Difference between revisions of "Racoon String Format Overflow Exploit"
(initial page) |
m (patch'd) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
The exploitation of the format string vulnerability is different than what was done in 2001. |
The exploitation of the format string vulnerability is different than what was done in 2001. |
||
− | For the jailbreak to be applied at boot, racoon is started by a [[launchd]] [[plist]] file, executing the command: <code>racoon -f racoon-exploit.conf</code> |
+ | For the jailbreak to be applied at boot, racoon is started by a [[launchd]] [[PList File Format|plist]] file, executing the command: <code>racoon -f racoon-exploit.conf</code> |
− | racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started |
+ | racoon-exploit.conf is a large (682KB) configuration file exploiting the format string bug to get the unsigned code started and looks like this: |
+ | sainfo address ::1 icmp6 address ::1 icmp6 { |
||
+ | my_identifier user_fqdn "%224u%402$hhn"; |
||
+ | my_identifier user_fqdn "%207u%619$hhn"; |
||
+ | my_identifier user_fqdn "%225u%402$hhn"; |
||
+ | my_identifier user_fqdn "%227u%619$hhn"; |
||
+ | my_identifier user_fqdn "%226u%402$hhn"; |
||
+ | my_identifier user_fqdn "%39u%619$hhn"; |
||
+ | ... |
||
+ | my_identifier user_fqdn "%55u%625$hhn"; |
||
+ | my_identifier user_fqdn "%214u%619$hhn"; |
||
+ | my_identifier user_fqdn "%204u%625$hhn"; |
||
+ | } |
||
The format string bug is utilized to copy the ROP bootstrap payload to the memory and to execute it by overwriting a saved LR in the racoon stack by a stack pivot gadget. |
The format string bug is utilized to copy the ROP bootstrap payload to the memory and to execute it by overwriting a saved LR in the racoon stack by a stack pivot gadget. |
||
Line 12: | Line 24: | ||
The ROP exploit payload triggers the kernel exploit (see [[HFS Heap Overflow]]). |
The ROP exploit payload triggers the kernel exploit (see [[HFS Heap Overflow]]). |
||
+ | |||
+ | The exploit wasn't patched until 13.3.1, with a CVE ID of [https://www.cve.org/CVERecord?id=CVE-2020-3840 CVE-2020-3840]. |
||
==Credit== |
==Credit== |
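Review bot: in the added sentence "The exploit wasn't patched until 13.3.1", it is the vulnerability, not the exploit, that gets patched, and the operating system is not named even though the article's lead identifies it as iOS; suggest "The vulnerability was not patched until iOS 13.3.1 (CVE-2020-3840)." so the version number is unambiguous.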
Latest revision as of 16:45, 12 July 2022
Using a fuzzer, a format string vulnerability was found in the racoon configuration parsing code. racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It ships by default with iOS and is started when you set up an IPsec connection.
The exploitation of the format string vulnerability is different from what was done in 2001.
For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command: <code>racoon -f racoon-exploit.conf</code>
racoon-exploit.conf is a large (682KB) configuration file exploiting the format string bug to get the unsigned code started, and looks like this:
 sainfo address ::1 icmp6 address ::1 icmp6 {
     my_identifier user_fqdn "%224u%402$hhn";
     my_identifier user_fqdn "%207u%619$hhn";
     my_identifier user_fqdn "%225u%402$hhn";
     my_identifier user_fqdn "%227u%619$hhn";
     my_identifier user_fqdn "%226u%402$hhn";
     my_identifier user_fqdn "%39u%619$hhn";
     ...
     my_identifier user_fqdn "%55u%625$hhn";
     my_identifier user_fqdn "%214u%619$hhn";
     my_identifier user_fqdn "%204u%625$hhn";
 }
The format string bug is used to copy the ROP bootstrap payload into memory and to execute it by overwriting a saved LR on the racoon stack with the address of a stack pivot gadget.
The ROP bootstrap payload copies the ROP exploit payload from the payload file distributed with Corona, then stack pivots to it. The idea is to leave the format strings as quickly as possible, because processing them is CPU intensive.
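The write primitive that the configuration above relies on (a <code>%&lt;width&gt;u</code> padding conversion followed by a <code>%&lt;index&gt;$hhn</code> store) can be recognised mechanically, which is what a device triage or config-auditing check would want. The following Python scanner is an added example, not code from the article or from Corona: it flags <code>my_identifier</code> strings containing %n-family directives and decodes, per string, which stack argument index would be written and with what value, assuming each padded conversion prints exactly its minimum width (an argument wider than its field would shift the count). The configuration it scans is constructed from the directives quoted on this page.

```python
import re

# Constructed racoon.conf excerpt in the shape the article quotes; the first
# three directive strings are the ones shown on the page, the last is benign.
SAMPLE_CONF = '''sainfo address ::1 icmp6 address ::1 icmp6 {
    my_identifier user_fqdn "%224u%402$hhn";
    my_identifier user_fqdn "%207u%619$hhn";
    my_identifier user_fqdn "%225u%402$hhn";
    my_identifier user_fqdn "legit.example";
}
'''

# Quoted my_identifier value, plus the directive kinds that matter here:
# "%%" is a literal percent, %<width>conv pads the output (advancing printf's
# byte counter), and %<idx>$[hh|h|l|ll]n stores that counter into argument idx.
QUOTED = re.compile(r'my_identifier\s+\S+\s+"([^"]*)"')
DIRECTIVE = re.compile(r'%%|%(\d*)([diouxXcsp])|%(\d+)\$(hh|h|ll|l)?n')
SIZE_BYTES = {'hh': 1, 'h': 2, None: 4, 'l': 4, 'll': 8}

def decode_writes(fmt):
    """Return [(arg_index, byte_width, value)] for every %n-family directive
    in fmt. Assumes each padded conversion emits exactly its width, so the
    stored value is the running output length at the point of the write."""
    writes, emitted = [], 0
    for d in DIRECTIVE.finditer(fmt):
        if d.group(0) == '%%':              # literal percent sign
            emitted += 1
        elif d.group(2):                    # printing conversion
            emitted += int(d.group(1) or 1)
        else:                               # %idx$...n write
            size = SIZE_BYTES[d.group(4)]
            writes.append((int(d.group(3)), size, emitted % (1 << (8 * size))))
    return writes

def scan_conf(conf):
    """Flag every my_identifier string carrying a %n-family directive."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = QUOTED.search(line)
        if m:
            writes = decode_writes(m.group(1))
            if writes:
                findings.append((lineno, m.group(1), writes))
    return findings

if __name__ == '__main__':
    for lineno, fmt, writes in scan_conf(SAMPLE_CONF):
        for idx, size, value in writes:
            print(f'line {lineno}: {fmt!r} stores {value:#x} ({size} byte) into stack arg {idx}')
```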
The ROP exploit payload triggers the kernel exploit (see HFS Heap Overflow).
The vulnerability was not patched until iOS 13.3.1, under the CVE ID CVE-2020-3840.
==Credit==
- pod2g for finding this vulnerability and writing a working exploit