Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
m (TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2))
(Quit attributing every single kernel bug to 10n1c. Just because he whines doesn't mean he owns them all. 4491 was known before him)
Line 185: Line 185:
 
* enable-dylibs-to-override-cache
 
* enable-dylibs-to-override-cache
 
* a new ovelapping segment attack ({{cve|2014-4455}})
 
* a new ovelapping segment attack ({{cve|2014-4455}})
* i0n1c's Kernel info leak ({{cve|2014-4491}})
+
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})
   
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
 
=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
 
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
 
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
 
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
 
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
  +
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})
  +
* IOHID memory overwrite
 
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
 
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
 
* A new overlapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
 
* A new overlapping segment attack [in a modified version] ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual
+
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
 
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
 
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
 
* MobileStorageMounter exploit ({{cve|2015-1062}})
 
* MobileStorageMounter exploit ({{cve|2015-1062}})
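Review bot: the added "IOHID memory overwrite" bullet under TaiG and PPJailbreak is the only new entry in this hunk without a {{cve|...}} reference, while the page's own Kernel list for the same jailbreak attributes the IOHIDFamily memory overwrite to CVE-2014-4487; tagging it `{{cve|2014-4487}}` would keep the bullet consistent with its neighbours, or a note should say why the two entries differ. The renamed "Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})" bullet now reads identically in the Pangu8 and TaiG lists, which matches the edit summary's point that the bug is not tied to one finder, but the unchanged "ovelapping" typo in the Pangu8 segment-attack bullet is carried through both columns and could be fixed in the same pass.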

Revision as of 21:07, 15 April 2015

This page lists the exploits used in jailbreaks.

Common exploits which are used in order to jailbreak different versions of iOS

Programs which are used in order to jailbreak different versions of iOS

PwnageTool (2.0 - 5.1.1)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses different common exploits
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses different common exploits
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs which are used in order to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs which are used in order to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs which are used in order to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs which are used in order to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0n1c's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs which are used in order to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs which are used in order to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • i0n1c's Infoleak vulnerability (Pangu v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
  • LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388)
  • TempSensor kernel exploit (Pangu 1.1.0) (CVE-2014-4388)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a large file used to improve the reliability of a race condition)
  • VoIP backgrounding trick (used to auto restart the app)
  • hidden segment attack
  • IOKit crafted call maker utility (CVE-2014-4407)

Programs which are used in order to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG; visible in syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • the same/a similar kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • a new overlapping segment attack (CVE-2014-4455)
  • Mach-O OSBundleHeaders info leak (CVE-2014-4491)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at http://newosxbook.com/articles/TaiG.html)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • Mach-O OSBundleHeaders info leak (CVE-2014-4491)
  • IOHID memory overwrite
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
  • A new overlapping segment attack [in a modified version] (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
  • libmis redirection of MISValidateSignature (as per evasi0n) to kCFEqual, with an overlapping segment variant in TaiG (segment at end of file, negative)
  • enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from the filesystem, because they are both in the shared cache
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • MachOBundleHeaders - to leak kernel addresses (slid)
  • mach_port_kobject exploit - to defeat KASLR
  • IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory