Difference between revisions of "IOSurface Kernel Exploit"
Latest revision as of 20:22, 9 July 2011

This vulnerability (CVE-2010-2973, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973), along with the Malformed CFF Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffer overflow in IOCoreSurfaceRoot, the kernel extension that manages pixel buffers (http://iphonedevwiki.net/index.php/IOCoreSurfaceRoot), and it was used to gain root privileges.

Credit
comex

Exploit
Selector 19 was vulnerable to a buffer overflow that allowed access to the root filesystem without making the kernel fail its signature check.
Selector | Action | Input | Output |
---|---|---|---|
0 | lookupFromMachPort | - | 1,208 bytes of stuff |
1 | release | IOSurfaceID surfaceID | - |
2 | lock | struct IOSurfaceLockArg | 1,208 bytes of stuff |
3 | unlock | struct IOSurfaceLockArg | struct IOSurfaceLockSeedArg |
4 | lockPlane | struct IOSurfaceLockArg | 1,208 bytes of stuff |
5 | unlockPlane | struct IOSurfaceLockArg | struct IOSurfaceLockSeedArg |
6 | lookup | void* ??? | 1,208 bytes of stuff |
7 | setYCbCrMatrix | IOSurfaceID surfaceID, uint32_t YCbCrMatrix | - |
8 | wrapClientImage | 28 bytes of stuff | 1,208 bytes of stuff |
9 | wrapClientMemory | void* param0, void* param1 | 1,208 bytes of stuff |
10 | getYCbCrMatrix | IOSurfaceID surfaceID | uint32_t YCbCrMatrix |
11 | setValue | ? | - |
12 | getValueMethod | ? | ? |
13 | kIOSurfaceMethodRemoveValue | ? | - |
14 | bindAccel | IOSurfaceID surfaceID, void* unknown0, void* unknown4 | - |
15 | bindAccelOnPlane | IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex | - |
16 | readLimits | - | 20 bytes of stuff |
17 | kIOSurfaceMethodIncrementUseCount | IOSurfaceID surfaceID | - |
18 | kIOSurfaceMethodDecrementUseCount | IOSurfaceID surfaceID | - |
19 | ? | void* ??? | void* ??? |
20 | setSurfaceNotify | 24 bytes of stuff | - |
21 | removeSurfaceNotify | 24 bytes of stuff | - |
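The table above is a list of IOKit external methods: each selector takes a caller-supplied input buffer and length and fills a caller-supplied output buffer. The bug class behind this exploit is a handler that copies on the strength of a length it did not check. As an added illustration (not code from the wiki, from comex's exploit, or from Apple's IOSurface kext), here is a hypothetical C model of the defensive pattern that stops it: a method table in which every selector declares the exact sizes it accepts, enforced by the dispatcher before any handler touches the buffers. The sizes for selectors 16, 20 and 21 are taken from the table on this page; the handler bodies, function names and error codes are assumptions, and selector 19, whose name the page does not give, is deliberately left unimplemented.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical model (not IOSurface's or XNU's code) of an IOKit-style
 * external-method table. Each selector declares the exact input and output
 * sizes it accepts; the dispatcher rejects any request whose sizes do not
 * match, so a handler never sees a length it did not expect.
 */

#define VAR_SIZE SIZE_MAX            /* selector accepts variable-length data */

typedef int (*method_fn)(const void *in, size_t in_len, void *out, size_t out_len);

struct ext_method {
    const char *name;
    size_t      in_len;              /* exact input size, or VAR_SIZE */
    size_t      out_len;             /* exact output size, or VAR_SIZE */
    method_fn   fn;                  /* NULL = selector not implemented */
};

enum {
    DISPATCH_OK         =  0,
    ERR_BAD_SELECTOR    = -1,
    ERR_BAD_INPUT_SIZE  = -2,
    ERR_BAD_OUTPUT_SIZE = -3
};

/* Toy handler for selectors 20/21: consumes a 24-byte notification record.
 * A handler written like this is only safe because dispatch() has already
 * enforced in_len == 24; copying an unchecked caller length into a fixed
 * 24-byte buffer is exactly the overflow pattern this page describes. */
static int notify_record_handler(const void *in, size_t in_len, void *out, size_t out_len)
{
    uint8_t record[24];
    (void)out; (void)out_len;
    memcpy(record, in, in_len);
    return record[0] == 0xFF ? ERR_BAD_INPUT_SIZE : DISPATCH_OK; /* assumed: 0xFF marks an invalid record */
}

/* Toy handler for selector 16: fills a 20-byte limits record. */
static int read_limits_handler(const void *in, size_t in_len, void *out, size_t out_len)
{
    (void)in; (void)in_len;
    memset(out, 0, out_len);         /* dispatch() enforced out_len == 20 */
    return DISPATCH_OK;
}

/* Sizes for 16, 20 and 21 come from the selector table on this page; every
 * other selector is left unimplemented (fn == NULL) in this model. */
static const struct ext_method methods[22] = {
    [16] = { "readLimits",           0, 20, read_limits_handler },
    [20] = { "setSurfaceNotify",    24,  0, notify_record_handler },
    [21] = { "removeSurfaceNotify", 24,  0, notify_record_handler },
};

/* Hardened dispatcher: validate the selector and both sizes, then call. */
int dispatch(uint32_t selector, const void *in, size_t in_len,
             void *out, size_t out_len)
{
    if (selector >= sizeof methods / sizeof methods[0] || methods[selector].fn == NULL)
        return ERR_BAD_SELECTOR;
    const struct ext_method *m = &methods[selector];
    if (m->in_len != VAR_SIZE && in_len != m->in_len)
        return ERR_BAD_INPUT_SIZE;
    if (m->out_len != VAR_SIZE && out_len != m->out_len)
        return ERR_BAD_OUTPUT_SIZE;
    return m->fn(in, in_len, out, out_len);
}

int main(void)
{
    uint8_t in[64] = {0}, out[64];
    printf("sel 20, 24-byte input:  %d\n", dispatch(20, in, 24, NULL, 0));   /* 0  */
    printf("sel 20, 64-byte input:  %d\n", dispatch(20, in, 64, NULL, 0));   /* -2 */
    printf("sel 16, 20-byte output: %d\n", dispatch(16, NULL, 0, out, 20));  /* 0  */
    printf("sel 16, 64-byte output: %d\n", dispatch(16, NULL, 0, out, 64));  /* -3 */
    printf("sel 19 (unimplemented): %d\n", dispatch(19, in, 4, out, 4));     /* -1 */
    return 0;
}
```

The point of the table-driven shape is that the size check lives in one place and is applied to every selector, so adding a new method without declaring its sizes fails closed instead of silently trusting the caller.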