Watch the 'Dream Team' of iPhone hackers detail the Absinthe Jailbreak at HITB2012 in this video posted by the conference.
---
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an 'include' command into the configuration to load commands from an outside controllable source that also conforms to racoon's sandbox restrictions. Only one file was located that is allowed by racoon's sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since dynamic linker cache slide is only updated once every reboot, using an otherwise useless NULL pointer dereference bug and the ability to read crashreports off the device allowed easy calculation for input to @pod2g ROP generation code.
Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by sandbox and get it to do our bidding. Some mach ninja from @planetbeing allowed us to inject data reliable onto another process's stack and using debugging apis we were able to jump into crafted ROP payload within that process which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
---
If you missed their presentation on the Corona jailbreak you can check it out here.
Read More
1 comments [add] | 3917 viewsRecent Apple News Entries
2012-06-23 05:28:48 - Watch the 'Dream Team' of iPhone Hackers Detail the Absinthe Jailbreak [Video]
2012-06-23 02:54:25 - Google Lowers Pricing on Google Maps API
2012-06-23 01:35:13 - Judge Throws Out Apple vs. Motorola Case With Prejudice
2012-06-23 00:09:13 - Next Generation iMac Will Not Have Retina Display?
2012-06-22 23:53:12 - Microsoft Surface to Start at $599 for RT Model, $999 for Pro Model?
2012-06-22 20:13:49 - Official Wimbledon App Released for 2012 Championships
2012-06-22 20:07:28 - Vacation Blackouts Suggest Late July Launch of OS X Mountain Lion
2012-06-22 20:02:13 - Judge Limits Apple/Samsung Exhibits Allowed in Trial
2012-06-22 19:53:54 - Ed Catmull and Larry Ellison Remember Steve Jobs [Video]
2012-06-22 19:22:44 - Radiolab Releases App for the iPhone, iPod Touch
[more][rss]
Follow iClarified
The iClarified Newsletter is sent once a day and includes any news or tutorials posted in the last 24 hours. To signup for the Newsletter click here. Make sure you choose "Yes" to be added to our Mailing List.colton dixon jenny mccarthy houston weather dwyane wade magic mike trailer the night they drove old dixie down levon
No comments:
Post a Comment