Difference between revisions of "AMFID code signing evasi0n7"

From The iPhone Wiki
(Created this page; some info might be missing)
 

Latest revision as of 08:42, 9 August 2014

The technique uses a dylib that contains no code of its own. Using text relocation, it redefines the signed code verification function as a function from another signed library that acts as a "return ok" method. This circumvents the entire code signing requirement.

In p0sixspwn, the _.dylib redefines these functions (the CoreFoundation symbol used for each is given in parentheses):

  • _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
  • _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
  • _MISValidateSignature (_CFEqual from CoreFoundation)

TODO: some more detailed description missing here.

Usage

See Also

Credit