Difference between revisions of "IOSurface Kernel Exploit"
Edit summary: (i think it is correct)

Line 1:
− This vulnerability, along with the [[Malformed_CFF_Vulnerability]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a buffers overflow in the handling of the [http://iphonedevwiki.net/index.php/IOCoreSurfaceRoot kernel-extension for managing pixel buffers]
+ This vulnerability, along with the [[Malformed_CFF_Vulnerability]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a buffers overflow in the handling of the [http://iphonedevwiki.net/index.php/IOCoreSurfaceRoot kernel-extension for managing pixel buffers] used to get root privileges.
Revision as of 12:26, 13 October 2010
This vulnerability, along with the Malformed_CFF_Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffer overflow in the handling of the kernel extension for managing pixel buffers (IOSurface), and it was used to get root privileges.
Exploit
Selector 19 was vulnerable to a buffer overflow that allows access to the root filesystem without making the kernel fail signature checks. The selectors of the IOSurface user client are listed below:
Selector | Action | Input | Output |
---|---|---|---|
0 | lookupFromMachPort | - | 1,208 bytes of stuff |
1 | release | IOSurfaceID surfaceID | - |
2 | lock | struct IOSurfaceLockArg | 1,208 bytes of stuff |
3 | unlock | struct IOSurfaceLockArg | struct IOSurfaceLockSeedArg |
4 | lockPlane | struct IOSurfaceLockArg | 1,208 bytes of stuff |
5 | unlockPlane | struct IOSurfaceLockArg | struct IOSurfaceLockSeedArg |
6 | lookup | void* ??? | 1,208 bytes of stuff |
7 | setYCbCrMatrix | IOSurfaceID surfaceID, uint32_t YCbCrMatrix | - |
8 | wrapClientImage | 28 bytes of stuff | 1,208 bytes of stuff |
9 | wrapClientMemory | void* param0, void* param1 | 1,208 bytes of stuff |
10 | getYCbCrMatrix | IOSurfaceID surfaceID | uint32_t YCbCrMatrix |
11 | setValue | ? | - |
12 | getValueMethod | ? | ? |
13 | kIOSurfaceMethodRemoveValue | ? | - |
14 | bindAccel | IOSurfaceID surfaceID, void* unknown0, void* unknown4 | - |
15 | bindAccelOnPlane | IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex | - |
16 | readLimits | - | 20 bytes of stuff |
17 | kIOSurfaceMethodIncrementUseCount | IOSurfaceID surfaceID | - |
18 | kIOSurfaceMethodDecrementUseCount | IOSurfaceID surfaceID | - |
19 | ? | void* ??? | void* ??? |
20 | setSurfaceNotify | 24 bytes of stuff | - |
21 | removeSurfaceNotify | 24 bytes of stuff | - |