Difference between revisions of "Malformed PairRequest"
(how lockdownd is crashed) |
(Explained the crash a bit) |
||
Line 1: | Line 1: | ||
By sending [[lockdownd]] a malformed property list for the [[PairRequest]] command causes [[lockdownd]] to crash and restart. This is probably non-exploitable, but it is used in the [[Timezone Vulnerability]] to restart [[lockdownd]] to change file permissions. |
By sending [[lockdownd]] a malformed property list for the [[PairRequest]] command causes [[lockdownd]] to crash and restart. This is probably non-exploitable, but it is used in the [[Timezone Vulnerability]] to restart [[lockdownd]] to change file permissions. |
||
+ | Normally, [[lockdownd]] expects data (NSData) to be sent as the PairRequest. However, [[evasi0n]] sends a boolean (NSNumber) which causes lockdownd to crash with an Objective-C unrecognized selector error. |
||
− | TODO: Describe the malformed plist that is being sent and describe the bug that causes the crash. |
||
+ | |||
__NOTOC__ |
__NOTOC__ |
||
== Usage == |
== Usage == |
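Review bot: the removed TODO asked for two things, a description of the malformed plist and a description of the bug, and the added line only covers them in outline. It says a boolean (NSNumber) arrives where data (NSData) is expected, but not which part of the PairRequest property list carries it or which selector goes unrecognized, so consider keeping a narrower TODO for those points rather than dropping it entirely. The unchanged opening sentence ("By sending [[lockdownd]] ... causes [[lockdownd]] to crash") also has no grammatical subject and could be fixed in the same edit.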
Revision as of 15:16, 6 October 2013
Sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but the Timezone Vulnerability uses it to restart lockdownd in order to change file permissions.
Normally, lockdownd expects data (NSData) to be sent as the PairRequest. However, evasi0n sends a boolean (NSNumber), which causes lockdownd to crash with an Objective-C unrecognized selector error.
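The crash described above is a type confusion: a plist value of one type is used as another without a check. As an added example (not code from lockdownd, evasi0n or this wiki), the following Python code type-checks a parsed property list against a schema before any handler uses its fields; the schema and the key names `Request`, `Version`, `Record` and `Blob` are assumptions made for illustration.

```python
import plistlib

# Hypothetical message schema (key names are assumptions for this example, not
# lockdownd's). Each leaf is the Python type plistlib yields for the expected
# plist type: <string> -> str, <integer> -> int, <data> -> bytes.
SCHEMA = {"Request": str, "Version": int, "Record": {"Blob": bytes}}


def validate(node, schema, path="$"):
    """Return a list of type errors; an empty list means every field matches."""
    if isinstance(schema, dict):
        if not isinstance(node, dict):
            return [f"{path}: expected dict, got {type(node).__name__}"]
        errors = []
        for key, sub in schema.items():
            if key not in node:
                errors.append(f"{path}.{key}: missing")
            else:
                errors.extend(validate(node[key], sub, f"{path}.{key}"))
        return errors
    # Exact type match on purpose: bool is a subclass of int in Python, so an
    # isinstance() check would accept <true/> where an <integer> is required.
    if type(node) is not schema:
        return [f"{path}: expected {schema.__name__}, got {type(node).__name__}"]
    return []


def parse_pair_request(raw):
    """Parse and type-check a message; return (message or None, errors)."""
    try:
        msg = plistlib.loads(raw)
    except Exception as exc:  # not a well-formed XML or binary plist
        return None, [f"$: not a valid plist ({exc.__class__.__name__})"]
    errors = validate(msg, SCHEMA)
    return (msg if not errors else None), errors


# Constructed samples: one well-typed, one with a boolean where data is expected.
GOOD = plistlib.dumps({"Request": "PairRequest", "Version": 1,
                       "Record": {"Blob": b"\x01\x02"}})
BAD = plistlib.dumps({"Request": "PairRequest", "Version": 1,
                      "Record": {"Blob": True}})

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, parse_pair_request(raw)[1])
```

The equivalent check in Objective-C is an `isKindOfClass:` test on each value before any message is sent to it.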