Difference between revisions of "Timezone Vulnerability"

From The iPhone Wiki
(Total rewrite based on new information from HITB talk)
(mention the crashing with separate page)
Line 6: Line 6:
 
BLX _chmod
 
BLX _chmod
   
This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list to make it relaunch (another probably non-exploitable vulnerability) causes it to perform the actual permission change on any file.
+
This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list (see [[Malformed PairRequest]]) to make it relaunch causes it to perform the actual permission change on any file.
   
 
This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this:
 
This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this:
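Review bot: the typo "though [[MobileBackup]]" (should be "through [[MobileBackup]]") survives unchanged in the new version of the line; while touching this sentence it would also be worth breaking up the run-on "By setting a symbolic link ... and crashing [[lockdownd]] ... causes it to perform", e.g. "Setting a symbolic link on /var/db/timezone through [[MobileBackup]] ... and then crashing [[lockdownd]] ... causes it to perform the actual permission change on that file."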
Line 24: Line 24:
 
== See Also ==
 
== See Also ==
 
* [[Symbolic Link Vulnerability]]
 
* [[Symbolic Link Vulnerability]]
  +
* [[Malformed PairRequest]]
   
 
== References ==
 
== References ==

Revision as of 09:27, 15 April 2013

There is a flaw in lockdownd:

MOVW   R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
MOVW   R1, #0x1FF                     ; mode_t -> 0777
MOVT.W R0, #4
ADD    R0, PC                         ; char *
BLX    _chmod

This means chmod("/private/var/db/timezone",0777) is executed on every launch without any further checks. Placing a symbolic link at /var/db/timezone through MobileBackup, pointing it at any other file, and then crashing lockdownd by sending it a malformed property list (see Malformed PairRequest) so that it relaunches causes it to perform the actual permission change on that other file instead.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
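As an added illustration (not code from this wiki page or from lockdownd itself), the unchecked chmod() pattern described above is shown next to a hardened form that follows Apple's fix description, refusing the mode change when any component of the path is a symlink. The temp-dir scenario, file names and helper names (chmod_unchecked, path_has_symlink, chmod_no_symlink, run_scenario) are constructed for this example.

```c
#define _GNU_SOURCE                    /* for mkdtemp(), lstat(), symlink() */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* lockdownd's pattern as described above: chmod() on a fixed path, no checks.
 * chmod() resolves symlinks, so a planted link redirects the mode change. */
int chmod_unchecked(const char *path, mode_t mode) { return chmod(path, mode); }

/* Returns 1 if any component of path, including the final one, is a symlink. */
int path_has_symlink(const char *path) {
    char buf[PATH_MAX]; struct stat st;
    size_t len = strlen(path);
    if (len >= sizeof buf) return 1;            /* oversize: treat as unsafe */
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i <= len; i++) {
        if (buf[i] != '/' && buf[i] != '\0') continue;
        char saved = buf[i]; buf[i] = '\0';     /* truncate to this component */
        if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode)) return 1;
        buf[i] = saved;
    }
    return 0;
}

/* Hardened form matching Apple's fix description: refuse the mode change
 * when a symlink appears anywhere in the path. */
int chmod_no_symlink(const char *path, mode_t mode) {
    if (path_has_symlink(path)) { errno = ELOOP; return -1; }
    return chmod(path, mode);
}

/* Constructed scenario in a fresh temp dir: a 0600 file plus a symlink "timezone"
 * to it. Calls fn on the symlink, stores fn's result in *rc, returns the real
 * file's mode bits afterwards (-1 on setup failure). */
int run_scenario(int (*fn)(const char *, mode_t), int *rc) {
    char dir[] = "/tmp/tzdemoXXXXXX", target[PATH_MAX], link[PATH_MAX]; struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/timezone", dir);
    FILE *f = fopen(target, "w");
    if (!f || chmod(target, 0600) != 0 || symlink(target, link) != 0) return -1;
    fclose(f);
    *rc = fn(link, 0777);
    if (stat(target, &st) != 0) return -1;
    unlink(link); unlink(target); rmdir(dir);
    return (int)(st.st_mode & 0777);
}
```

With chmod_unchecked the real file ends up 0777 through the link; with chmod_no_symlink the call fails with ELOOP and the file stays 0600.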

Usage

Credits

See Also

References