Added technique for analyzing entitlements (#2884)

* Added technique for analyzing entitlements * Improve linting * More linting * Final lints * Update techniques/ios/MASTG-TECH-0111.md --------- Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
OWASP · Sep 4, 2024 · 49f77b7 · 49f77b7
1 parent a83f71b
commit 49f77b7
Show file tree

Hide file tree

Showing 9 changed files with 169 additions and 137 deletions.
diff --git a/docs/contributing/5_Style_Guide.md b/docs/contributing/5_Style_Guide.md
@@ -376,11 +376,11 @@ Markdown blockquotes can be used for comments in the documents by using `>`
 
 Use code blocks when including sample code, shell commands, and paths. In Markdown, code blocks are denoted by triple backticks (` ``` `). GitHub also supports syntax highlighting for a variety of languages. For example, a Java code block should be annotated as follows:
 
-```markdown
-    ```java
-    public static void main(String[] args) { System.out.println(" Hello World!"); } } ;
-    ```
+````markdown
+```java
+public static void main(String[] args) { System.out.println(" Hello World!"); } } ;
 ```
+````
 
 This produces the following result:
 
@@ -390,12 +390,12 @@ public static void main(String[] args) { System.out.println(" Hello World!"); }
 
 When including shell commands, make sure to use the correct language for syntax highlighting (e.g. `shell` or `bash`) and remove any host names and usernames from the command prompt, e.g.:
 
-```markdown
-    ```shell
-    $ echo 'Hello World'
-    Hello World
-    ```
+````markdown
+```shell
+$ echo 'Hello World'
+Hello World
 ```
+````
 
 When a command requires parameters that need to be modified by the reader, surround them with angle brackets:
 

diff --git a/techniques/ios/MASTG-TECH-0056.md b/techniques/ios/MASTG-TECH-0056.md
@@ -50,7 +50,7 @@ ipainstaller App_name.ipa
 
 ## ios-deploy
 
-On macOS you can also use the @MASTG-TOOL-0054/ tool to install iOS apps from the command line. You'll need to unzip your IPA since ios-deploy uses the app bundles to install apps.
+On macOS you can also use the @MASTG-TOOL-0054 tool to install iOS apps from the command line. You'll need to unzip your IPA since ios-deploy uses the app bundles to install apps.
 
 ```bash
 unzip Name.ipa

diff --git a/techniques/ios/MASTG-TECH-0084.md b/techniques/ios/MASTG-TECH-0084.md
@@ -55,55 +55,55 @@ Note: On iOS 12 and higher, use the following procedure to sign the debugserver
 
 2) Connect to the device via SSH and create the file, named entitlements.xml, with the following content:
 
-    ```xml
-    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-    <plist version="1.0">
-    <dict>
-        <key>platform-application</key>
-        <true/>
-        <key>com.apple.private.security.no-container</key>
-        <true/>
-        <key>com.apple.private.skip-library-validation</key>
-        <true/>
-        <key>com.apple.backboardd.debugapplications</key>
-        <true/>
-        <key>com.apple.backboardd.launchapplications</key>
-        <true/>
-        <key>com.apple.diagnosticd.diagnostic</key>
-        <true/>
-        <key>com.apple.frontboard.debugapplications</key>
-        <true/>
-        <key>com.apple.frontboard.launchapplications</key>
-        <true/>
-        <key>com.apple.security.network.client</key>
-        <true/>
-        <key>com.apple.security.network.server</key>
-        <true/>
-        <key>com.apple.springboard.debugapplications</key>
-        <true/>
-        <key>com.apple.system-task-ports</key>
-        <true/>
-        <key>get-task-allow</key>
-        <true/>
-        <key>run-unsigned-code</key>
-        <true/>
-        <key>task_for_pid-allow</key>
-        <true/>
-    </dict>
-    </plist>
-    ```
-
-3) Type the following command to sign the debugserver binary:
-
-    ```bash
-    ldid -Sentitlements.xml debugserver
-    ```
+   ```xml
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+   <dict>
+      <key>platform-application</key>
+      <true/>
+      <key>com.apple.private.security.no-container</key>
+      <true/>
+      <key>com.apple.private.skip-library-validation</key>
+      <true/>
+      <key>com.apple.backboardd.debugapplications</key>
+      <true/>
+      <key>com.apple.backboardd.launchapplications</key>
+      <true/>
+      <key>com.apple.diagnosticd.diagnostic</key>
+      <true/>
+      <key>com.apple.frontboard.debugapplications</key>
+      <true/>
+      <key>com.apple.frontboard.launchapplications</key>
+      <true/>
+      <key>com.apple.security.network.client</key>
+      <true/>
+      <key>com.apple.security.network.server</key>
+      <true/>
+      <key>com.apple.springboard.debugapplications</key>
+      <true/>
+      <key>com.apple.system-task-ports</key>
+      <true/>
+      <key>get-task-allow</key>
+      <true/>
+      <key>run-unsigned-code</key>
+      <true/>
+      <key>task_for_pid-allow</key>
+      <true/>
+   </dict>
+   </plist>
+   ```
+
+3) Type the following command to sign the debugserver binary using @MASTG-TOOL-0111:
+
+   ```bash
+   ldid -Sentitlements.xml debugserver
+   ```
 
 4) Verify that the debugserver binary can be executed via the following command:
 
-    ```bash
-    ./debugserver
-    ```
+```bash
+./debugserver
+```
 
 You can now attach debugserver to any process running on the device.
 

diff --git a/techniques/ios/MASTG-TECH-0111.md b/techniques/ios/MASTG-TECH-0111.md
@@ -0,0 +1,93 @@
+---
+title: Extracting Entitlements from MachO Binaries
+platform: ios
+---
+
+To extract the entitlements from a MachO binary, the following tools can be used:
+
+- @MASTG-TOOL-0111
+- @MASTG-TOOL-0105
+- @MASTG-TOOL-0101
+
+The following examples use these tools on the main binary of @MASTG-APP-0028, which contains two architectures.
+
+## ldid
+
+The entitlements can be extracted using `ldid -e <binary>`. The `-A` flag is added to specify the desired architecture (16777228:0, which is CPU_TYPE_ARM64:CPU_SUBTYPE_ARM64_ALL):
+
+```bash
+$ldid -e -A16777228:0 iGoat-Swift.app/iGoat-Swift
+```
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>application-identifier</key>
+    <string>TNAJ496RHB.OWASP.iGoat-Swift</string>
+    <key>com.apple.developer.team-identifier</key>
+    <string>TNAJ496RHB</string>
+    <key>get-task-allow</key>
+    <true/>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>TNAJ496RHB.OWASP.iGoat-Swift</string>
+    </array>
+</dict>
+</plist>
+```
+
+## ipsw
+
+The entitlements can be extracted using `ipsw macho info -e <binary>`. The `-a` flag is added to specify the desired architecture:
+
+```bash
+$ ipsw macho info -e iGoat-Swift.app/iGoat-Swift -a arm64
+```
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>application-identifier</key>
+    <string>TNAJ496RHB.OWASP.iGoat-Swift</string>
+    <key>com.apple.developer.team-identifier</key>
+    <string>TNAJ496RHB</string>
+    <key>get-task-allow</key>
+    <true/>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>TNAJ496RHB.OWASP.iGoat-Swift</string>
+    </array>
+</dict>
+</plist>
+```
+
+## codesign
+
+The entitlements can be extracted using `codesign -d --entitlements - <binary>`. Make sure to include the `-` as the argument for the `--entitlements` flag:
+
+```bash
+$ codesign -d --entitlements - iGoat-Swift.app/iGoat-Swift
+```
+
+```code
+Executable=/Users/owasp/iGoat/Payload/iGoat-Swift.app/iGoat-Swift
+[Dict]
+    [Key] application-identifier
+    [Value]
+        [String] TNAJ496RHB.OWASP.iGoat-Swift
+    [Key] com.apple.developer.team-identifier
+    [Value]
+        [String] TNAJ496RHB
+    [Key] get-task-allow
+    [Value]
+        [Bool] true
+    [Key] keychain-access-groups
+    [Value]
+        [Array]
+            [String] TNAJ496RHB.OWASP.iGoat-Swift
+
+```
diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069.md
@@ -78,59 +78,7 @@ and then search for the Entitlements key region (`<key>Entitlements</key>`).
 
 ### Review Entitlements Embedded in the Compiled App Binary
 
-If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could be also the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (see @MASTG-TECH-0054).
-
-The following steps should work even when targeting an encrypted binary. If for some reason they don't, you'll have to decrypt and extract the app with e.g. Clutch (if compatible with your iOS version), frida-ios-dump or similar.
-
-#### Extracting the Entitlements Plist from the App Binary
-
-If you have the app binary on your computer, one approach is to use binwalk to extract (`-e`) all XML files (`-y=xml`):
-
-```bash
-$ binwalk -e -y=xml ./Telegram\ X
-
-DECIMAL       HEXADECIMAL     DESCRIPTION
---------------------------------------------------------------------------------
-1430180       0x15D2A4        XML document, version: "1.0"
-1458814       0x16427E        XML document, version: "1.0"
-```
-
-Or you can use radare2 (`-qc` to _quietly_ run one command and exit) to search all strings on the app binary (`izz`) containing "PropertyList" (`~PropertyList`):
-
-```bash
-$ r2 -qc 'izz~PropertyList' ./Telegram\ X
-
-0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<!DOCTYPE plist PUBLIC
-"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">
-...<key>com.apple.security.application-groups</key>\n\t\t<array>
-\n\t\t\t<string>group.ph.telegra.Telegraph</string>...
-
-0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC
-"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n
-<dict>\n\t<key>cdhashes</key>...
-```
-
-In both cases (binwalk or radare2) we were able to extract the same two `plist` files. If we inspect the first one (0x0015d2a4) we see that we were able to completely recover the [original entitlements file from Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements "Telegram-iOS-AppStoreLLC.entitlements original file").
-
-> Note: the `strings` command will not help here as it will not be able to find this information. Better use grep with the `-a` flag directly on the binary or use radare2 (`izz`)/rabin2 (`-zz`).
-
-If you access the app binary on the jailbroken device (e.g via SSH), you can use grep with the `-a, --text` flag (treats all files as ASCII text):
-
-```bash
-$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/
-    15E6A58F-1CA7-44A4-A9E0-6CA85B65FA35/Telegram X.app/Telegram\ X
-
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>com.apple.security.application-groups</key>
-        <array>
-        ...
-```
-
-Play with the `-A num, --after-context=num` flag to display more or less lines. You may use tools like the ones we presented above as well, if you have them also installed on your jailbroken iOS device.
-
-> This method should work even if the app binary is still encrypted (it was tested against several App Store apps).
+If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could also be the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (see @MASTG-TECH-0111).
 
 #### Source Code Inspection
 

diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070.md
@@ -40,7 +40,7 @@ Here's an example from Telegram's `.entitlements` file:
 
 More detailed information can be found in the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2 "Preparing Your App to Handle Universal Links").
 
-If you don't have the original source code you can still search for them, as explained in "Entitlements Embedded in the Compiled App Binary".
+If you don't have the original source code you can extract them from the MachO file as explained in @MASTG-TECH-0111.
 
 ### Retrieving the Apple App Site Association File
 

diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
@@ -13,35 +13,13 @@ masvs_v1_levels:
 
 ## Static Analysis
 
-Inspect the app entitlements and check the value of `get-task-allow` key. If it is set to `true`, the app is debuggable.
-
-Using @MASTG-TOOL-0101 and @MASTG-APP-0028:
+Extract the entitlements from the app (@MASTG-TECH-0111) and check the value of the `get-task-allow` key. If it is set to `true`, the app is debuggable.
 
 ```bash
-$ codesign -d --entitlements - iGoat-Swift.app
-
-Executable=/Users/owasp/iGoat-Swift/Payload/iGoat-Swift.app/iGoat-Swift
-[Dict]
-    [Key] application-identifier
-    [Value]
-        [String] TNAJ496RHB.OWASP.iGoat-Swift
-    [Key] com.apple.developer.team-identifier
-    [Value]
-        [String] TNAJ496RHB
-    [Key] get-task-allow
-    [Value]
-        [Bool] true
-    [Key] keychain-access-groups
-    [Value]
-        [Array]
-            [String] TNAJ496RHB.OWASP.iGoat-Swift
-````
-
-Using ldid:
-
-```xml
 $ ldid -e iGoat-Swift.app/iGoat-Swift
+```
 
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -62,6 +40,6 @@ $ ldid -e iGoat-Swift.app/iGoat-Swift
 
 ## Dynamic Analysis
 
-Check whether you can attach a debugger directly, using Xcode. Next, check if you can debug the app on a jailbroken device after Clutching it. This is done using the debug-server which comes from the BigBoss repository at Cydia.
+Check whether you can attach a debugger directly, as explained in @MASTG-TECH-0084.
 
 Note: if the application is equipped with anti-reverse engineering controls, then the debugger can be detected and stopped.
diff --git a/tools/ios/MASTG-TOOL-0105.md b/tools/ios/MASTG-TOOL-0105.md
@@ -1,5 +1,5 @@
 ---
-title: IPSW
+title: ipsw
 platform: ios
 source: https://github.com/blacktop/ipsw
 host:

diff --git a/tools/ios/MASTG-TOOL-0111.md b/tools/ios/MASTG-TOOL-0111.md
@@ -0,0 +1,13 @@
+---
+title: ldid
+platform: ios
+source: https://github.com/ProcursusTeam/ldid
+host:
+- windows
+- linux
+- macOS
+---
+
+ldid is a Link Identity Editor created by Saurik. It allows you to view and update the entitlements of a MachO binary.
+
+The original source can be found at [https://git.saurik.com/ldid.git](https://git.saurik.com/ldid.git), while precompiled versions are available from the [ProcursusTeam's repo](https://github.com/ProcursusTeam/ldid).