Difference between revisions of "Jailbreak Exploits"

This page lists the exploits used in jailbreaks.

Common exploits

These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

• Pwnage + Pwnage 2.0 (together to jailbreak the iPhone, iPod touch (1st generation), and iPhone 3G)
• ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
• 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom and iPod touch 2G with old bootrom; another exploit as the limera1n Exploit is required)
• limera1n Exploit (for tethered jailbreak on iPhone 3GS, iPod touch 3G, iPad, iPhone 4, iPod touch 4G and Apple TV 2G)
• usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch 2G)

Jailbreak Programs

PwnageTool (2.0 - 5.1.1)

• uses different common exploits
• uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

• uses different common exploits
• uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
• uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

• uses different common exploits
• uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

• iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

• iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

• libtiff exploit (Adapted from the PSP scene, used by JailbreakMe) (CVE-2006-3459)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailborken 1.1.1

• mknod

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 /1.1.5)

• Ramdisk Hack

iLiberty / iLiberty+ (1.1.3 / 1.1.4 /1.1.5)

Programs used to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

• uses Pwnage and Pwnage 2.0

Redsn0w Lite (2.1.1)

• ARM7 Go (for iPod touch 2G only)

Programs used to jailbreak 3.x

purplera1n (3.0)

• iBoot Environment Variable Overflow (CVE-2009-2795)
• uses 0x24000 Segment Overflow

blackra1n (3.1.2)

• usb_control_msg(0x21, 2) Exploit (CVE-2010-0038)
• uses 0x24000 Segment Overflow

Spirit (3.1.2 / 3.1.3 / 3.2)

• MobileBackup Copy Exploit
• Incomplete Codesign Exploit
• BPF_STX Kernel Write Exploit

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

• Malformed CFF Vulnerability (CVE-2010-1797)
• Incomplete Codesign Exploit
• IOSurface Kernel Exploit (CVE-2010-2973)

limera1n / greenpois0n (3.2.2)

• uses different common exploits
• Packet Filter Kernel Exploit

Programs used to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

• Malformed CFF Vulnerability (CVE-2010-1797)
• Incomplete Codesign Exploit
• IOSurface Kernel Exploit (CVE-2010-2973)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

• uses different common exploits
• Packet Filter Kernel Exploit

greenpois0n (4.1)

• uses different common exploits
• Packet Filter Kernel Exploit

greenpois0n (4.2.1)

• uses different common exploits
• HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

• T1 Font Integer Overflow (CVE-2011-0226)
• HFS Legacy Volume Name Stack Buffer Overflow

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

• T1 Font Integer Overflow (CVE-2011-0226)
• IOMobileFrameBuffer Privilege Escalation Exploit (CVE-2011-0227)

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

• ndrv_setspec() Integer Overflow

Programs used to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

• MobileBackup2 Copy Exploit
• a new Packet Filter Kernel Exploit (CVE-2012-3728)
• AMFID code signing evasion (CVE-2013-0977)
• launchd.conf untether
• Timezone Vulnerability

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

• Racoon String Format Overflow Exploit (CVE-2012-0646) (used both for payload injection and untether)
• HFS Heap Overflow (CVE-2012-0642)
• unknown exploit (CVE-2012-0643)

Corona Untether (5.0.1)

• Racoon String Format Overflow Exploit (CVE-2012-0646)
• HFS Heap Overflow (CVE-2012-0642)
• unknown exploit (CVE-2012-0643)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

• a new Packet Filter Kernel Exploit (CVE-2012-3728)
• Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
• MobileBackup2 Copy Exploit

Programs used to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

• Symbolic Link Vulnerability (CVE-2013-0979)
• Timezone Vulnerability
• Shebang Trick (CVE-2013-5154)
• AMFID code signing evasion
• launchd.conf untether
• IOUSBDeviceFamily Vulnerability (CVE-2013-0981)
• ARM Exception Vector Info Leak (CVE-2013-0978)
• dynamic memmove() locating
• vm_map_copy_t corruption for arbitrary memory disclosure
• kernel memory write via ROP gadget
• Overlapping Segment Attack (CVE-2013-0977)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

• posix_spawn kernel information leak (CVE-2013-3954) (by i0n1c)
• posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
• mach_msg_ool_descriptor_ts for heap shaping (CVE-2013-3953)
• AMFID_code_signing_evasi0n7 (CVE-2014-1273)
• DeveloperDiskImage race condition (by comex)
• launchd.conf untether

Programs used to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

• Symbolic Link Vulnerability (CVE-2013-5133)
• AMFID_code_signing_evasi0n7 (CVE-2014-1273)
• CrashHouseKeeping chmod vulnarability (CVE-2014-1272)
• ptmx_get_ioctl ioctl crafted call (CVE-2014-1278)

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

• limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4

Pangu (7.1 / 7.1.1 / 7.1.2)

• Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
• AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu >v1.0.0)
• break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
• mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
• IOSharedDataQueue notification port overwrite (CVE-2014-4461)
• "syslogd chown" vulnerability
• enterprise certificate (no real exploit, used for initial "unsigned" code execution)
• "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
• /tmp/bigfile (a big file for improvement of the reliability of a race condition)
• VoIP backgrounding trick (used to auto restart the app)
• hidden segment attack

Programs used to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

• an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
• enterprise certificate (inside the IPA)
• a kind of dylib injection into a system process (see IPA)
• a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
• a sandboxing problem in debugserver (CVE-2014-4457)
• mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
• the same kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
• enable-dylibs-to-override-cache
• a new ovelapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at newosxbook.com)

• A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
• DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
• A new overlapping segment attack [in a modified version], dyld, (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
• libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
• enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
• MobileStorageMounter exploit (CVE-2015-1062)
• Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

• Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
• mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
• IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory

TaiG (8.1.3 / 8.2 / 8.3 / 8.4) and PPJailbreak

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)

• DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
• enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
• Symbolic linking to AFC (CVE-2015-5746)
• Backup exploit to write to protected regions of the disk (CVE-2015-5752)
• Code signing exploit (CVE-2015-3802)
• Code signing exploit (CVE-2015-3803)
• Code signing exploit (CVE-2015-3805)
• Code signing exploit (CVE-2015-3806)
• IOHIDFamily exploit (CVE-2015-5774)
• Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)

Programs used to jailbreak 9.x

Pangu9 (9.0 / 9.0.1 / 9.0.2)

• Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. (CVE-2015-7037)
• MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. (CVE-2015-7051)
• IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. (CVE-2015-6974)
• dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency (CVE-2015-7079)
• Racing KPP for some of the patches.
• AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. (CVE-2015-7055)

Pangu9 (9.1)

• unknown

Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

• IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)