objection
Apps using iCloud Keychain fail on dumping keychain
Describe the bug
If an app is using iCloud Keychain, running `ios keychain dump` causes an error.
I'm not sure if this is due to using iCloud Keychain, or if it's exposing a bug in another piece of functionality.
To Reproduce
Steps to reproduce the behavior:
- Connect to an app utilizing iCloud Keychain
- Run command `ios keychain dump`
Expected behavior
Dumping the keychain contents (if iCloud Keychain secrets aren't supported, print other secrets on the device).
Evidence / Logs / Screenshots
> objection --debug --network --host 10.11.12.13 --gadget "com.corp.app" explore
[debug] Agent path is: c:\python37\lib\site-packages\objection\agent.js
[debug] Injecting agent...
Using networked device @`10.11.12.13:27042`
[debug] Attempting to attach to process: `com.corp.app`
[debug] Unable to find process: `com.corp.app`, attempting spawn
[debug] PID `726` spawned, attaching...
[debug] Resuming PID `726`
Agent injected and responds ok!
_ _ _ _
___| |_ |_|___ ___| |_|_|___ ___
| . | . | | | -_| _| _| | . | |
|___|___|_| |___|___|_| |_|___|_|_|
|___|(object)inject(ion) v1.6.3
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
com.corp.app on (iPad: 11.4) [net] # ios keychain dump
Note: You may be asked to authenticate using the devices passcode or TouchID
Save the output by adding `--json keychain.json` to this command
Dumping the iOS keychain...
A Frida agent exception has occurred.
TypeError: undefined not callable (property 'keyEnumerator' of [object Object])
at [anon] (duk_js_call.c:2870)
at src/ios/keychain.ts:190
at src/ios/keychain.ts:112
at map (native)
at src/ios/keychain.ts:140
at frida/runtime/message-dispatcher.js:45
at o (frida/runtime/message-dispatcher.js:25)
Python stack trace: Traceback (most recent call last):
File "c:\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
self.run_command(document)
File "c:\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
exec_method(arguments)
File "c:\python37\lib\site-packages\objection\commands\ios\keychain.py", line 65, in dump
keychain = api.ios_keychain_list()
File "c:\python37\lib\site-packages\frida\core.py", line 322, in method
return script._rpc_request('call', js_name, args)
File "c:\python37\lib\site-packages\frida\core.py", line 250, in _rpc_request
raise result[2]
frida.core.RPCException: TypeError: undefined not callable (property 'keyEnumerator' of [object Object])
at [anon] (duk_js_call.c:2870)
at src/ios/keychain.ts:190
at src/ios/keychain.ts:112
at map (native)
at src/ios/keychain.ts:140
at frida/runtime/message-dispatcher.js:45
at o (frida/runtime/message-dispatcher.js:25)
Environment (please complete the following information):
- Device: iPad 6th gen
- OS: iOS 11.4, Windows host
- Frida Version 12.6.4 (frida-server)
- Objection Version: 1.6.3
Additional context
Other apps using the Keychain seem to work fine.
This looks like a problem with the ACL decoding logic here. I don't have an app atm that I know uses iCloud Keychain, but I think a start may be to do a `debugDump` on the `constraints` variable and inspect what we are working with there.
I know this is a bit late, but Safari is one such app that could be tested - there are instructions on how to make Safari use the iCloud keychain here.