Weapons-grade KEXT loading and unprofessional competition

Yesterday evening a link was shared on Twitter that led to a posting in a forum on OS X and iOS internals. The posting contained a question about kernel extension (KEXT) loading on the iOS platform. The answer was more or less that iOS is a very locked-down platform and that trying to load a KEXT will result in the kernel erroring out with the message that the feature is unimplemented. So far so good. But the answer continued to claim that software bringing KEXT loading back to iOS would be of weapons-grade/0-day caliber.

B) You can patch back the kextloading portion. But that’s a bit out of scope for this answer (not to mention weapon-grade/0-day caliber, so you’ll excuse for keeping quiet on this)

This kind of answer is bad, really bad. We are living in times where security research is threatened by export regulations that try to classify the everyday tools of security researchers as dual-use or weapons technology. In these times we really cannot have people running around claiming that even loading a kernel extension to add new features to a running kernel is weapons technology. So naturally I was tweeting about this with the well-deserved #WTF hashtag.

What happened next could best be described as an all-out attack from the Twitter account @Technologeeks, which is the company account of Jonathan Levin, who wrote the forum posting. It started with a slanderous tweet claiming that I would only share information for money and then would whine if people actually make use of that info.

At least he GETS a response. That’s more than “I kn0w, will teach y0u f0r $$$, and y0u can never use it 0r I will whine incessantly”

The ironic thing here is that when this initial unprovoked attack from @Technologeeks happened, the guy who originally asked the question about KEXT loading already had an answer from me, because he had asked me the same question by e-mail. He also had access to the iOS KEXT loader that I use in my trainings for debugging purposes, etc. Anyway, the proper response to this all-out attack on me from a competing company (they also sell OS X trainings) was to call the person a jerk.

What happened next was even more surreal. The @technologeeks Twitter account immediately invoked Godwin's law and switched to Nazi slang by saying:

All Hail Esser!B)u r l33t.We (and everyone)sucks.All vulns/0days (c) über alle! So quit following us(&try to be a bit polite)

As a German this is not surprising, because sooner or later in an internet discussion someone will bring up Nazis or Nazi terminology to describe “Germans”. Anyway, at this point I was more or less explaining that people should be aware that these attacks were coming from a company that also offers OS X trainings. So these attacks were coming from a direct competitor.

At this point I was not really interested in this nonsense anymore until I was made aware of Jonathan Levin continuing the attacks in his private forum, as you can read here:

Responding to that with “#WTF” as he did, and then calling me (via our team handle) a “jerk” (in an apparently by now deleted tweet) is childish and insulting, and so the reaction was harsh. When Mr. Esser accused us further of slandering him and stealing his courses, which is an outright *lie* (there was not a single tweet to that extent or anything which even mentioned him up to this morning) , the situation escalated further. It’s one thing to behave in a rude, childish manner. It’s quite another to spread lies.

But let it be perfectly clear – Our methods @Technologeeks are pure, and we never once tried to denigrate, steal customers, steal material, slander him, or any of the propaganda and entirely false accusations that he is spreading to his devout throng of followers. Heck, I never even met the guy (and not sure I want to after this!).

This statement is outrageous, and I am only writing this blog post at all because the Twitter account keeps repeating similar nonsense over and over again.

  • the tweet in which I called the person attacking me a jerk was never deleted – and why would I delete it
  • at no point in time did anyone accuse them of stealing our courses – this is a made-up story to make me look bad
  • it is slander to claim that attendees of our trainings are not allowed to use what they learn
  • when this kind of slander comes from the competition I will defend myself against it
  • there is nothing “pure” in your methods when you accuse your competition of things that never happened
  • and it is just really bad taste and makes you a horrible human being when you use Nazi terminology to attack someone who disagrees with you

Anyway, all of this blog posting would not have been necessary if Jonathan Levin had dealt with the unprofessional behaviour of whoever is in charge of the @Technologeeks account and had actually extended a real apology that is not wrapped in more wrong claims. Also, instead of just shutting up, they keep pointing the finger in my direction on their Twitter account.

So long. I wish you all a nice weekend, and I will announce some new OS X and iOS kernel internals trainings for security researchers very soon.

iOS Kernel Exploitation Trainings, 0-days and Students reselling them

Some people who have no background in iOS exploitation cannot understand why I used 0-day vulnerabilities in my classes instead of old bugs, and why I am angry that ONE student out of hundreds was reselling them.

Most of the people questioning the legitimacy of my anger have never prepared a training course themselves. They do not understand that collecting material and writing it all up, thinking up an agenda, writing demo code, finding some demo vulnerabilities, and so on takes multiple months of work. At the end of this work you do one training, and what you get for that seems like a lot at first glance, but they do not take into account the costs for the hotel, the costs for travelling, the costs of printing material, the cost of food and many other costs. So at the end of the day the payment per preparation+training day is very small compared to having e.g. worked on one auditing project for 2 months.

In the case of iOS it is even worse, because we have to buy enough iPads for multiple trainings beforehand so that we can keep them on a jailbreakable version, because on iOS you cannot simply downgrade and install an old firmware. This means doing the first iOS training will leave you with nearly 0 profit.

This means the only way to financially benefit from doing trainings is to repeat these training courses. So you have to reuse the material. But the problem with that is that people will not sign up for courses if you promise to teach them about iOS 7 when iOS 8 is already out. So you have to adjust your training material all the time. Apple and iOS are a really fast-moving target, with a new major version out every year. But security features also change between minor versions, so you have to adjust for that, too. You have to create new examples or change old ones. So in order to not have to change all the stuff again and again, you mix in some 0-day vulnerabilities that will stay alive even after you do the training.

When I do this I only use information leak 0-day vulnerabilities, because I do not want to hand my students memory corruptions or similar bugs that could be used immediately to break into other people’s systems. However, even the information leak 0-days, and the fact that I guide my students in the course to discover them for themselves, are a good lesson inside the course. When I do this I introduce these parts with the message: “the following bugs are not mentioned on slides, because we do not want to give them out/let Apple know about them”. So far only one student considered that to be an invitation to take these bugs and make money out of them by reselling them and distributing them to the whole world. (Said student took even more, like code from the training, and linked it without permission into his commercial product, but that is not the topic here…)

So to summarize this: You cannot compare iOS training courses to other courses where you can just install an old version of the OS/software and use old bugs. For iOS you have to deal with the problem that you need to offer bugs that work with relatively new versions of the OS. And when a student makes these bugs publicly known, he has just destroyed weeks of work for you, because you have to find a solution to the problem. In my case I was relatively lucky, because Apple needed 7 months to actually kill the problems, so I could easily reuse the bugs.

But that is not all. The fact that this guy stole the bug and disclosed it to the world had a negative impact on our training sales. I had people come up to me and say: “Yeah I did not sign up for your class, because I believe after you got burned by that guy, you will not show us good stuff anymore.”

So maybe people will realize that taking material from a training to enrich yourself has negative consequences for the trainer and destroys weeks of his work. And it also disrupts his ability to sell further trainings. So yes, I am angry at people who want to destroy my business.

But the story does not end here. The student who took the bugs did not stop there. The jailbreak he released had code in it to make it unusable for my further training courses. It took about one EXTRA week to work through the heavy obfuscation they used, in order to change the jailbreak so that it applies the correct kernel patches and does not destroy the kernel’s Mach-O header in memory. So he did not only take my stuff to create this jailbreak, he also deliberately designed this jailbreak so that I cannot make use of it in trainings. This is just malicious and makes me wonder if disrupting my business was an original goal of his.

Pangu Jailbreak Team keeps on lying

You might have seen my previous blog post from yesterday exposing how Pangu wanted to pay me with stolen Apple property for my silence about them stealing my work.

It was expected that they would fire back in some way. So they published more of the conversation between me and @windknown. As you can see from this conversation, I told him that I will never ever trust him again if they go forward with releasing stuff based on my work. And what follows is his desperate attempt to pay me with stolen property or money for the bugs they had already taken.

But Pangu and some others keep bringing up these bugs and the fact that they were taken from the training. They ignore the far bigger issue that code from the training, which does not come with a license that would allow it, was directly linked into their jailbreak. I have repeatedly proven this to be a fact, although they did try to hide it by using obfuscation. And even in the ppuntether binaries it is easily visible that they used my code, because they forgot to strip the symbols.

Of course the Pangu posting goes on to claim that they only looked for these cables because I asked them to do so for my iBoot work etc… The only problem with that lie is that I do not work on iBoot vulnerabilities. Also, if it were true, why didn’t I take them up on the offer to just pay me off with money and a cable? Yes, why? Maybe because I had no interest at all in the cable. Maybe because I did not want to have anything to do with stolen property.

They also claim again that they did not offer to buy vulnerabilities from me for the jailbreak, which is a lie. Actually, right after the training, when @windknown was asking me to come to his hotel room (there are several witnesses for this), this was all he wanted to talk about. He wanted to buy vulnerabilities/exploits from me for Pangu. But at that time I did not know the name. Keep in mind that “Pangu” never actually paid for the training. Instead some other company did.

I really don’t know what deep problem Pangu has with admitting that they offered multiple parties money to buy vulnerabilities. Maybe it is a “cultural thing”, as @windknown used as an excuse; maybe they really want/need the world to believe that this is all their own work…
Maybe… Or maybe they really never bought a vulnerability because, despite their offers, no one wanted to sell to them.

Furthermore, Pangu claims I am delusional for saying that one of their friends asked during the Q&A session of my talk if I could provide evidence. I do not know in what world they are living. But there were several hundred people in the SyScan audience who heard him say that he is a friend of Pangu and that they wanted to know if I had any evidence. Everyone around this guy could see that he was on the phone or chatting with someone while asking this question.

Keep repeating your lies Pangu …

Just keep repeating …

Jailbreaking, China and Playing the Racial Discrimination Card

Don’t miss the update to this posting, because Pangu replied to this posting with a ton of lies.

A number of people might know that not long ago I gave a talk titled “iOS 678 Security – A study in fail” at SyScan 2015. Within this talk I was exposing the really bad security track record of Apple Security since the iOS 6 jailbreak in early 2013. I showed in detail how Apple kept ignoring vital elements of the exploitation chains, which made subsequent jailbreaks easier, because they could reuse previous techniques developed by the evad3rs. I also showed how Apple repeatedly failed to fix the same vulnerabilities over and over again, which again helped a lot in the development of the iOS 7.x and iOS 8.x jailbreaks. I ended my presentation (as previously announced) with a discussion of the new phenomenon that iOS jailbreaks have been coming from China since mid-2014. As part of this discussion I was comparing previous jailbreaks, which were all made by western security researchers and hackers, with those new Chinese ones. During that talk I exposed a number of things that the guys behind Pangu did not want to see exposed to the public, so they wrote a big blog post accusing me of racial discrimination to distract people from the presented facts.

During the talk I was presenting a number of facts about previous jailbreaks.

  • previous jailbreaks were made by people from western countries
  • these jailbreakers used methods for jailbreaking that tried hard not to violate copyrights, contracts and software licenses, which severely limited them
  • they released a lot of open source code for other iOS researchers to use
  • they applied kernel patches like task_for_pid0 in their jailbreaks to be completely open for other researchers who need access to the kernel
  • they did not get paid (“sponsored”) but tried to get by with donations
  • they basically made peanuts compared to information security companies who used their work to offer professional iOS consulting, forensics, etc…
  • and I also mentioned how all of this combined made them decide to move away to different targets

After presenting the past of jailbreaking I switched over to the new breed of jailbreaks that all come from China.

  • I mentioned that all jailbreaks since then came from Chinese hackers – which is a fact
  • I mentioned that these new jailbreaks are financed by Chinese app stores, which is a fact, kinda admitted by Pangu and TaiG, and easily visible from the fact that they bundle these app stores. However, Pangu wants to stress that this is not payment but “sponsoring”, and they make fun of the one million USD number that I mentioned. Well, I remember a conversation with a leading Pangu member in his hotel room where he told me, when he was trying to buy vulnerabilities from me: “you know these numbers they are rumoring about how much evad3rs made? They are real.” Also, the offer of “up to 1 mio sponsoring” was sent by email to several different people involved in iOS jailbreaking by different Chinese companies in 2012/2013.
  • I mentioned that Chinese jailbreakers have been trying to buy/acquire vulnerabilities to achieve jailbreaks. This is a fact I know, because different teams repeatedly tried to buy from me, and I also show a Twitter discussion on my slides that shows that Pangu offered 100k USD to another jailbreaker. It is questionable how they can afford that if they really only get “sponsored” to buy new iDevices. But it is also questionable how they can afford to organize security conferences in expensive Chinese hotels when they only get these small amounts.
    And by the way, here are Twitter DMs from the Pangu member who attended my training, in which he basically admits that he talked about buying/selling vulnerabilities for/to Pangu, something Pangu has officially stated to never do.
    [Screenshot: Pangu offering money to buy stolen vulnerabilities after the fact]
  • BTW: The people behind TaiG even have a website where they ask the community to share vulnerabilities – they do not even try to hide it
  • I continued to state that Chinese jailbreaks have been using shady methods like “stolen” enterprise certificates in their jailbreaks. This was then disputed by Pangu. They claim those enterprise certificates were neither stolen nor leaked and that they would be so cheap that they could simply buy them. But by stating that, they basically admitted in public that they have signed/would sign an iOS Enterprise Development Program contract with Apple to get a cert and then violate the contract by using it in a jailbreak. I do not know if admitting that in public was a good idea considering the amount of lawyers Apple has.
  • I then stated that so far Chinese jailbreaks have incorporated a lot of code written by other people that was either public or private, and they did not take into consideration that things like software licenses exist. For example, they took software from my training that does not come with a license that would allow worldwide distribution. They have also taken code from planetbeing that was put on GitHub without a license, which makes it kinda unfree. Pangu keeps mentioning that they did not sign an NDA for my training and somehow believe that makes it okay to take actual software (not mere vulnerabilities) written by me and release it under their own name.
  • The next thing I discussed was how lucky the Chinese jailbreakers were that Apple repeatedly failed to fix vulnerabilities, which allowed them to reuse the same stuff over and over again.
  • I then stated that a lot of the techniques and vulnerabilities (chains) they used were initially invented and discovered by westerners like the evad3rs or myself, which is a fact. Keep in mind that most of their initial code execution and incomplete code signing exploits are just the bugs from evasi0n/evasi0n7 that Apple repeatedly did not fix correctly.

I then closed that chapter with a description of what the new breed of jailbreakers have done for the community so far.

  • I explained that so far they have not released any code that would help other researchers to get into it, like previous jailbreakers did. (So far they have only discussed some of the vulnerabilities they used after Apple finally fixed them.)
  • I stated that Chinese jailbreaks have been heavily obfuscated, to the point that they even bought commercial-grade obfuscation software for it, which is a simple fact.
  • I said that they intentionally removed kernel patches like task_for_pid0 to stop other researchers from using their jailbreaks as a basis for their own work. This is however only true for Pangu, who even have the code to do the patch in their jailbreak, but intentionally do not call it. The people behind TaiG however do apply the patch, which shows that they are more open.
  • I also stated the fact that both Pangu and TaiG apply kernel patches in a destructive way. TaiG, for example, overwrites the beginning of the kernel’s TEXT segment in memory, and Pangu just trashes the kernel’s Mach-O header in memory. This is most probably done because this header is required by other researchers to reconstruct the kernel binary from memory, and I already established that Pangu does not want other researchers to be able to perform their work.
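The last point above turns on why a trashed Mach-O header matters: the header and its load command table are what a researcher walks to find the kernel's segments and rebuild the binary from a memory dump. The following Python is an added example, not code from this post or from any jailbreak, that parses a `mach_header_64` plus its `LC_SEGMENT_64` load commands from a dump and refuses to proceed when the header region has been overwritten. The image it checks is a constructed minimal sample (one `__TEXT` segment with placeholder addresses), not a real kernelcache, and `simulate_overwritten_header` is a constructed failure case, not a reproduction of any specific patch; the struct layouts and constants are the public ones from Apple's `<mach-o/loader.h>`.

```python
import struct

# Public Mach-O constants from <mach-o/loader.h> / <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C
HEADER_FMT = "<IiiIIIII"                    # mach_header_64, little-endian
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def build_sample_kernel_image():
    """Constructed sample: a mach_header_64 followed by a single LC_SEGMENT_64
    for __TEXT, padded to 0x4000 bytes. Not a real kernelcache; the vmaddr is a
    placeholder value."""
    seg_fmt = "<II16sQQQQiiII"              # segment_command_64, no sections
    seg = struct.pack(seg_fmt, LC_SEGMENT_64, struct.calcsize(seg_fmt),
                      b"__TEXT".ljust(16, b"\x00"),
                      0xFFFFFFF007004000,   # vmaddr (placeholder)
                      0x4000,               # vmsize
                      0,                    # fileoff
                      0x4000,               # filesize
                      5, 5,                 # maxprot / initprot: r-x
                      0, 0)                 # nsects, flags
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, len(seg), 0, 0)  # ncmds, sizeofcmds, flags, reserved
    return header + seg + b"\x00" * (0x4000 - len(header) - len(seg))


def parse_macho_header(image):
    """Parse the header and walk the load commands, raising ValueError at the
    first sign of damage (bad magic, out-of-bounds cmdsize, truncated table,
    segment pointing outside the dump). Returns the parsed fields."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image too short for a mach_header_64")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, _reserved = \
        struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"bad magic 0x{magic:08x}: header missing or overwritten")
    end = HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("load commands extend past the end of the image")
    segments = []
    offset = HEADER_SIZE
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        # 64-bit load commands must be 8-byte multiples and stay inside sizeofcmds
        if cmdsize < 8 or cmdsize % 8 or offset + cmdsize > end:
            raise ValueError(f"load command at 0x{offset:x} has bad cmdsize {cmdsize}")
        if cmd == LC_SEGMENT_64:
            segname, vmaddr, vmsize, fileoff, filesize = \
                struct.unpack_from("<16sQQQQ", image, offset + 8)
            if fileoff + filesize > len(image):
                raise ValueError(f"segment {segname!r} points outside the image")
            segments.append({"name": segname.rstrip(b"\x00").decode("ascii"),
                             "vmaddr": vmaddr, "vmsize": vmsize,
                             "fileoff": fileoff, "filesize": filesize})
        offset += cmdsize
    return {"cputype": cputype, "cpusubtype": cpusubtype, "filetype": filetype,
            "ncmds": ncmds, "flags": flags, "segments": segments}


def simulate_overwritten_header(image):
    """Constructed failure case: the dump as it looks when the in-memory header
    bytes were zeroed. Not a reproduction of any particular jailbreak's patch."""
    return b"\x00" * HEADER_SIZE + image[HEADER_SIZE:]


def header_is_usable(image):
    """True if the header parses cleanly and names a __TEXT segment, i.e. the
    dump can serve as a starting point for reconstructing the kernel binary."""
    try:
        info = parse_macho_header(image)
    except ValueError:
        return False
    return any(seg["name"] == "__TEXT" for seg in info["segments"])


if __name__ == "__main__":
    intact = build_sample_kernel_image()
    for label, img in (("intact", intact), ("trashed", simulate_overwritten_header(intact))):
        try:
            info = parse_macho_header(img)
            print(label, "->", [(s["name"], hex(s["vmaddr"])) for s in info["segments"]])
        except ValueError as err:
            print(label, "->", err)
```

Run stand-alone, the intact sample yields its `__TEXT` segment and address, while the zeroed copy fails the magic check before any segment is read, which is exactly the position a researcher is left in when the header page has been overwritten: without `ncmds` and `sizeofcmds` there is no load command table to walk, so the segment bounds have to be recovered by other means.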

To summarize this I was presenting a number of facts about previous and current jailbreaks. There was no racial discrimination in my talk. I was merely pointing out facts that are observable by anyone who takes a look at the details. And yes I called Chinese people Chinese.

However, since the blog post from Pangu that was written to discredit me, I get pestered by some Chinese people who accuse me of racial discrimination and threaten me or my family. Fact is, I have nothing against Chinese people in general. Actually, I have a number of close Chinese friends who would die laughing if I told them that someone accused me of being racist towards China. Nevertheless, I cannot stand people who want to be called security researchers while they base all their work on shady and questionable methods. I also hate the fact that Pangu believes they can get away with openly lying to everyone, because they believe I have no proof for any of my claims. They even let one of their friends ask in the Q&A session of my talk at SyScan if I had physical proof for some of the things, so that they could get away with claiming that this is not true…

And because of this unbelievable behaviour on their part and their repeated attempts to make me look like the one who has done wrong, I decided to do something that I normally would not have done (if they hadn’t actually attacked me like this in public). If you take a look at the picture below, you will see that this is a Lightning cable. The special thing about this Lightning cable is that it offers a serial connection to newer iOS devices that is otherwise not available. This is something that helps during the development of kernel/iBoot exploits (if you already have some working exploits). Security researchers like Ramtin Amin have created similar cables by reversing the protocol. The cable you see here, however, is not one of those. The photo of the cable you see here was sent to me by a member of Pangu who bragged about his friend having gotten a cable. He also told me that I should not discuss this on e.g. Twitter, because that would make getting these cables harder and harder. Apparently these cables are stolen from Apple or Apple partners, and the penalty for this has been getting harsher, which made them more difficult to acquire.

[Photo: the Pangu Lightning cable]

While the person from Pangu only said that “his friend” had gotten the cable, he later wanted to pay me off with such a cable after he realized that I was absolutely not okay with Pangu taking my vulnerabilities and my software without a license, as you can see here.

[Screenshot: Pangu wanting to pay me with a stolen Apple Lightning debugging cable]

I think all of this combined clearly shows that the people behind Pangu do not care about intellectual property, they do not care about software licenses, they do not care about violating contracts (with Apple), and they even traffic in stolen goods.

You have to decide for yourself if you think these people deserve to be called “security researchers” instead of shady hackers. You also have to decide for yourself if you consider them to be a trustworthy party to provide future jailbreaks for devices that contain your personal and private data like your nude pictures 😛

I am curious what kind of response we will get from Pangu now that I have provided evidence.


iPad mini – NO SCADA 0day REMOTE CODE EXECUTION

It seems people are getting impatient because I announced a blog posting a while ago but then, due to unforeseen circumstances, have not finished and published it yet. So for all those waiting, I created a little video of NO SCADA 0day REMOTE CODE EXECUTION. Just imagine me opening a shell on my MacBook and entering at the same time:

./exploit 10.114.117.114

And yes that device is an iPad mini… And yes the original posting will follow soon…

Coming soon…

After two years of not blogging and spending way too much time on Twitter, I decided it is time to return to blogging. In the coming weeks I will start with several new postings about various iOS kernel exploitation topics, discuss some of my private bugs and techniques that Apple has killed with the iOS 6 update, discuss some of the new security features, and also drop an iOS 6 kernel 0-day in the near future. So stay tuned…