ADVENTURES OF ROOTLESS How to get the Root in Rootless by PWN24K

Transcript of How to get the Root in Rootless by PWN24K.


What is Rootless?

Sources within Apple are particularly enthusiastic about a new security system called Rootless, which is being described internally as a “huge,” kernel-level feature for both OS X and iOS. To prevent malware, increase the safety of extensions, and preserve the security of sensitive data, Rootless will prevent even administrative-level users from being able to access certain protected files on Apple devices. Sources say that Rootless will be a heavy blow to the jailbreak community on iOS, though it can supposedly be disabled on OS X. Even with this Rootless feature coming to OS X, sources say that the standard Finder-based file system is not going away this year.


A little more info

Rootless can actually already be found in OS X 10.10 “Yosemite”, probably for testing, although it is most likely a beta-test feature for the upcoming iOS and OS X releases this fall.

Not a whole lot is known about what exactly Rootless is going to be like in these future firmwares, as they are either in the beta stage or have not been released publicly.


How does Rootless work?

As far as I can tell, Rootless is going to be kernel-based and is essentially a two-part sandboxing process located in /System/Library/Sandbox.

Think of it as one giant sandbox (the actual filesystem/system) containing a bunch of smaller sandboxes inside it (mobile/system applications, etc.).


How does Rootless work (cont.)

The first part is a .conf file that defines three stages: #1 The Booter, #2 Update Settings, #3 Symlinks. These stages define which directories are quarantined from the rest of the system and protected from unauthorized access, even with root!


How does Rootless work (cont. 2)

The second part of Rootless is a Profiles folder containing .sb “sandbox configurations” for multiple parts of the system, e.g. applications, system files, directories, all the good stuff that needs protecting.

This profile folder is most likely sandboxed itself, so even if you managed to escape a mobile sandbox and obtain root, it still wouldn't do you any good.


How can we disable this?

Apple claims it will be possible to enable and disable this on OS X but not on iOS. End of jailbreaking? Not a chance.

It is in fact possible to disable Rootless on both OS X and iOS; you would just need to go about it in a different way ;-)


How to disable Rootless (cont.)

If you're on OS X, Terminal can be used to disable Rootless temporarily, as I am going to show, allowing you to inject a payload into the system (“jailbreak”).

The method would be relatively the same for iOS, but Terminal is not an option there, so a kernel exec vuln would be required to achieve the same process.


PoC to temporarily disable Rootless

First off you need to get code signing out of the way by passing the cs_enforcement_disable=1 boot-arg. This tells AppleMobileFileIntegrity not to enforce code signing on any binaries or scripts.

Now we can execute our code unsigned. Next we navigate to the launch daemons directory with “cd /System/Library/LaunchDaemons”.

Then we can use launchctl to unload the sandboxd daemon: “launchctl unload -w”


PoC to temporarily disable Rootless (cont.)

Now sandboxing and Rootless are temporarily disabled, allowing us to inject our custom code, achieve full root access, and patch out Rootless altogether.

But wait!! After your code has been injected and Rootless has been patched out, you MUST reload the sandboxd daemon or suffer a bootloop!

So navigate back with “cd /System/Library/LaunchDaemons”

and then run “launchctl load -w”

Now sandboxing is re-enabled, but Rootless isn't, because you patched that out, right? ;)
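The two steps above leave observable traces on the machine: the boot-args NVRAM variable carries cs_enforcement_disable=1, and sandboxd disappears from the list of loaded launchd jobs. The following audit script is an added example (my own, not PWN24K's code) that checks captured `nvram boot-args` and `launchctl list` output for both signs; it assumes the daemon is registered under the launchd label com.apple.sandboxd and runs on constructed sample output.

```shell
#!/bin/sh
# Added audit helper, not part of the deck. It inspects captured output of
# `nvram boot-args` and `sudo launchctl list` for the two changes the PoC
# makes: the cs_enforcement_disable=1 boot-arg and an unloaded sandboxd.
# Assumption: sandboxd is registered under the label com.apple.sandboxd.

# Returns 0 if the nvram boot-args line carries cs_enforcement_disable=1.
bootargs_has_cs_disable() {
    # nvram prints "boot-args<TAB>value"; drop the name, turn tabs into
    # spaces and pad, so the token only matches as a whole word.
    args=$(printf '%s' "${1#boot-args}" | tr '\t' ' ')
    case " $args " in
        *" cs_enforcement_disable=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if launchctl list output (columns: PID Status Label) has sandboxd.
sandboxd_is_loaded() {
    printf '%s\n' "$1" | awk '$3 == "com.apple.sandboxd" { found = 1 } END { exit !found }'
}

# Prints the findings on one line, or "ok" when neither sign is present.
audit_rootless_tampering() {
    findings=""
    if bootargs_has_cs_disable "$1"; then
        findings="$findings cs_enforcement_disable=1-set"
    fi
    if ! sandboxd_is_loaded "$2"; then
        findings="$findings sandboxd-not-loaded"
    fi
    if [ -z "$findings" ]; then findings=" ok"; fi
    printf '%s\n' "${findings# }"
}

# Constructed samples standing in for the real command output (real output
# separates columns with tabs; both parsers accept spaces as well).
SAMPLE_BOOTARGS_BAD='boot-args -v cs_enforcement_disable=1'
SAMPLE_LIST_OK='PID Status Label
63 0 com.apple.sandboxd
85 0 com.apple.mDNSResponder'
SAMPLE_LIST_BAD='PID Status Label
85 0 com.apple.mDNSResponder'

audit_rootless_tampering "$SAMPLE_BOOTARGS_BAD" "$SAMPLE_LIST_BAD"
```

On a live OS X box the same functions take `"$(nvram boot-args)"` and `"$(sudo launchctl list)"` as their arguments.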



The process of disabling Rootless is pretty much the same on OS X and iOS, yet there are a lot of obstacles to overcome on iOS that you do not have to worry about on OS X. In perspective: as long as you can find a kernel vulnerability in the system, Rootless can be disabled and the system can be jailbroken.
