Difference between revisions of "Malformed PairRequest"
(how lockdownd is crashed) |
m (new Accuvant blog link (thanks Britta), here also missing) |
(One intermediate revision by one other user not shown)
Line 1: | Line 1:
By sending [[lockdownd]] a malformed property list for the [[PairRequest]] command causes [[lockdownd]] to crash and restart. This is probably non-exploitable, but it is used in the [[Timezone Vulnerability]] to restart [[lockdownd]] to change file permissions. |
+ | Normally, [[lockdownd]] expects data (NSData) to be sent as the PairRequest. However, [[evasi0n]] sends a boolean (NSNumber) which causes lockdownd to crash with an Objective-C unrecognized selector error. |
− | TODO: Describe the malformed plist that is being sent and describe the bug that causes the crash. |
__NOTOC__ |
== Usage == |
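Review bot: the sentence that replaces the TODO states the type mismatch (NSData expected, NSNumber boolean sent) and the symptom (unrecognized selector), but not which NSData selector the NSNumber fails to respond to or which lockdownd routine consumes the PairRequest value, so the TODO's second half ("describe the bug that causes the crash") is only partly resolved; add the selector name or a pointer to where the Accuvant analysis documents it. The unchanged first paragraph also lacks a subject ("By sending ... causes ...") and could be fixed in the same edit.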
Line 14: | Line 15:
== References == |
* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013] |
− | * [http://blog. |
+ | * [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n] |
[[Category:Exploits]] |
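Review bot: the removed line was a truncated link ("* [http://blog.") and the replacement supplies the full Accuvant URL with a link title, which is the right fix; since the page now has two references, a few words on what each covers (the URL suggests the Accuvant post focuses on evasi0n's userland component) would help readers pick the one that documents the PairRequest crash.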
Latest revision as of 22:30, 30 December 2013
Sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but it is used in the Timezone Vulnerability to restart lockdownd so that file permissions can be changed.
Normally, lockdownd expects the PairRequest value to be data (NSData). evasi0n instead sends a boolean (NSNumber), which makes lockdownd crash with an Objective-C unrecognized selector error.
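As an added illustration (not code from the wiki, lockdownd or evasi0n), this Python sketch mirrors the type-confusion pattern above: a handler that trusts the plist value's type fails on a boolean where data is expected, while a hardened handler validates the type before using it. The dictionary layout and the "PairRequest" key are assumed for illustration only.

```python
import plistlib


class MalformedRequest(ValueError):
    """Raised when a request value does not have the expected plist type."""


# Constructed sample requests (not captured from a device). The dictionary
# layout and the "PairRequest" key are assumed for illustration only.
GOOD_REQUEST = plistlib.dumps({"Request": "Pair", "PairRequest": b"\x01\x02\x03\x04"})
MALFORMED_REQUEST = plistlib.dumps({"Request": "Pair", "PairRequest": True})
MISSING_REQUEST = plistlib.dumps({"Request": "Pair"})


def naive_handler(plist_bytes: bytes) -> str:
    """Trusts the plist: calls a bytes-only method on whatever value arrived.
    A boolean here fails like an NSNumber receiving an NSData selector."""
    request = plistlib.loads(plist_bytes)
    return request["PairRequest"].hex()


def hardened_handler(plist_bytes: bytes) -> str:
    """Validates the plist shape and the value's type before using it."""
    request = plistlib.loads(plist_bytes)
    if not isinstance(request, dict):
        raise MalformedRequest("top-level plist object must be a dictionary")
    value = request.get("PairRequest")
    # plistlib maps <data> to bytes and <true/>/<false/> to bool; bool is not
    # a bytes subclass, so this single check rejects the boolean case.
    if not isinstance(value, bytes):
        raise MalformedRequest(
            f"PairRequest must be data, got {type(value).__name__}")
    return value.hex()


def outcome(handler, plist_bytes: bytes) -> tuple:
    """Report a handler's result, a controlled rejection, or an uncaught crash."""
    try:
        return ("ok", handler(plist_bytes))
    except MalformedRequest as exc:
        return ("rejected", str(exc))
    except (AttributeError, KeyError) as exc:
        return ("crashed", str(exc))


if __name__ == "__main__":
    for name, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        print(name, "good:", outcome(handler, GOOD_REQUEST))
        print(name, "malformed:", outcome(handler, MALFORMED_REQUEST))
```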