Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
(added CVEs from `APPLE-SA-2015-01-27-1 Apple TV 7.0.3')
(template)
Line 30: Line 30:
   
 
=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
 
=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 CVE-2006-3459])
+
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})
   
 
=== [[mknod|OktoPrep]] (1.1.2) ===
 
=== [[mknod|OktoPrep]] (1.1.2) ===
Line 53: Line 53:
 
== Programs which are used in order to jailbreak 3.x ==
 
== Programs which are used in order to jailbreak 3.x ==
 
=== [[purplera1n]] (3.0) ===
 
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2795 CVE-2009-2795])
+
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
 
* uses [[0x24000 Segment Overflow]]
 
* uses [[0x24000 Segment Overflow]]
   
 
=== [[blackra1n]] (3.1.2) ===
 
=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0038 CVE-2010-0038])
+
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
 
* uses [[0x24000 Segment Overflow]]
 
* uses [[0x24000 Segment Overflow]]
   
Line 66: Line 66:
   
 
=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
 
=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797])
+
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
 
* [[Incomplete Codesign Exploit]]
 
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973])
+
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})
   
 
=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
 
=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
Line 76: Line 76:
 
== Programs which are used in order to jailbreak 4.x ==
 
== Programs which are used in order to jailbreak 4.x ==
 
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
 
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 CVE-2010-1797])
+
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
 
* [[Incomplete Codesign Exploit]]
 
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973 CVE-2010-2973])
+
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})
   
 
=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
 
=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
Line 93: Line 93:
   
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
+
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
 
* [[HFS Legacy Volume Name Stack Buffer Overflow]]
 
* [[HFS Legacy Volume Name Stack Buffer Overflow]]
   
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
 
=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
 
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
 
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226])
+
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0227 CVE-2011-0227])
+
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})
   
 
=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
 
=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
Line 109: Line 109:
 
Except for the [[iPad 3]]
 
Except for the [[iPad 3]]
 
* MobileBackup2 Copy Exploit
 
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728])
+
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977])
+
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
 
* [[launchd.conf untether]]
 
* [[launchd.conf untether]]
 
* [[Timezone Vulnerability]]
 
* [[Timezone Vulnerability]]
   
 
=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
 
=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646]) (used both for payload injection and untether)
+
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642])
+
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
  +
* unknown exploit ({{cve|2012-0643}})
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643]
 
   
 
=== [[Corona|Corona Untether]] (5.0.1) ===
 
=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0646 CVE-2012-0646])
+
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0642 CVE-2012-0642])
+
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
  +
* unknown exploit ({{cve|2012-0643}})
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0643 CVE-2012-0643]
 
   
 
=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
 
=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3728 CVE-2012-3728])
+
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3727 CVE-2012-3727])
+
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
 
* MobileBackup2 Copy Exploit
 
* MobileBackup2 Copy Exploit
   
 
== Programs which are used in order to jailbreak 6.x ==
 
== Programs which are used in order to jailbreak 6.x ==
 
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
 
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0979 CVE-2013-0979])
+
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
 
* [[Timezone Vulnerability]]
 
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5154 CVE-2013-5154])
+
* [[Shebang Trick]] ({{cve|2013-5154}})
 
* [[AMFID code signing evasion]]
 
* [[AMFID code signing evasion]]
 
* [[launchd.conf untether]]
 
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 CVE-2013-0981])
+
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0978 CVE-2013-0978])
+
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
 
* [[dynamic memmove() locating]]
 
* [[dynamic memmove() locating]]
 
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 
* [[kernel memory write via ROP gadget]]
 
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977])
+
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})
   
 
=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
 
=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
+
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3954 CVE-2013-3954]) (by [[i0n1c]])
+
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3953 CVE-2013-3953])
+
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
 
* [[AMFID_code_signing_evasi0n7]]
 
* [[AMFID_code_signing_evasi0n7]]
 
* [[DeveloperDiskImage race condition]] (by [[comex]])
 
* [[DeveloperDiskImage race condition]] (by [[comex]])
Line 154: Line 154:
 
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
 
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
 
{{Section Stub}}
 
{{Section Stub}}
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5133 CVE-2013-5133]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1272 CVE-2014-1272]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1273 CVE-2014-1273]
 
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1278 CVE-2014-1278]
 
 
* [[Symbolic Link Vulnerability]]
 
* [[Symbolic Link Vulnerability]]
  +
* unknown exploits ({{cve|2013-5133}}, {{cve|2014-1272}}, {{cve|2014-1273}}, {{cve|2014-1278}})
   
 
=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
 
=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
Line 166: Line 163:
 
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
 
* [[i0n1c]]'s Infoleak vulnerability (Pangu v1.0.0)
 
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
 
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388])
+
* LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) ({{cve|2014-4388}})
* TempSensor kernel exploit (Pangu 1.1.0) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4388 CVE-2014-4388])
+
* TempSensor kernel exploit (Pangu 1.1.0) ({{cve|2014-4388}})
 
* "syslogd chown" vulnerability
 
* "syslogd chown" vulnerability
 
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
 
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4386 CVE-2014-4386])
+
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
 
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
 
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
 
* VoIP backgrounding trick (used to auto restart the app)
 
* VoIP backgrounding trick (used to auto restart the app)
 
* hidden segment attack
 
* hidden segment attack
  +
* unknown exploit ({{cve|2014-4407}}
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4407 CVE-2014-4407]
 
   
 
== Programs which are used in order to jailbreak 8.x ==
 
== Programs which are used in order to jailbreak 8.x ==
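Review bot: the new line "* unknown exploit ({{cve|2014-4407}}" in this hunk is missing its closing parenthesis; the corresponding old line and the other "unknown exploit" entries on the page (e.g. "* unknown exploit ({{cve|2012-0643}})") close the bracket, so it should read "* unknown exploit ({{cve|2014-4407}})".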

Revision as of 19:14, 27 January 2015

This page lists the exploits used in jailbreaks.


Common exploits which are used in order to jailbreak different versions of iOS

Programs which are used in order to jailbreak different versions of iOS

PwnageTool (2.0 - 5.1.1)

  • uses various of the common exploits listed above
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses various of the common exploits listed above
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses various of the common exploits listed above
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs which are used in order to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs which are used in order to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

Redsn0w Lite (2.1.1)

Programs which are used in order to jailbreak 3.x

purplera1n (3.0)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

Programs which are used in order to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

limera1n / (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

Programs which are used in order to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs which are used in order to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

Programs which are used in order to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • i0n1c's Infoleak vulnerability (Pangu v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
  • LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0) (CVE-2014-4388)
  • TempSensor kernel exploit (Pangu 1.1.0) (CVE-2014-4388)
  • "syslogd chown" vulnerability
  • enterprise certificate (no real exploit, used for initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a large file used to improve the reliability of a race condition)
  • VoIP backgrounding trick (used to automatically restart the app)
  • hidden segment attack
  • unknown exploit (CVE-2014-4407)

Programs which are used in order to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a kind of dylib injection into a system process (see IPA)
  • a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • the same/a similar kernel exploit as used in the first Pangu (CVE-2014-4461) (source @iH8sn0w)
  • enable-dylibs-to-override-cache
  • unknown exploits (CVE-2014-4455, CVE-2014-4491)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)