down of the well-known piracy app Installous, which allowed users to install paid App Store apps for free, here is a breath of fresh air!

1. Zeusmos

Only a couple of days ago we reported that Installous, one of the most popular apps in Cydia for pirating apps, had been shut down. Many people called the shutting down of Installous a small victory against piracy. But it turns out this “victory” has been short-lived. Since the shutting down of Installous, many more piracy-related apps have come forth. One of these pirate apps is called Zeusmos.
So how can you download Zeusmos on your iPhone? Well, here’s how:

STEP 1: Open Cydia store and go to Manage—>Sources.

STEP 2: Now tap on ‘Edit’, then add the following repo to Cydia: ihacksrepo.com, and then tap on Add Source.

STEP 3: Now search for ‘Zeusmos’ on Cydia and download it.

STEP 4: That’s it. After you restart Springboard you should see the Zeusmos app on your iPhone Springboard.

2. Vshare or App VV

Probably everyone has heard of the popular piracy app called Vshare.

Those of you who follow jailbreak related news will already know this app. App VV or mostly commonly known as Vshare is quite a popular app in the Cydia store. Besides Installous, Vshare and AppCake are the most popular methods to download paid apps for free.

Vshare works mostly the same way as Installous did. If you have used Installous, the UI (user interface) of Vshare will be familiar to you. It does allow you to download paid apps, but like AppCake, most of the content is in Chinese and very little of it is translated. You can grab Vshare from the Cydia store by adding the following repo (try searching for the app before adding the repo): http://repocydia.com
3. AppCake: The third Installous alternative is AppCake, which most of you have heard about. Personally, I hate using it because it is slow, but all the apps work. If you are patient, AppCake will be useful to you, but you will have to wait, as loading takes a long time.

Posted in iPad, iPhone, iPod

Evasi0n 1.3 Released!


Evasi0n 1.3 has been released to jailbreak the iPhone 4S running iOS 6.1.1. However, the evad3rs team advises making a backup and updating to 6.1.1 through iTunes rather than as an OTA update.

Head on to http://www.evasi0n.com to get your copy.

Happy Jailbreaking!

Posted in iPhone

iOS 6.1.1 for iPhone 4S


iOS 6.1.1 has been released for iPhone 4S. It addresses a cellular performance issue. HOWEVER, if you are enjoying your newly jailbroken phone, hold off from updating while we confirm whether or not iOS 6.1.1 breaks evasi0n.

Posted in iPhone

How Evasi0n Actually Works


For those of you who are interested in how evasi0n technically works, check this out:

iOS 6.1 evasi0n jailbreak

The latest jailbreak is out, and it’s time to dissect it and document all the exploits and techniques it contains.  These days, jailbreaks are so well tested that it’s easy for people to forget all the complexity that goes into them.  There are numerous exploit mitigations in iOS userland, such as sandboxing, ASLR, and code signature requirements that make jailbreaking incredibly difficult.

One important point to make is that unlike the previous jailbreakme.com exploits, which could be used against an unwitting victim, jailbreaks that require USB tethering have a lower security impact, and are usually only useful to the phone’s owner.  Attackers are less interested because iPhones with a passcode set will refuse to communicate over USB while they are locked, unless they have previously paired with the connecting computer.  So if your phone is stolen and it’s locked, attackers won’t be able to jailbreak it.  Therefore, only malicious code already running on your computer can leverage USB jailbreaks nefariously.

Evasi0n userland component

This blog post will focus on the evasi0n userland component.  Evasi0n’s userland component is unique, because it is entirely filesystem-based.  It doesn’t require memory corruption to escalate privileges from mobile to root.  Perhaps it was named evasi0n because it evades all the userland exploit defenses instead of attacking them head-on.

Evasi0n works in 3 stages that are described below.  All of the stages use functionality on the phone exposed by MobileBackup, the daemon used to backup user data from the device, and restore backups back to the device.  Since backups are created by the user’s device, and must be interchangeable between devices, they cannot be easily cryptographically signed, so they are essentially untrusted data.

MobileBackup uses both a domain, such as MediaDomain, and a relative path to identify every file. A static absolute path corresponding to the domain, joined with the file-specific relative path, determines the absolute path of every file.  Evasi0n creates all its files in MediaDomain, so all of the files are within /var/mobile/Media.

Stage 1:

During stage 1, evasi0n creates a fresh backup to restore to the device, containing only the following files.  All files are within the MediaDomain.

directory: Media/
directory: Media/Recordings/
symlink: Media/Recordings/.haxx -> /var/mobile
directory: Media/Recordings/.haxx/DemoApp.app/
file: Media/Recordings/.haxx/DemoApp.app/Info.plist
file: Media/Recordings/.haxx/DemoApp.app/DemoApp
file: Media/Recordings/.haxx/DemoApp.app/Icon.png
file: Media/Recordings/.haxx/DemoApp.app/Icon@2x.png
file: Media/Recordings/.haxx/DemoApp.app/Icon-72.png
file: Media/Recordings/.haxx/DemoApp.app/Icon-72@2x.png
file: Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist

The symlink in .haxx to /var/mobile is created to escape the MobileBackup domain’s normal path restriction.  That is, normally files in the MediaDomain must reside within /var/mobile/Media; however, with the symlink created any file that exists in .haxx is actually restored in /var/mobile.  This technique has been used in past jailbreaks as well.

Next, DemoApp.app, an iOS app, is created in /var/mobile, complete with icons and other supporting collateral.  The plist com.apple.mobile.installation.plist is updated so that Springboard knows where the app lives, and can display it on the home screen.

However, unlike a normal iOS app, this app contains a very peculiar main binary consisting of just the following:

#!/bin/launchctl submit -l remount -o /var/mobile/Media/mount.stdout -e /var/mobile/Media/mount.stderr -- /sbin/mount -v -t hfs -o rw /dev/disk0s1s1

For those unfamiliar with UNIX shell scripts, the kernel looks at the first line of text files to determine the interpreter for the script.  The above file contents tell the kernel to execute launchctl with those specific arguments.

Additionally, com.apple.mobile.installation.plist contains a peculiar section for DemoApp.app, defining an environment variable to set when running it:

<key>EnvironmentVariables</key>
<dict>
<key>LAUNCHD_SOCKET</key>
<string>/private/var/tmp/launchd/sock</string>
</dict>

At this point, the device is rebooted so that the app is picked up by Springboard, and displayed to the user.

Stage 2.1:

Now that the previous files have been put into place, Stage 2 begins by creating a new empty backup, and restoring more files to the device.

directory: Media/
directory: Media/Recordings/
symlink: Media/Recordings/.haxx -> /var/db
symlink: Media/Recordings/.haxx/timezone -> /var/tmp/launchd

Essentially, this just creates a symlink called /var/db/timezone that points to /var/tmp/launchd.  The normal permissions on /var/tmp/launchd are:

drwx------ 2 root   wheel  102 Feb  4 12:17 launchd

These permissions normally prevent applications running as user mobile from descending into this directory.  Next, evasi0n tells the user it is stroking lockdownd.  What that actually means is evasi0n is sending a malformed PairRequest command to lockdownd.  Lockdownd is the main daemon that operates on commands received over USB, and is used to start/stop other services, such as MobileBackup and AFC.  Since lockdownd runs as root and the user can communicate to it, abusing it to perform unintended tasks has become common in recent jailbreaks.

Now we come to the first vulnerability exploited.  Sending lockdownd a malformed PairRequest command causes lockdownd to chmod 777 /var/db/timezone so that it is accessible to mobile (and all users).  It isn’t clear whether this is a vulnerability in lockdownd or in an underlying library or framework.

Stage 2.2:

Stage 2.2 drills down further into /var/tmp/launchd.  It modifies the permissions in the system so that the launchd socket is also accessible by the mobile user.  Stage 2.2 changes the timezone symlink as follows:

Symlink:  Media/Recordings/.haxx/timezone -> /var/tmp/launchd

To

Symlink:  Media/Recordings/.haxx/timezone -> /var/tmp/launchd/sock

Then evasi0n sends another malformed PairRequest packet to lockdownd, causing /var/tmp/launchd/sock to become accessible to the mobile user.
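The Lockdown advisory entry earlier on this page (permissions changed on a file whose path contains a symlink), the stage 1 escape out of /var/mobile/Media through the .haxx symlink, and the two PairRequest steps just described all come down to one missing check: a privileged process resolving a user-controlled path without noticing that one of its components is a symlink. The example below is added here and is not lockdownd's or MobileBackup's code. It models both checks in Python on a constructed directory tree (a stand-in MediaDomain root with a .haxx symlink pointing outside it) and shows that the naive join-then-resolve approach lands outside the domain, while walking the path component by component with lstat refuses both the restore and the chmod.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised when a user-supplied relative path would be resolved through a symlink."""


def first_symlink(root, relpath):
    """Walk root/relpath one component at a time with lstat (which does not
    follow links) and return the first component that is a symlink, or None."""
    cur = root
    for part in relpath.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise UnsafePath("parent reference in %r" % relpath)
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            return None  # nothing exists from here on, so nothing can be followed
        if stat.S_ISLNK(st.st_mode):
            return cur
    return None


def restore_target(root, relpath):
    """Where a backup entry (domain root + relative path) may be written.  Refuses
    the write if any existing component is a symlink, as Apple's fix describes."""
    link = first_symlink(root, relpath)
    if link is not None:
        raise UnsafePath("%s is a symlink; refusing to restore through it" % link)
    return os.path.join(root, relpath)


def safe_chmod(root, relpath, mode):
    """chmod() follows symlinks, so the path is checked component by component first."""
    link = first_symlink(root, relpath)
    if link is not None:
        raise UnsafePath("%s is a symlink; refusing to chmod through it" % link)
    os.chmod(os.path.join(root, relpath), mode)


def build_demo_tree():
    """Constructed sample tree: 'Media' stands in for the MediaDomain root
    (/var/mobile/Media) and 'outside' for a directory the domain must not reach."""
    base = tempfile.mkdtemp(prefix="mobilebackup-demo-")
    domain = os.path.join(base, "Media")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(domain, "Recordings"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(domain, "Recordings", ".haxx"))
    target = os.path.join(outside, "timezone")  # stands in for the root-only file
    with open(target, "w") as fh:
        fh.write("constructed\n")
    os.chmod(target, 0o700)
    return domain, outside


def run_demo():
    domain, outside = build_demo_tree()
    r = {}
    # Naive approach: join and resolve.  The symlink silently carries us outside the domain.
    naive = os.path.realpath(os.path.join(domain, "Recordings/.haxx/timezone"))
    r["naive_escapes"] = naive.startswith(os.path.realpath(outside))
    # An ordinary recording restores fine.
    r["ordinary_ok"] = restore_target(domain, "Recordings/memo.m4a").startswith(domain)
    # The stage 1 layout (DemoApp.app behind .haxx) is refused.
    try:
        restore_target(domain, "Recordings/.haxx/DemoApp.app/Info.plist")
        r["escape_blocked"] = False
    except UnsafePath:
        r["escape_blocked"] = True
    # The stage 2 chmod through the symlink is refused and the file keeps mode 0700.
    try:
        safe_chmod(domain, "Recordings/.haxx/timezone", 0o777)
        r["chmod_blocked"] = False
    except UnsafePath:
        r["chmod_blocked"] = True
    mode = stat.S_IMODE(os.stat(os.path.join(outside, "timezone")).st_mode)
    r["mode_unchanged"] = mode == 0o700
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The check-then-act sequence still has a window in which a component could be swapped for a symlink between the lstat and the chmod; on platforms that offer them, per-component O_NOFOLLOW opens or fchmod on an already-open descriptor close that window, and the component walk above is the minimum a privileged service should do before touching a path it did not create.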

Stage 2.3:

Stage 2.3 begins by uploading a Cydia and packagelist tarfile to the phone.  This isn’t used immediately, but is uploaded for use after the jailbreak is complete.

Next, the user is instructed to run the Jailbreak app (actually DemoApp.app) on their phone. Recall what that app did:

#!/bin/launchctl submit -l remount -o /var/mobile/Media/mount.stdout -e /var/mobile/Media/mount.stderr -- /sbin/mount -v -t hfs -o rw /dev/disk0s1s1

With the environment variable

LAUNCHD_SOCKET = /private/var/tmp/launchd/sock

If you read man launchctl, you will see that the submit command is described as follows:

submit -l label [-p executable] [-o path] [-e path] -- command [args]
A simple way of submitting a program to run without a configuration file. This mechanism also tells launchd to keep the program alive in the event of failure.
-l label
What unique label to assign this job to launchd.
-p program
What program to really execute, regardless of what follows the -- in the submit sub-command.
-o path  Where to send the stdout of the program.
-e path  Where to send the stderr of the program.

If you look at the manpage for launchd, you will see:

ENVIRONMENTAL VARIABLES

LAUNCHD_SOCKET

This variable is exported when invoking a command via the launchd command line. It informs launchctl how to find the correct launchd socket for communications.

Unlike most other things on iOS, launchd’s IPC mechanism operates through unix domain sockets.  There are also multiple launchd processes – one running as each user.  On iOS, there is one running as root, and one running as mobile.  So the user, as mobile, is executing launchctl via DemoApp.app.  However, launchctl is not talking to the mobile user’s launchd.  Instead, it is talking to the root user’s launchd, via the launchd socket that was exposed via UNIX permissions using the /var/db/timezone vulnerability.

Since the root user’s launchd runs as root, this job will be run as root.  The job will remap the system partition as read-write, allowing the exploit to then make persistent changes on the system partition that will execute as root in the early boot environment.

Stage 3:

Next, the final stage of the jailbreak begins, again using MobileBackup, but this time with full access to the system partition.

directory: Media/
directory: Media/Recordings/
symlink: Media/Recordings/.haxx -> /
symlink: Media/Recordings/.haxx/private/etc/launchd.conf -> /private/var/evasi0n/launchd.conf
directory: Media/Recordings/.haxx/var/evasi0n
file: Media/Recordings/.haxx/var/evasi0n/evasi0n
file: Media/Recordings/.haxx/var/evasi0n/amfi.dylib
file: Media/Recordings/.haxx/var/evasi0n/udid
file: Media/Recordings/.haxx/var/evasi0n/launchd.conf

Things are getting a bit confusing due to extensive use of pushing files through symlinks, but essentially this creates a directory at /var/evasi0n containing an executable, a library, and a new launchd.conf.  Launchd.conf is described by Apple (see man launchd.conf) as:

DESCRIPTION

launchd.conf contains a list of subcommands (load, unload, etc.) to run via launchctl(1) when launchd(8) starts.

The replacement launchd.conf, which will run at each boot, contains:

bsexec .. /sbin/mount -u -o rw,suid,dev /

setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib

load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist

bsexec .. /private/var/evasi0n/evasi0n

unsetenv DYLD_INSERT_LIBRARIES

bsexec .. /bin/rm -f /private/var/evasi0n/sock

bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock

Here’s what that does, line by line:

bsexec .. /sbin/mount -u -o rw,suid,dev /

Mount system partition read-write again

setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib

Insert amfi.dylib into any executable that launches after this point

load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist

Load the MobileFileIntegrity daemon

bsexec .. /private/var/evasi0n/evasi0n

Execute the malicious code, previously dropped in /var/evasi0n/evasi0n

unsetenv DYLD_INSERT_LIBRARIES

Unset DYLD_INSERT_LIBRARIES, so that amfi.dylib will no longer be inserted into every executable after this point

bsexec .. /bin/rm -f /private/var/evasi0n/sock

Delete any pre-existing socket file at /private/var/evasi0n/sock

bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock

Create a symlink from /var/tmp/launchd/sock to /private/var/evasi0n/sock, allowing other code direct access to the root launchd socket
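The line-by-line walkthrough above is also a checklist for anyone auditing a device's /etc/launchd.conf: a DYLD_* variable pointed at the writable data partition, a system daemon loaded while that variable is set, a bsexec of a program that does not live on the system partition, a read-write remount of /, and anything touching the launchd IPC socket. The following is an added example, not part of the analysis above and not evasi0n's code: a small auditor that walks a launchd.conf in the same order launchd would, tracks setenv/unsetenv state, and reports those patterns. The sample input is the launchd.conf listing reproduced above; the system-path prefixes are an assumption of this example.

```python
import shlex

# Assumed here: these prefixes live on the read-only system partition, while
# /private/var and /var are on the data partition and writable by the device owner.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")

# Sample input: the launchd.conf listing from the analysis above.
SAMPLE_CONF = """\
bsexec .. /sbin/mount -u -o rw,suid,dev /
setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
bsexec .. /private/var/evasi0n/evasi0n
unsetenv DYLD_INSERT_LIBRARIES
bsexec .. /bin/rm -f /private/var/evasi0n/sock
bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
"""


def audit_launchd_conf(text):
    """Walk launchd.conf subcommands in order, tracking setenv/unsetenv state,
    and return [(line_number, finding)] for each suspicious pattern."""
    env, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        sub, args = words[0], words[1:]
        if sub == "setenv" and len(args) == 2:
            env[args[0]] = args[1]
            if args[0].startswith("DYLD_") and not args[1].startswith(SYSTEM_PREFIXES):
                findings.append((lineno, "%s set to a data-partition path %s" % (args[0], args[1])))
        elif sub == "unsetenv" and args:
            env.pop(args[0], None)
        elif sub in ("load", "bsexec"):
            # bsexec <pid> <program> [args]: the program is the second word; load <plist>
            program = args[1] if sub == "bsexec" and len(args) > 1 else (args[0] if args else "")
            if "DYLD_INSERT_LIBRARIES" in env:
                findings.append((lineno, "%s %s runs with DYLD_INSERT_LIBRARIES=%s"
                                 % (sub, program, env["DYLD_INSERT_LIBRARIES"])))
            if sub == "bsexec":
                if not program.startswith(SYSTEM_PREFIXES):
                    findings.append((lineno, "bsexec of non-system program " + program))
                if program == "/sbin/mount" and args[-1] == "/" and \
                        any("rw" in a.split(",") for a in args):
                    findings.append((lineno, "remounts the system partition read-write"))
                if any(a.endswith("/launchd/sock") for a in args[2:]):
                    findings.append((lineno, "references the launchd IPC socket: " + " ".join(args[1:])))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_launchd_conf(SAMPLE_CONF):
        print("line %d: %s" % (lineno, finding))
```

Run against the sample, the auditor flags lines 1, 2, 3, 4 (twice) and 7, and nothing on the unsetenv or rm lines; a stock launchd.conf that only loads system plists with no DYLD_* variable set produces no findings. Tracking the environment in order is what makes the `load` on line 3 visible as the step that injects the library into MobileFileIntegrity, rather than a harmless load of a system daemon.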

Next, the exploit reboots the device, causing this configuration file to get run, line by line, on next boot.  The interesting thing about amfi.dylib and evasi0n is that neither is code-signed.  If you look at amfi.dylib with otool, you will see that it in fact has no TEXT/text section at all.  No TEXT/text section means that there is nothing to sign, and therefore, it won’t trip up the code-signing machinery.  What it does have is lazy binding information.

$ dyldinfo -export amfi.dylib
export information (from trie):
[re-export] _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
[re-export] _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
[re-export] _MISValidateSignature (_CFEqual from CoreFoundation)

This technique is described, at least, at http://networkpx.blogspot.com/2009/09/compiling-iphoneos-31-apps-with-xcode.html:

“If we can force MISValidateSignature() to always return 0, any binaries will pass the test. This function is part of libmis.dylib, which is now part of the shared cache, so you can’t binary patch this file. Replacing the implementation of a function is a perfect job with MobileSubstrate, unfortunately, no matter how I tried MS can’t be injected. Therefore I use a trick: create a “proxy dynamic library” that changes only the MISValidateSignature function, and let the rest pass through.”

By clever usage of a codeless dynamic library, existing valid methods (such as CFEqual()) can be re-exported as different methods with the same method signature, such that MISValidateSignature will always return 0, allowing any unsigned binary to run.

Conclusion

Evasi0n is interesting because it escalates privileges and gains full access to the system partition without any memory corruption.  It does this by exploiting the /var/db/timezone vulnerability to gain access to the root user’s launchd socket.  It then abuses launchd to load MobileFileIntegrity with an inserted codeless library that overrides MISValidateSignature to always return 0.

Posted in iPad, iPhone, iPod

Evad3rs Release Fixes for Weather App and Long Reboot Following Evasi0n Jailbreak


The Evad3rs have released fixes for those experiencing problems with the Weather app or long reboots after performing the Evasi0n jailbreak.

The fixes can be applied easily by updating the evasi0n 6.x untether and uikittools packages in Cydia, reports planetbeing.

Fixes for the long reboot issue and Weather app issue are now available on Cydia with an update to the untether and uikittools.

The team is also planning an update to the Evasi0n utility which will include these fixes.

Posted in iPad, iPhone, iPod

Fix Weather.app Bug after iOS 6.1 Evasi0n Jailbreak


After jailbreaking iOS 6.1 on iPhone with Evasi0n on Mac or Windows, many users have complained about the stock weather app crashing all the time. Even after restoring the device and jailbreaking it again, users were unable to fix the bug.

The developers behind the Evasi0n jailbreak already know about the issue and how to fix Weather.app. Per pod2g, the jailbreak process messes up the com.apple.mobile.installation.plist file, and they are already working on modifying the evasi0n app and on pushing a fix to Cydia for already-jailbroken devices.

For those who cannot wait a few hours, here is a script that forces a rebuild of com.apple.mobile.installation.plist. Before executing it, make sure to do a full backup. If you feel comfortable typing in a terminal or command prompt, here are the steps:

Step 1: Connect your iOS device to your Mac

Step 2: Open a Terminal window and type the following commands.

#!/bin/bash
# These commands run on the device itself and need root: they temporarily
# disable mobile_installation_proxy, delete the cached app database, and
# restart installd so that it rebuilds the cache.
chmod -x /usr/libexec/mobile_installation_proxy
killall -9 mobile_installation_proxy
rm /var/mobile/Library/Caches/com.apple.mobile.installation.plist /var/mobile/Library/Caches/com.apple.LaunchServices-045.csstore
launchctl stop com.apple.mobile.installd
launchctl start com.apple.mobile.installd

Step 3: Now execute the following command.

# Wait until installd has regenerated both cache files, then give it a moment to settle.
while [ ! -f /var/mobile/Library/Caches/com.apple.mobile.installation.plist ]; do
    sleep 1
done
while [ ! -f /var/mobile/Library/Caches/com.apple.LaunchServices-045.csstore ]; do
    sleep 1
done
sleep 10

Step 4: Now type the following command.

# Re-enable the proxy, flush pending writes to disk, and reboot.
chmod +x /usr/libexec/mobile_installation_proxy
sync
reboot

Posted in iPhone, iPod

Evasi0n: iOS 6.0 to 6.1 Jailbreak Has Been Released!


Well, you’ve all been waiting for it and now it’s finally here: The jailbreak for iOS 6.0 through 6.1 on all devices has just been released!

Head over to www.evasi0n.com to download your version (windows/mac/linux) and get jailbreaking!

Posted in iPad, iPhone, iPod

iOS 6.1 Is Here BUT BE CAREFUL!


Last night, Apple pushed its latest version of iOS, iOS 6.1, to its servers. This update targets iPhone, iPad, and iPod.

However, before you update, heed these words:
If you plan to jailbreak your iDevice, you can update to iOS 6.1, as planetbeing has confirmed that iOS 6.1 is still vulnerable to the exploits used in the yet-to-be-released jailbreak. BUT MuscleNerd cautions users to update via iTunes rather than over-the-air, and offers some insight as to why this is necessary: “a few reasons: OTA is more time consuming for us to test, and it gives you different SHSH blobs than normal restore.”

So just to be on the safe side, update through iTunes.

Posted in iPad, iPhone, iPod