Chronic Dev Team member, Pod2G, has provided some more details about the Corona untether that has been used by the iPhone Dev team and Chronic Dev team in Redsn0w and Corona Untether jailbreak app for iOS 5.0.1.
Pod2G explains what he was up against and how he managed to discover the userland and the kernel exploit.
Pod2G writes that Apple has fixed all previously known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.
Before, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn't check its authenticity. ROP is used so that code execution happens without writing executable code, but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either the interposition exploit or the initializer exploit.
He goes on to say that in iOS 5.0, data pages also need to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though. We may see this in the 5.1 jailbreak.
Thus, for Corona, he searched for a way to start unsigned code at boot without using the Mach-O loader. That's why he looked for vulnerabilities in existing Apple binaries that he could call using standard launchd plist mechanisms.
He says that using a fuzzer, he found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon. It comes by default with iOS and is started when you set up an IPsec connection.
For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command: racoon -f racoon-exploit.conf
racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.
The format string bug is utilized to copy the ROP bootstrap payload into memory and to execute it by overwriting a saved LR on the racoon stack with a stack pivot gadget.
The ROP bootstrap payload copies the ROP exploit payload from the payload file which is distributed with Corona, then stack-pivots to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming.
The ROP exploit payload triggers the kernel exploit.
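The root cause of the chain above is a config parser that hands untrusted file text to a printf-style function as the format argument. The following is an added illustration, not racoon's code or Pod2G's exploit: a constructed config line (the directive syntax is only assumed to resemble racoon's), a checker that flags conversion directives in text destined for a format parameter, and the hardened logging pattern that makes such text inert.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a config line shaped like a racoon directive whose
 * quoted value carries format conversions. Sample value, not from the page. */
static const char SAMPLE_LINE[] = "path include \"%x%x%x%n\";";

/* Vulnerable pattern (kept as a comment so it never compiles into the demo):
 * the untrusted line itself becomes the format string, so "%x" reads stack
 * words and "%n" writes to memory, which is what the chain above builds on.
 *
 *   static void vulnerable_log(const char *line) { fprintf(stderr, line); }
 *
 * gcc/clang report this with -Wformat-security; -Werror=format-security
 * turns it into a build failure. */

/* Count printf conversion directives in untrusted text, treating "%%" as a
 * literal percent. Any non-zero count in text that reaches a format
 * parameter is a finding worth blocking or logging. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, not a directive */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;
    }
    return n;
}

/* Hardened pattern: the config text is only ever a %s argument, so its
 * directives are copied literally instead of being interpreted.
 * Returns 1 when the line survives verbatim in the formatted output. */
int safe_log_keeps_literal(const char *line) {
    char buf[256];
    int n = snprintf(buf, sizeof buf, "racoon: config: %s", line);
    return n > 0 && (size_t)n < sizeof buf && strstr(buf, line) != NULL;
}

int main(void) {
    printf("directives in sample line: %d\n", count_format_directives(SAMPLE_LINE));
    printf("safe logging keeps literal: %d\n", safe_log_keeps_literal(SAMPLE_LINE));
    return 0;
}
```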
For more info, visit his blog in the source link.
Pod2G is currently working on the untethered jailbreak for iPhone 4S and iPad 2 and hasn't provided any update on it.
- source: pod2g's blog