|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Malformed PairRequest"
(Explained the crash a bit) |
m (new Accuvant blog link (thanks Britta), here also missing) |
||
| Line 15: | Line 15: | ||
== References == |
== References == |
||
* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013] |
* [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013] |
||
| − | * [http://blog. |
+ | * [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n] |
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Latest revision as of 22:30, 30 December 2013
By sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but it is used in the Timezone Vulnerability to restart lockdownd to change file permissions.
Normally, lockdownd expects data (NSData) to be sent as the PairRequest. However, evasi0n sends a boolean (NSNumber) which causes lockdownd to crash with an Objective-C unrecognized selector error.
