
Sandbox Profiles #2

Open
retr0devops opened this issue Dec 26, 2022 · 4 comments

Comments

@retr0devops

Hi, I studied the features of the exploit. An idea arose here: since we can replace files, is it possible to change the Sandbox profiles? Allow or grant read-write rights. I'm talking about profiles located in /System/Library/Sandbox/Profiles

@retr0devops
Author

As I noticed, if the exploit rebinds files, then why not try to rebind functions (replace functions, call them, and so on)?

@zhuowei
Owner

zhuowei commented Dec 26, 2022

I don't think you can overwrite code since code signing would prevent the modified executable from launching.
Sandbox profiles might work: that's a clever idea. I'm not sure when they're read though. If you get that working, let me know.

@retr0devops
Author

Unfortunately, the above method does not work. We need to look for other ways to use this exploit 🫤

@retr0devops
Author

I'm opening this topic again; details have appeared.
The viewing of Sandbox profiles was carried out on iOS 14, but the real experiments were carried out on iOS 16 (experiments related to file substitution through this exploit). Naturally, nothing worked, because the paths in iOS 14 and iOS 16 are different.

iOS 14: /System/Library/Sandbox/Profiles
iOS 16: /System/Library/PrivateFrameworks/AuthKit…/com.apple.akd.sb.

However, right now I don't have one hundred percent conclusions about whether it will be useful. I will be glad if someone tells me about the purpose of this file. After reviewing it, I thought that it was responsible for the rights in the Sandbox, but in fact it may be otherwise. There are a lot of questions in this case: why in AuthKit?

Another "novelty" of iOS 16 is that almost every framework has its own sandbox profile, which prohibits or allows access to it via look-up. I will attach images below.

The first image is the expected file of the general sandbox, the second image is a sample profile of the sandbox framework.

Now we need tests.

[Attached image 1: the expected file of the general sandbox profile]
[Attached image 2: a sample sandbox profile of a framework]

@retr0devops retr0devops reopened this Jan 2, 2023
@retr0devops retr0devops changed the title Question Sandbox Profiles Jan 2, 2023