Joshua Hill (@p0sixninja), Cyril (@pod2g), David Wang (@planetbeing) & Nikias Bassen (@pimskeks)
PRESENTATION TITLE: Part 2: Absinthe Jailbreak for iOS 5.0.1
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an ‘include’ command into the configuration to load commands from an outside controllable source that also conforms to racoon’s sandbox restrictions. Only one file was located that is allowed by racoon’s sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we had found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. The ASLR bypass was trivial: since the dynamic linker cache slide is only updated once per reboot, an otherwise useless NULL pointer dereference bug, combined with the ability to read crash reports off the device, allowed easy calculation of the slide as input to @pod2g's ROP generation code.
The sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by the sandbox and get it to do our bidding. Some mach ninja work from @planetbeing allowed us to reliably inject data onto another process's stack, and using the debugging APIs we were able to jump into a crafted ROP payload within that process. That payload then used launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to mount our rogue HFS image and perform the final kernel exploit hassle-free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
ABOUT JOSHUA HILL (@p0sixninja)
Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.
ABOUT CYRIL (@pod2g)
Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He's a member of the Chronic-Dev Team and the original author of the Corona untether jailbreak.
ABOUT DAVID WANG (@planetbeing)
David Wang (@planetbeing) is a member of the iPhone Dev Team and former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices.
ABOUT NIKIAS BASSEN (@pimskeks)
Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped in creating Absinthe.
Okura Hotel Amsterdam
Ferdinand Bolstraat 333, 1072 LH Amsterdam,