Difference between revisions of "Posix spawn kernel information leak"

From The iPhone Wiki
(Links)
m (Remove bold headings; typo fix)
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Vulnerability used in [[p0sixspwn]]
+
A vulnerability used in [[p0sixspwn]].
   
== '''Vulnerability Part 1''' ==
+
== Vulnerability Part 1 ==
   
There is an information leak vulnerabilty, which can be exploited to retrieve leaked bytes from the kernel heap. If you carefully craft the data's size, you can leak bytes from the heap using a ''PSFA_OPEN'' file action. The Size is crafted so that the beginning of the file name is within the buffer and the rest is taken in the heap, then you can use ''fcntl(F_GETPATH)'' to get the leaked bytes.
+
There is an information leak vulnerability, which can be exploited to retrieve leaked bytes from the kernel heap. If you carefully craft the data's size, you can leak bytes from the heap using a ''PSFA_OPEN'' file action. The Size is crafted so that the beginning of the file name is within the buffer and the rest is taken in the heap, then you can use ''fcntl(F_GETPATH)'' to get the leaked bytes.
   
== '''Vulnerability Part 2''' ==
+
== Vulnerability Part 2 ==
   
The ''posix_spawn()'' vulnerability isn't just a way to leak memory, this is also a race condition exploit, but you need a way to re-read the memory, and then write outside the buffer, then finaally you need to sync with a secondary thread via file locking. Like this ''open(..., O_EXLOCK )''. The p0sixspwn jailbreak also utilizes another exploit to change the ''fd_ofileflags'' relocation path.
+
The ''posix_spawn()'' vulnerability isn't just a way to leak memory, this is also a race condition exploit, but you need a way to re-read the memory, and then write outside the buffer, then finally you need to sync with a secondary thread via file locking. Like this ''open(..., O_EXLOCK )''. The p0sixspwn jailbreak also utilizes another exploit to change the ''fd_ofileflags'' relocation path.
   
== '''Credit''' ==
+
== Credit ==
   
 
[[I0n1c]]
 
[[I0n1c]]
   
== '''Links''' ==
+
== Links ==
   
[http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf Writeup by i0n1c p. 20 ff.]
+
* [http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf Writeup by i0n1c p. 20 ff.]
[http://conference.hitb.org/hitbsecconf2013kul/materials/D2T2%20-%20Stefan%20Esser%20-%20Tales%20from%20iOS%206%20Exploitation%20and%20iOS%207%20Security%20Changes.pdf i0n1c's writeup]
+
* [http://conference.hitb.org/hitbsecconf2013kul/materials/D2T2%20-%20Stefan%20Esser%20-%20Tales%20from%20iOS%206%20Exploitation%20and%20iOS%207%20Security%20Changes.pdf i0n1c's writeup]
  +
  +
[[Category:Exploits]]
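Review bot: the copy-edit fixes "vulnerabilty" and "finaally" but leaves "The Size is crafted" with a stray capital S and keeps both the Part 1 and Part 2 paragraphs as run-on sentences; suggest splitting Part 1 at "then you can use ''fcntl(F_GETPATH)''" and turning the fragment "Like this ''open(..., O_EXLOCK )''." (note the stray space before the closing paren) into a clause of the preceding sentence, e.g. "for example ''open(..., O_EXLOCK)''". The Credit link [[I0n1c]] is also capitalized differently from the "i0n1c" used in the Links list.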

Latest revision as of 00:34, 24 January 2016

A vulnerability used in p0sixspwn.

== Vulnerability Part 1 ==

There is an information leak vulnerability which can be exploited to retrieve leaked bytes from the kernel heap. If you carefully craft the data's size, you can leak bytes from the heap using a PSFA_OPEN file action: the size is crafted so that the beginning of the file name is within the buffer and the rest is taken from the heap, and fcntl(F_GETPATH) then returns the leaked bytes.
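To make the Part 1 condition concrete, here is an added C model (my own illustration, not XNU or p0sixspwn code) of a file-actions blob whose declared size ends before the open action's path is NUL-terminated: a bounded check rejects the blob, while the unchecked strlen() pattern reads on into the bytes that follow it, which is what F_GETPATH would then hand back. The byte layout, the MODEL_OPEN_ACTION value and the sample blob are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_OPEN_ACTION 1  /* stands in for PSFA_OPEN; hypothetical value */
#define SAMPLE_MEM 32
/* Assumed model layout: blob[0] = type, blob[1] = path offset, then the path. */

/* Hardened pattern: the NUL must lie within the declared size, else reject. */
int checked_path_len(const uint8_t *blob, size_t blob_len, size_t *out_len)
{
    if (blob_len < 2 || blob[0] != MODEL_OPEN_ACTION) return -1;
    if (blob[1] < 2 || blob[1] >= blob_len) return -1;
    const uint8_t *p = blob + blob[1];
    const uint8_t *nul = memchr(p, '\0', blob_len - blob[1]);
    if (nul == NULL) return -1;   /* path spills past the blob */
    *out_len = (size_t)(nul - p);
    return 0;
}

/* Constructed sample: 2-byte header plus "/tmp/x"; bytes after the blob are
 * 'H' to stand in for adjacent heap contents (the final NUL only keeps the
 * model's strlen() inside this array). */
static void build_sample(uint8_t *mem, int terminated)
{
    memset(mem, 'H', SAMPLE_MEM);
    mem[SAMPLE_MEM - 1] = '\0';
    mem[0] = MODEL_OPEN_ACTION;
    mem[1] = 2;
    memcpy(mem + 2, "/tmp/x", 6);
    if (terminated) mem[8] = '\0';
}

/* Declared size 9 includes the NUL; declared size 8 ends mid-path.
 * Returns the path length the check accepted, or -1 when it rejected. */
long demo_checked(int terminated)
{
    uint8_t mem[SAMPLE_MEM];
    size_t len = 0;
    build_sample(mem, terminated);
    return checked_path_len(mem, terminated ? 9 : 8, &len) ? -1 : (long)len;
}

/* Vulnerable pattern on the cut-off blob: strlen() trusts the path to end
 * inside the blob and instead reports 6 path bytes + 23 bytes of "heap". */
size_t demo_spilled_len(void)
{
    uint8_t mem[SAMPLE_MEM];
    build_sample(mem, 0);
    return strlen((const char *)mem + mem[1]);
}
```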

== Vulnerability Part 2 ==

The posix_spawn() vulnerability isn't just a way to leak memory; it is also a race condition exploit, but you need a way to re-read the memory, then write outside the buffer, and finally sync with a secondary thread via file locking, for example open(..., O_EXLOCK). The p0sixspwn jailbreak also utilizes another exploit to change the fd_ofileflags relocation path.

== Credit ==

I0n1c

== Links ==