Saturday, March 30, 2013

TiVo App - cdata.p12 & ssdata.p12

After seeing these p12 files earlier, I was curious what they were for.

ssdata.p12


A quick search in IDA Pro turned up its usage location:



It appears that the method "connection:didReceiveAuthenticationChallenge" on the Transcoder object uses the "ssdata" string to call "extractClientCertInfo:withDateInfo:withSecIdentity:withClientCerts".

Looking at the iOS NSURLConnectionDelegate documentation (https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html):

connection:didReceiveAuthenticationChallenge:

Sent when a connection must authenticate a challenge in order to download its request.
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
Parameters
connection
The connection sending the message.
challenge
The challenge that connection must authenticate in order to download its request.

This method must be getting called during an NSURLConnection request when the host asks us to provide authentication, probably a client SSL certificate (ssdata).


Digging into the "extractClientCertInfo:withDateInfo:withSecIdentity:withClientCerts" code we see that it calls SecPKCS12Import.

; R0 = [Passphrase!] Arg 1 [r3] from extractClientCertInfo_withDateInfo_withSecIdentity_withClientCerts__ (withDateInfo is the fake argument name)
; R1 = File Contents of a P12 file
; R2 = [FileName] Arg 0 [r2] passed into SecurityUtils extractClientCertInfo_withDateInfo_withSecIdentity_withClientCerts__
; Stack 0x04 = Pointer to an array of items to be populated by this function

; CFArrayRef keyref = NULL;
; OSStatus sanityCheck = SecPKCS12Import((__bridge CFDataRef) p12Data,
;                                        (__bridge CFDictionaryRef) [NSDictionary dictionaryWithObject:password
;                                                                    forKey:(__bridge id)kSecImportExportPassphrase],
;                                        &keyref);
; The complete p12 content will be in the keystore array.
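For reference, this is what the two pieces above normally look like when written out in source: the delegate method from the NSURLConnectionDelegate documentation handing a client-certificate challenge to SecPKCS12Import, which is the pattern the disassembly is reconstructing. This is an added example written for this post, not the TiVo app's code; the "ssdata" resource name and the Transcoder class name come from the disassembly, while the CopyIdentityFromPKCS12 helper and the passphrase value are placeholders of mine.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example (not the TiVo app's code): how a delegate normally wires a
// bundled PKCS#12 client identity into connection:didReceiveAuthenticationChallenge:.
// "ssdata" is the resource name from the disassembly; the passphrase is a placeholder.

// Load a PKCS#12 blob with SecPKCS12Import and return the identity it contains.
// Caller owns the returned SecIdentityRef and must CFRelease it.
static SecIdentityRef CopyIdentityFromPKCS12(NSData *p12Data, NSString *passphrase)
{
    // kSecImportExportPassphrase is the only option SecPKCS12Import requires.
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        // errSecAuthFailed here means the passphrase did not match the bundle.
        if (items) CFRelease(items);
        return NULL;
    }
    // Each element of the array is a dictionary; kSecImportItemIdentity holds the identity.
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    if (identity) CFRetain(identity);
    CFRelease(items);
    return identity;
}

@interface Transcoder : NSObject <NSURLConnectionDelegate>
@end

@implementation Transcoder

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if (![method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        // Not a client-cert challenge (e.g. server trust): let default handling run.
        [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        return;
    }

    NSString *path = [[NSBundle mainBundle] pathForResource:@"ssdata" ofType:@"p12"];
    NSData *p12Data = [NSData dataWithContentsOfFile:path];
    // PLACEHOLDER: in the app this value is produced by the obfuscated dateTransform:other: call.
    NSString *passphrase = @"PLACEHOLDER-P12-PASSPHRASE";

    SecIdentityRef identity = CopyIdentityFromPKCS12(p12Data, passphrase);
    if (identity == NULL) {
        [challenge.sender cancelAuthenticationChallenge:challenge];
        return;
    }
    NSURLCredential *credential =
        [NSURLCredential credentialWithIdentity:identity
                                   certificates:nil
                                    persistence:NSURLCredentialPersistenceForSession];
    CFRelease(identity);
    [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
}

@end
```

The thing to notice from a security standpoint is that both inputs to SecPKCS12Import, the .p12 file and its passphrase, live inside the app bundle. Obfuscating the passphrase changes how much work recovering the identity takes, not whether it can be recovered, so a client certificate shipped this way identifies the app build rather than a user or device and should not be treated as a secret on the server side.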

It is clear that the "withDateInfo" argument is actually the .p12 file's password.  Looking back at what this argument is passed in as...

LDR             R4, [R2] ; _OBJC_CLASS_$_SecurityUtils
MOV             R2, (cfstr_Myw3O - 0x11A42C) ; "/MyW3}O aoG"
LDR             R0, [R3] ; _OBJC_CLASS_$_SUtils
MOVW            R3, #0x6E1A
LDR             R1, [R1] ; "dateTransform:other:"
MOVT.W          R3, #0x47
ADD             R2, PC  ; "/MyW3}O aoG"
ADD             R3, PC  ; "x$+2"
BLX             _objc_msgSend
MOV             R3, R0
It appears that SecurityUtils."dateTransform:other"() returns our password, taking the parameters "/MyW3}O aoG" & "x$+2".

Looking for other instances of dateTransform being called, I find that TcpConnection."useSSL"() also calls it in exactly the same fashion as Transcoder."connection:didReceiveAuthenticationChallenge"(), except that this time the parameters for dateTransform are "\x02\\|X\x02u\x1B\x06\x14O{c" & "a$+5" and it uses the "cdata" file.

This tells me that every TCPConnection object using SSL will automatically include the SSL client certificate cdata. This means that the IPScanner must be using this while scanning the network...

Looking at the disassembly for "dateTransform:other" we see that its code is obfuscated, making it nearly impossible to decipher. This definitely isn't going to work...
