Watch the 'Dream Team' of iPhone hackers detail the Absinthe Jailbreak at HITB2012 in this video posted by the conference.
---
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an 'include' command into the configuration to load commands from an outside controllable source that also conforms to racoon's sandbox restrictions. Only one file was located that is allowed by racoon's sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since dynamic linker cache slide is only updated once every reboot, using an otherwise useless NULL pointer dereference bug and the ability to read crashreports off the device allowed easy calculation for input to @pod2g ROP generation code.
Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by sandbox and get it to do our bidding. Some mach ninja from @planetbeing allowed us to inject data reliable onto another process's stack and using debugging apis we were able to jump into crafted ROP payload within that process which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
---
If you missed their presentation on the Corona jailbreak you can check it out here.
Read More
---
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an 'include' command into the configuration to load commands from an outside controllable source that also conforms to racoon's sandbox restrictions. Only one file was located that is allowed by racoon's sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since dynamic linker cache slide is only updated once every reboot, using an otherwise useless NULL pointer dereference bug and the ability to read crashreports off the device allowed easy calculation for input to @pod2g ROP generation code.
Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by sandbox and get it to do our bidding. Some mach ninja from @planetbeing allowed us to inject data reliable onto another process's stack and using debugging apis we were able to jump into crafted ROP payload within that process which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
---
If you missed their presentation on the Corona jailbreak you can check it out here.
Read More