December 29, 2024

Pod2g Posts Details on How Corona Untethered Jailbreak Works

Posted January 2, 2012 at 8:41pm by iClarified · 35381 views
Pod2g has posted some details on how the Corona untethered jailbreak works.

In a new post on his blog, pod2g notes that Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0 so Corona had to do it another way.

For Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I searched for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code ! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.

Now you got it, Corona is an anagram of racoon :-) .


Pod2g notes that the the ROP exploit payload triggers a kernel exploit that relies on an HFS heap overflow bug he found earlier.

I don't know exactly what happens in the kernel code, I never figured it out exactly, I found it by fuzzing the HFS btree parser. I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject.

Read More