Difference between revisions of "Timezone Vulnerability"

From The iPhone Wiki
Jump to: navigation, search
m (Http moved page Malformed PairRequest to Timezone Vulnerability without leaving a redirect: there seems to be no malformed PairRequest)
(Total rewrite based on new information from HITB talk)
Line 1: Line 1:
  +
There is a flaw in [[lockdownd]]:
According the the Accuvant Labs analysis, sending [[lockdownd]] a malformed [[PairRequest]] command causes [[lockdownd]] to change the permissions like <code>chmod 777 file</code> making it accessible to mobile (and all users). It isn't clear whether this vulnerability is in [[lockdownd]] or in an underlying library or framework, so more analysis of this vulnerability is necessary.
 
  +
MOVW R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
  +
MOVW R1, #0x1FF ; mode_t -> 0777
  +
MOVT.W R0, #4
  +
ADD R0, PC ; char *
  +
BLX _chmod
   
  +
This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list to make it relaunch (another probably non-exploitable vulnerability) causes it to perform the actual permission change on any file.
This vulnerability (or together with [[Symbolic Link Vulnerability]]?) is CVE-2013-0979.
 
   
Apple's description in the iOS 6.1.3 security fixes:
+
This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this:
   
 
<cite>
 
<cite>
Line 10: Line 15:
 
Description: When restoring from backup, [[lockdownd]] changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
 
Description: When restoring from backup, [[lockdownd]] changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
 
</cite>
 
</cite>
  +
__NOTOC__
 
 
== Usage ==
 
== Usage ==
 
* [[evasi0n|evasi0n jailbreak]]
 
* [[evasi0n|evasi0n jailbreak]]
Line 21: Line 26:
   
 
== References ==
 
== References ==
  +
* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013]
 
* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n]
 
* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n]
 
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes]
 
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes]

Revision as of 09:22, 15 April 2013

There is a flaw in lockdownd:

MOVW   R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
MOVW   R1, #0x1FF                     ; mode_t -> 0777
MOVT.W R0, #4
ADD    R0, PC                         ; char *
BLX    _chmod

This means chmod("/private/var/db/timezone",0777) without any further checks and is executed on every launch. By setting a symbolic link on /var/db/timezone though MobileBackup and pointing the symlink to any other file and crashing lockdownd by sending it a malformed property list to make it relaunch (another probably non-exploitable vulnerability) causes it to perform the actual permission change on any file.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.

Usage

Credits

See Also

References