chaitin / passionfruit

[WIP] Crappy iOS app analyzer
MIT License

KeyChain dump not working when TouchID or FaceID is used for authentication #10

Closed ghost closed 4 years ago

ghost commented 6 years ago

Is it possible to modify https://github.com/chaitin/passionfruit/blob/master/agent/keychain.js in order to list the keychain items and their attributes when TouchID or FaceID is used for authentication?

For some reason, when TouchID is active in the application, no data is displayed.

MWR needle has a great example (I'm using this script currently): https://github.com/mwrlabs/needle/blob/master/needle/modules/storage/data/keychain_dump_frida.py

ChiChou commented 6 years ago

I've encountered the problem that adding too many hooks will slow down the launch of the application, which caused the target app to crash immediately. I temporarily disabled some hooks in this commit https://github.com/chaitin/passionfruit/commit/7ced7a642ee261ddb6d5160efa714b1cc5551861, including the TouchID bypass hook.

Thank you for reporting the issue! Will find out a better approach.

ghost commented 6 years ago

Thanks for considering. It's such a great application and a lifesaver. I've used it recently for testing an application using FaceID authentication.

ghost commented 6 years ago

@ChiChou Have you had the chance to look into it?

ChiChou commented 6 years ago

@antoniozekic Oh sorry, it's Chinese New Year holiday now.

ChiChou commented 6 years ago

Just pushed a temporary workaround to the master branch. git pull && npm install && cd gui && npm install to upgrade.

Should add a preference page to control touch id bypass and other hooks. But I can't tell when it will be shipped.

ghost commented 6 years ago

Thanks, I'll check it out right away.

ChiChou commented 6 years ago

Actually the Touch ID / Face ID bypass is here: https://github.com/chaitin/passionfruit/blob/17d0aea/agent/app/ui.js#L10

The problem is my only jailbroken device that physically supports touch id is on iOS 11, and I am waiting for the stable Cydia.

ghost commented 6 years ago

I've tried the fix but the whole app just wasn't working (just listing), so I'll try again to make sure it's because of my setup, however it was just git pull && npm install && cd gui && npm install.

ChiChou commented 6 years ago

Cydia for iOS 11 is out, but seems like frida is broken. Need an app to reproduce this

ghost commented 6 years ago

Frida is working for me on iOS 11.0.3 and 11.1.1 so I can try...

ChiChou commented 6 years ago

Finally frida for iOS 11 is out. Will investigate it tomorrow.

ghost commented 6 years ago

Great! Please let me know if I can help with testing! I do own iOS 11.1.2 device and have an application that uses TouchID for authentication.

ghost commented 6 years ago

@ChiChou Hi! Have you by any chance had the time to look at this?

ChiChou commented 6 years ago

Try this branch? https://github.com/chaitin/passionfruit/tree/fix/touchid

https://github.com/chaitin/passionfruit/commit/8b286263c2e805c9e263c653cdb762f61136d984

ghost commented 6 years ago

I get the TouchID prompt and after the confirmation the result is: "Empty result" keychain

ChiChou commented 6 years ago

Which app?

ghost commented 6 years ago

An application I'm pentesting available only via TestFlight. However, the same problem persists on other apps that have TouchID login such as Box, Simplenote, Telegram, Outlook.

ChiChou commented 6 years ago

Are you on the fix/touchid branch?

git fetch origin
git checkout fix/touchid
npm run dev

ghost commented 6 years ago

I'm 100% sure that I'm on a fix/touchid branch. I even double-checked it now.

ChiChou commented 6 years ago

Does this standalone script work for your app?

$ frida -U TheApp

And paste this

// Hook -[LAContext evaluatePolicy:localizedReason:reply:] through the Frida ObjC bridge.
const method = ObjC.classes.LAContext['- evaluatePolicy:localizedReason:reply:'];
method.implementation = ObjC.implement(method, function (self, sel, policy, reason, reply) {
  // `reply` is the app's completion block, typed void (^)(BOOL success, NSError *error).
  // The original method is never called, so no system prompt appears; the app's
  // completion block is invoked immediately with success = YES and no error.
  const callback = new ObjC.Block(ptr(reply));
  callback.implementation(1, null);
});

It should bypass the prompt (if it works as expected).

ghost commented 6 years ago

[iPhone::TheApp]-> method = ObjC.classes.LAContext['- evaluatePolicy:localizedReason:reply:']; method.implementation = ObjC.implement(method, function (self, sel, policy, reason, reply) { const callback = new ObjC.Block(ptr(reply)); callback.implementation(1, null); }) "0x101e78000" [iPhone::TheApp]->

ghost commented 6 years ago

Needle has this option which is working: https://github.com/mwrlabs/needle/blob/master/needle/modules/storage/data/keychain_dump_frida.py

Sorry for referencing another tool...

ChiChou commented 6 years ago

Did the prompt show?

I've successfully used this on Safari password manager.

ghost commented 6 years ago

Prompt showed successfully.

ChiChou commented 6 years ago

That's not successful... It is expected to bypass the dialog

ghost commented 5 years ago

Is there any hope that this can be solved and that passionfruit can show keychain items? I haven't been successful on displaying keychain items on iOS 9.x, 10.x or 11.x on any application...

ChiChou commented 5 years ago

Wish this commit could help... https://github.com/chaitin/passionfruit/commit/1b79c84891408971afea06a742ce95786e65407e

ChiChou commented 4 years ago

Finally I can reproduce it on Safari

ChiChou commented 4 years ago

Okay, I know what it is.

// `query` is the keychain query dictionary (an NSMutableDictionary proxy, hence
// setObject_forKey_). Setting kSecUseAuthenticationUI to kSecUseAuthenticationUIFail
// tells the Security framework never to show the Touch ID / Face ID prompt: if an
// item would require it, the call fails with errSecInteractionNotAllowed instead of
// blocking on the dialog. Both constants are CFStringRef data symbols exported by
// Security, so the export address has to be dereferenced with readPointer().
query.setObject_forKey_(
      Module.findExportByName('Security', 'kSecUseAuthenticationUIFail')!.readPointer(),
      Module.findExportByName('Security', 'kSecUseAuthenticationUI')!.readPointer())
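As an added example (this is not passionfruit's agent code and was not posted in the thread), the same query setting used natively from Swift with the Security framework, next to the kind of access-controlled item that makes a keychain read ask for Touch ID / Face ID in the first place. The enum, function names, and the service/account strings are made up for the illustration; the constants and API calls are the Security framework's own.

```swift
import Foundation
import Security

/// Outcome of enumerating generic-password items with authentication UI forbidden.
enum KeychainListing {
    /// Attributes (never secret data) of the items that could be read.
    case items([[String: Any]])
    /// No generic-password items exist for this app (errSecItemNotFound).
    case empty
    /// errSecInteractionNotAllowed (-25308): the query would have had to show the
    /// biometric/passcode prompt, and kSecUseAuthenticationUIFail forbade that.
    case blockedByAccessControl
    case failed(OSStatus)
}

/// Lists generic-password items without ever presenting the authentication UI.
/// This is the native equivalent of the fix quoted above: kSecUseAuthenticationUI is
/// set to kSecUseAuthenticationUIFail, so the call errors out instead of blocking on
/// a Touch ID / Face ID dialog.
func listGenericPasswordsWithoutPrompt() -> KeychainListing {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnAttributes: true,
        kSecReturnData: false,                 // attributes only; secrets stay put
        kSecUseAuthenticationUI: kSecUseAuthenticationUIFail,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return .items((result as? [[String: Any]]) ?? [])
    case errSecItemNotFound:
        return .empty
    case errSecInteractionNotAllowed:
        return .blockedByAccessControl
    default:
        return .failed(status)
    }
}

/// Stores a secret so that reading its data requires the user to be present
/// (Touch ID, Face ID, or device passcode). Items created like this are the ones
/// that trigger the LAContext prompt a generic keychain read runs into.
/// Hypothetical helper; `service`/`account` are caller-chosen labels.
func storeUserPresenceProtectedSecret(service: String, account: String, secret: Data) -> OSStatus {
    var aclError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,  // never migrates to backups/other devices
        .userPresence,                                 // biometry or passcode on every read
        &aclError
    ) else {
        return errSecParam
    }
    let attributes: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: secret,
        kSecAttrAccessControl: acl,
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Usage (constructed sample values): store one protected item, then list without UI.
let added = storeUserPresenceProtectedSecret(
    service: "example.service",             // constructed placeholder
    account: "demo-user",                   // constructed placeholder
    secret: Data("s3cret".utf8))
print("SecItemAdd status:", added)
switch listGenericPasswordsWithoutPrompt() {
case .items(let attrs):
    print("\(attrs.count) item(s) readable without a prompt")
case .empty:
    print("no generic-password items")
case .blockedByAccessControl:
    print("at least one item needs user authentication; UI was forbidden (-25308)")
case .failed(let status):
    print("SecItemCopyMatching failed:", status)
}
```

The listing asks for attributes only and explicitly forbids UI, which is the combination a tool like passionfruit needs when it must not block on a dialog it cannot answer. Newer Apple SDKs mark kSecUseAuthenticationUIFail as deprecated in favour of passing an LAContext with `interactionNotAllowed = true` through kSecUseAuthenticationContext; the behaviour (errSecInteractionNotAllowed instead of a prompt) is the same, so the code above compiles with a warning there.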