The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

HFS Heap Overflow

From The iPhone Wiki
Revision as of 08:08, 10 February 2012 by JonathanSeals (talk | contribs) (References)
Jump to: navigation, search

By fuzzing the HFS btree parser, a heap overflow in the zone allocator was found. Mounting a clean, overflowed and payload images in a Heap Feng Shui way worked. The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent, replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 6 bytes) are trashed in the operation because the HFS protocol needed to be respected. So these bytes are restored as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it. The kernel exploit just patches the kernel security features, as usual.

Credit

  • pod2g for finding the vulnerability and writing the exploit
  • i0n1c for his papers on Heap Feng Shui

References

Apple-logo.png This article is a "stub", an incomplete page. Please add more content to this article and remove this tag.
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=HFS_Heap_Overflow&oldid=24534"