sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

Apps using iCloud Keychain fail on dumping keychain #229

Open aph3rson opened 5 years ago

aph3rson commented 5 years ago

Describe the bug

If an app is using iCloud Keychain, running ios keychain dump causes an error.

I'm not sure if this is due to using iCloud Keychain, or if it's exposing a bug in another piece of functionality.

To Reproduce

Steps to reproduce the behavior:

  1. Connect to an app utilizing iCloud Keychain
  2. Run command ios keychain dump

Expected behavior

Dumping the keychain contents (if iCloud Keychain secrets aren't supported, print other secrets on the device).

Evidence / Logs / Screenshots

> objection --debug --network --host 10.11.12.13 --gadget "com.corp.app" explore
[debug] Agent path is: c:\python37\lib\site-packages\objection\agent.js
[debug] Injecting agent...
Using networked device @`10.11.12.13:27042`
[debug] Attempting to attach to process: `com.corp.app`
[debug] Unable to find process: `com.corp.app`, attempting spawn
[debug] PID `726` spawned, attaching...
[debug] Resuming PID `726`
Agent injected and responds ok!

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion) v1.6.3

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.corp.app on (iPad: 11.4) [net] # ios keychain dump
Note: You may be asked to authenticate using the devices passcode or TouchID
Save the output by adding `--json keychain.json` to this command
Dumping the iOS keychain...
A Frida agent exception has occurred.
TypeError: undefined not callable (property 'keyEnumerator' of [object Object])
    at [anon] (duk_js_call.c:2870)
    at src/ios/keychain.ts:190
    at src/ios/keychain.ts:112
    at map (native)
    at src/ios/keychain.ts:140
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)

Python stack trace: Traceback (most recent call last):
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\python37\lib\site-packages\objection\commands\ios\keychain.py", line 65, in dump
    keychain = api.ios_keychain_list()
  File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
    return script._rpc_request('call', js_name, args)
  File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
    raise result[2]
frida.core.RPCException: TypeError: undefined not callable (property 'keyEnumerator' of [object Object])
    at [anon] (duk_js_call.c:2870)
    at src/ios/keychain.ts:190
    at src/ios/keychain.ts:112
    at map (native)
    at src/ios/keychain.ts:140
    at frida/runtime/message-dispatcher.js:45
    at o (frida/runtime/message-dispatcher.js:25)

Environment (please complete the following information):

Additional context

Other apps using the Keychain seem to work fine.

leonjza commented 5 years ago

This looks like a problem with the ACL decoding logic here. I don't have an app atm that I know uses iCloud Keychain, but I think a start may be to do a debugDump on the constraints variable and inspect what we are working with there.
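
An added example, not part of the thread and not objection's own code: a sketch of the guard the trace points to, where the ACL decoder checks for keyEnumerator before enumerating and each item is decoded in isolation so one unexpected value does not abort the whole listing. The function names, the mock proxy objects and the sample items are constructed, and it assumes the failing constraints value is something other than a dictionary, which the thread has not confirmed.

```javascript
// Constructed stand-ins for Frida ObjC proxies; not objection's real types.
// A dictionary-like proxy exposes keyEnumerator(); other values may not.
function fakeDictionary(entries) {
  const keys = Object.keys(entries);
  return {
    $className: '__NSDictionaryI',
    keyEnumerator() {
      let i = 0;
      return { nextObject: () => (i < keys.length ? keys[i++] : null) };
    },
    objectForKey_: (k) => entries[k],
  };
}

// Hypothetical ACL decoder: enumerate only when the value is dictionary-like,
// otherwise report what was actually received instead of throwing.
function decodeConstraints(constraints) {
  if (constraints === null || constraints === undefined) return 'None';
  if (typeof constraints.keyEnumerator !== 'function') {
    return `Undecoded(${constraints.$className || typeof constraints})`;
  }
  const parts = [];
  const it = constraints.keyEnumerator();
  for (let key = it.nextObject(); key !== null; key = it.nextObject()) {
    parts.push(`${key}:${constraints.objectForKey_(key)}`);
  }
  return parts.join(';');
}

// Per-item isolation: one item that fails to decode must not abort the listing.
function listItems(rawItems, decode = decodeConstraints) {
  return rawItems.map((item) => {
    try {
      return { account: item.account, acl: decode(item.constraints) };
    } catch (e) {
      return { account: item.account, acl: null, error: String(e.message) };
    }
  });
}

// Constructed sample (assumption): the second item carries a non-dictionary value.
const SAMPLE = [
  { account: 'local-token', constraints: fakeDictionary({ od: 'true' }) },
  { account: 'synced-item', constraints: { $className: '__NSCFBoolean' } },
  { account: 'no-acl', constraints: null },
];

console.log(listItems(SAMPLE));
```

The Undecoded(...) string records the class name of the unexpected value, which is the same information a debugDump of the constraints variable would be used to find.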

aph3rson commented 5 years ago

I know this is a bit late, but Safari is one such app that could be tested - there are instructions on how to make Safari use the iCloud keychain here.