|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak Exploits"
m (→Pangu (7.1 / 7.1.1 / 7.1.2): copy/paste fail) |
(more exploit description updates) |
||
| Line 166: | Line 166: | ||
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0) |
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0) |
||
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}}) |
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}}) |
||
| − | * mach_port_kobject |
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}}) |
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}}) |
||
* "syslogd chown" vulnerability |
* "syslogd chown" vulnerability |
||
| Line 182: | Line 182: | ||
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking) |
||
* a sandboxing problem in debugserver ({{cve|2014-4457}}) |
* a sandboxing problem in debugserver ({{cve|2014-4457}}) |
||
| + | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
||
| − | * the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) |
||
| + | * the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) |
||
* enable-dylibs-to-override-cache |
* enable-dylibs-to-override-cache |
||
* a new ovelapping segment attack ({{cve|2014-4455}}) |
* a new ovelapping segment attack ({{cve|2014-4455}}) |
||
| Line 190: | Line 191: | ||
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com]) |
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com]) |
||
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem |
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem |
||
| − | * [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/ |
+ | * [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache |
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load |
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load |
||
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative) |
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative) |
||
| − | * enable-dylibs-to-override-cache - |
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache) |
* MobileStorageMounter exploit ({{cve|2015-1062}}) |
* MobileStorageMounter exploit ({{cve|2015-1062}}) |
||
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}}) |
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}}) |
||
| Line 200: | Line 201: | ||
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses |
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses |
||
| − | * mach_port_kobject exploit |
+ | * mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects |
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory |
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory |
||
=== [[TaiG]] (8.1.3 / 8.2 / 8.3) === |
=== [[TaiG]] (8.1.3 / 8.2 / 8.3) === |
||
| − | * [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI |
+ | * [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI |
| − | * enable-dylibs-to-override-cache - |
+ | * enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis) |
* (rest currently unknown) |
* (rest currently unknown) |
||
Revision as of 19:35, 26 June 2015
This page lists the exploits used in jailbreaks.
Contents
- 1 Common exploits which are used in order to jailbreak different versions of iOS
- 2 Programs which are used in order to jailbreak different versions of iOS
- 3 Programs which are used in order to jailbreak 1.x
- 4 Programs which are used in order to jailbreak 2.x
- 5 Programs which are used in order to jailbreak 3.x
- 6 Programs which are used in order to jailbreak 4.x
- 7 Programs which are used in order to jailbreak 5.x
- 8 Programs which are used in order to jailbreak 6.x
- 9 Programs which are used in order to jailbreak 7.x
- 10 Programs which are used in order to jailbreak 8.x
Common exploits which are used in order to jailbreak different versions of iOS
- Pwnage + Pwnage 2.0 (together to jailbreak the iPhone 3G)
- ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
- 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; another exploit as the limera1n Exploit is required)
- limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
- usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch 2G)
Programs which are used in order to jailbreak different versions of iOS
PwnageTool (2.0 - 5.1.1)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 5.1.1
redsn0w (3.0 - 6.0)
- uses different common exploits
- uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
- uses the exploits listed below to untether up to iOS 5.1.1
sn0wbreeze (3.1.3 - 6.1.3)
- uses different common exploits
- uses the exploits listed below to untether up to iOS 6.1.2
Programs which are used in order to jailbreak 1.x
AppTapp Installer (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp-command exploit
iBrickr (1.0 / 1.0.1 / 1.0.2)
- iBoot
cp-command exploit
AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)
- libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)
OktoPrep (1.1.2)
"Upgrade" to 1.1.2 from a jailborken 1.1.1
Soft Upgrade (1.1.3)
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2
ZiPhone (1.1.3 / 1.1.4 /1.1.5)
iLiberty / iLiberty+ (1.1.3 / 1.1.4 /1.1.5)
Programs which are used in order to jailbreak 2.x
QuickPwn (2.0 - 2.2.1)
- uses Pwnage and Pwnage 2.0
Redsn0w Lite (2.1.1)
- ARM7 Go (for iPod touch 2G only)
Programs which are used in order to jailbreak 3.x
purplera1n (3.0)
blackra1n (3.1.2)
Spirit (3.1.2 / 3.1.3 / 3.2)
JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / greenpois0n (3.2.2)
- uses different common exploits
- Packet Filter Kernel Exploit
Programs which are used in order to jailbreak 4.x
JailbreakMe 2.0 / Star (4.0 / 4.0.1)
- Malformed CFF Vulnerability (CVE-2010-1797)
- Incomplete Codesign Exploit
- IOSurface Kernel Exploit (CVE-2010-2973)
limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.1)
- uses different common exploits
- Packet Filter Kernel Exploit
greenpois0n (4.2.1)
- uses different common exploits
- HFS Legacy Volume Name Stack Buffer Overflow
JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)
JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)
Except for the iPod touch 3G on iOS 4.3.1.
- T1 Font Integer Overflow (CVE-2011-0226)
- IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)
i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)
used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3
Programs which are used in order to jailbreak 5.x
unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)
Except for the iPad 3
- MobileBackup2 Copy Exploit
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- AMFID code signing evasion (CVE-2013-0977)
- launchd.conf untether
- Timezone Vulnerability
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Corona Untether (5.0.1)
- Racoon String Format Overflow Exploit (CVE-2012-0646)
- HFS Heap Overflow (CVE-2012-0642)
- unknown exploit (CVE-2012-0643)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
- MobileBackup2 Copy Exploit
Programs which are used in order to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- Symbolic Link Vulnerability (CVE-2013-0979)
- Timezone Vulnerability
- Shebang Trick (CVE-2013-5154)
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
- ARM Exception Vector Info Leak (CVE-2013-0978)
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
- Overlapping Segment Attack (CVE-2013-0977)
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Programs which are used in order to jailbreak 7.x
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
- Symbolic Link Vulnerability (CVE-2013-5133)
- AMFID_code_signing_evasi0n7 (CVE-2014-1273)
- CrashHouseKeeping chmod vulnarability (CVE-2014-1272)
- ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)
Geeksn0w (7.1 / 7.1.1 / 7.1.2)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
- AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOSharedDataQueue notification port overwrite (CVE-2014-4461)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Programs which are used in order to jailbreak 8.x
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache
- a new ovelapping segment attack (CVE-2014-4455)
- Mach-O OSBundleHeaders info leak (CVE-2014-4491)
TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)
(See also details at newosxbook.com)
- A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
- DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
- A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
- libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
- MobileStorageMounter exploit (CVE-2015-1062)
- Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:
- Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
- mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
- IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory
TaiG (8.1.3 / 8.2 / 8.3)
- DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
- enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
- (rest currently unknown)
