Slide 1
Slide 1
Slide 1
Slide 1
Slide 1
Slide 1

PRESENTATION MATERIALS

PHOTOS / VIDEOS

Official conference photos and HD videos will be made available in the next 2-3 weeks. Please follow @hitbsecconf on Twitter for links or join our Facebook Group

Joshua Hill (@p0sixninja), Cyril (@pod2g) & Nikias Bassen (@pimskeks)

PRESENTATION TITLE: Part 1: Corona Jailbreak for iOS 5.0.1

PRESENTATION ABSTRACT:

GreenPois0n Absinthe was built upon @pod2g’s Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.

Corona is an acronym for “racoon”, which is the primary victim for this attack. A format string vulnerability was located in racoon’s error handling routines, allowing the researchers to write arbitrary data to racoon’s stack, one byte at a time, if they can control racoon’s configuration file. Using this technique researchers were able to build a ROP payload on racoon’s stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.

The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad2 and iPhone 4S, which weren’t exploitable to LimeRa1n, so another injection vector was needed.

ABOUT JOSHUA HILL (@p0sixninja)

Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.

ABOUT CYRIL (@pod2g)

Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He’s a member of Chronic-Dev Team and the original author the of Corona untether jailbreak.

ABOUT NIKIAS BASSEN (@pimskeks)

Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped creating Absinthe.

Okura Hotel Amsterdam
Ferdinand Bolstraat 333, 1072 LH Amsterdam,
The Netherlands

1-Day Intensive Training Sessions – 21st of May / 0900 – 1800

 

SPECIAL OPS 1  - WIRELESS SECURITY KUNGF00

SPECIAL OPS 2  – THE ART OF EXPLOITING SQL INJECTION FLAWS

SPECIAL OPS 3 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE



2-Day Hands on Training Sessions – 22nd – 23rd of May / 0900 – 1800

TECH TRAINING 1  – HUNTING WEB ATTACKERS

TECH TRAINING 2  – ADVANCED LINUX EXPLOITATION METHODS

TECH TRAINING 3  - ADVANCED APPLICATION HACKING – ATTACKS, EXPLOITS & DEFENSE

 

 



3-Day Hands on Training Sessions – 21st, 22nd & 23rd of May / 0900 – 1800

TECH TRAINING 4  – THE EXPLOIT LABORATORY: ADVANCED EDITION




QUAD TRACK CONFERENCE – 24th & 25th of May / 0900 – 1800

Featuring keynotes by BRUCE SCHNEIER and ANDY ELLIS



EVENT ORGANIZER

LOCAL PARTNER

PLATINUM SPONSORS

GOLD SPONSORS

TITANIUM SPONSOR (POST CONFERENCE RECEPTION + SPEAKER RECEPTION)

SILVER SPONSOR

HACKWEEKDAY SPONSOR

ALCO_PWN SPONSOR (POST CONFERENCE RECEPTION)

HITB LAB / SIGINT SPONSOR

NETWORK SPONSORS AND UPLINK

ADDITIONAL SUPPORT BY

SUPPORTING MEDIA

FRIENDS OF HITB

Copyright © 2012 Hack In The Box | http://www.hackinthebox.org

<<
( / 10 )
>>