RSS

Disable ASLR on iOS applications

May 23

ASLR – Address Space Layout Randomization is an important exploit mitigation technique introduced in iOS 4.3. ASLR makes the remote exploitation of memory corruption vulnerabilities significantly more difficult by randomizing the application objects location in the memory. By default iOS applications uses limited ASLR and only randomizes part of the objects in the memory. The image compares the different memory sections for partial and full ASLR applications.

partial vs full ASLR - iOS

In order to take full advantage of the ASLR, the application has to compile with -fPIE -pie flag (“Generate Position-Dependent Code” build option in Xcode). This flag is automatically checked by default in the latest version of the XCode (from iOS 6). So, all the applications that are compiled in the latest SDK will automatically use full ASLR. To find out whether the application is compiled with PIE flag or not, connect the iPhone over SSH and execute the below command.

Otool –Vh ApplicaitonBinary

PIE enabled iOS app

The above image shows PIE at the end of the file header. It indicates that the Facebook application is compiled with PIE flag and uses the full ASLR.

During the pentest, ASLR might cause issues while reversing or decrypting the application. To overcome this problem, Peter Fillmore wrote an awesome tool removePIE that can be used to disable the ASLR of an iOS application. It disables the ASLR by flipping the PIE flag.

Steps to disable the ASLR of an iOS Application:

1. Download removePIE.zip and extract it.
2. Copy removePIE to the iPhone using the below SCP command (password is alpine).

SCP removePIE root@iPhoneIP:/var/root

3. The SCP command copies the removePIE file into /var/root directory on the iPhone. This can be verified by connecting to the iPhone over SSH.

copy removePIE to iPhone

4. Copy removePIE to the corresponding application’s home directory.

removePIE to application directory

5. To disable ASLR of an application, run the removePIE command on the application binary.

./removePIE ApplicationBinary

disable ASLR of iOS app

The above command takes a backup of the application binary, then flips the PIE flag and disables the ASLR. This can be confirmed by running the otool -Vh ApplicationBinary command.

PIE disabled

The above image does not show PIE flag in the file header. It confirms that the Facebook application no more uses the full ASLR.

Note: removePIE does not accept the application path as an argument. Supplying the binary path to the program, ends up with segment fault:11 exception. 

References:
1. http://www.peterfillmore.com/2013/01/removepie-tool-for-disabling-aslr-on.html
2. iOS 4 security evaluation white paper by Dai Zovi

 

Posted by on May 23, 2013 in iPhone

5 Comments

Tags: , , ,

5 responses to “Disable ASLR on iOS applications

  1. BZ

    May 25, 2013 at 9:16 pm

    Look at the source code this tool. File name is declared with a char array with 80 bytes. If include the path, it may cause an error.

     
  2. Thomac

    June 28, 2014 at 11:13 am

    I cannot download your removePIE.zip. I’m using OSX Meverick and the downloaded file is removePIE (without .zip) Tried copy the file directly and ran it from ssh. Also tried rename the file to .zip but then cannot extract it. Is there any issue with the file?

     
    • satishb3

      June 29, 2014 at 11:30 am

      Its working fine from myside. Here is the download link – http://www.securitylearn.net/wp-content/uploads/tools/iOS/removePIE.zip

      You don’t require removePIE anymore. Clutch latest version automatically takes care of ASLR while decrypting.

       
      • TeNeX

        October 21, 2015 at 11:07 am

        where i can get a gdb working version for ios 8.1.x ?
        and how to bypass aslr or use something like removev PIE to backtrace errors?

         
        • satishb3

          October 23, 2015 at 5:58 pm

          There is no tool available for 8.x to remove PIE. You can use clutch to decrypt ios apps and it works most of the time.

           

Leave a Reply

Your email address will not be published. Required fields are marked *