Difference between revisions of "Malformed PairRequest"

From The iPhone Wiki
(how lockdownd is crashed)
 
m (new Accuvant blog link (thanks Britta), here also missing)
 
(One intermediate revision by one other user not shown)
Changes between the two revisions (the unchanged opening paragraph and the __NOTOC__ and [[Category:Exploits]] lines are omitted here; the full text of the latest revision follows below):

No longer present in the newer revision:
TODO: Describe the malformed plist that is being sent and describe the bug that causes the crash.

Added paragraph:
Normally, [[lockdownd]] expects data (NSData) to be sent as the PairRequest. However, [[evasi0n]] sends a boolean (NSNumber) which causes lockdownd to crash with an Objective-C unrecognized selector error.

== References ==
Unchanged:
* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013]
Removed:
* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n]
Added:
* [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n]

Latest revision as of 22:30, 30 December 2013

Sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but it is used in the Timezone Vulnerability to restart lockdownd to change file permissions.

Normally, lockdownd expects data (NSData) to be sent as the PairRequest. However, evasi0n sends a boolean (NSNumber), which causes lockdownd to crash with an Objective-C unrecognized selector error: lockdownd uses the value as an NSData object without checking its class, and NSNumber does not implement the NSData method that is called on it.
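The defensive counterpart of this bug is a type check on the deserialized plist before any value is used as data. The following is an added example, not code from The iPhone Wiki, lockdownd or evasi0n: it parses a PairRequest-style plist with Python's plistlib and rejects a request whose data fields are not actually data, instead of letting a boolean reach code that assumes NSData. The key names Request, PairRecord, DeviceCertificate, HostCertificate and RootCertificate are assumptions made for illustration; only the PairRequest command and the NSData-versus-boolean mismatch come from the page.

```python
"""Type-checking a PairRequest-style property list before its values are used.

Added example, not code from The iPhone Wiki, lockdownd or evasi0n.
The dictionary key names are assumptions made for illustration.
"""
import plistlib
from xml.parsers.expat import ExpatError

# Pair-record fields that must carry <data> (NSData). Assumed names.
DATA_FIELDS = ("DeviceCertificate", "HostCertificate", "RootCertificate")


class MalformedRequest(ValueError):
    """Raised instead of letting a wrong-typed value reach NSData-only code."""


def validate_pair_request(raw: bytes) -> dict:
    """Parse a PairRequest plist and enforce the expected value types.

    plistlib maps <data> to bytes, <true/> and <false/> to bool and
    <integer> to int, so an isinstance check against bytes plays the role
    that a class check against NSData would play before sending selectors.
    """
    try:
        plist = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise MalformedRequest(f"not a property list: {exc}") from exc
    if not isinstance(plist, dict):
        raise MalformedRequest("top-level object must be a dictionary")
    if plist.get("Request") != "PairRequest":
        raise MalformedRequest("Request is not PairRequest")
    record = plist.get("PairRecord")
    if not isinstance(record, dict):
        raise MalformedRequest("PairRecord must be a dictionary")
    for field in DATA_FIELDS:
        value = record.get(field)
        # A <true/> here fails this check: that is the boolean-for-NSData case.
        if not isinstance(value, bytes):
            raise MalformedRequest(
                f"{field} must be data (NSData), got {type(value).__name__}")
    return record


def build_request(record: dict) -> bytes:
    """Serialize a PairRequest plist (XML form) from a pair-record dict."""
    return plistlib.dumps({"Request": "PairRequest", "PairRecord": record},
                          fmt=plistlib.FMT_XML)


# Constructed sample input: a well-formed request with placeholder data.
GOOD_REQUEST = build_request({
    "DeviceCertificate": b"placeholder device certificate bytes",
    "HostCertificate": b"placeholder host certificate bytes",
    "RootCertificate": b"placeholder root certificate bytes",
})

# Constructed sample input: the same request with a boolean where data belongs.
BAD_REQUEST = build_request({
    "DeviceCertificate": True,
    "HostCertificate": b"placeholder host certificate bytes",
    "RootCertificate": b"placeholder root certificate bytes",
})


def check(raw: bytes) -> str:
    """Return 'ok' or a 'rejected: ...' message; never raise to the caller."""
    try:
        validate_pair_request(raw)
        return "ok"
    except MalformedRequest as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(check(GOOD_REQUEST))
    print(check(BAD_REQUEST))
    print(check(b"not a plist at all"))
```

The point of the example is where the check sits: every value is tested for its concrete type immediately after deserialization, so a request that swaps a boolean for data is turned into an error reply rather than a crash of the service that handles it.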


Usage

Credits

See Also

References

* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013]
* [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n]