Difference between revisions of "CVE-2013-0964"

From The iPhone Wiki
Latest revision as of 15:43, 18 August 2013

CVE-2013-0964 is a vulnerability in the kernel of iOS. It was initially discovered by Mark Dowd and Tarjei Mandt, who presented it at HiTB 2012 in Kuala Lumpur. The vulnerability allows userland processes to access the first page of kernel memory, because the arguments to copyin and copyout were not range-checked when the requested length was small enough (smaller than one page, per Apple's description below). Apple patched the vulnerability in iOS 6.1.

Credit

  * Mark Dowd
  * Tarjei Mandt

Apple's description

Impact: A user-mode process may be able to access the first page of kernel memory
Description: The iOS kernel has checks to validate that the user-mode pointer and length passed to the copyin and copyout functions would not result in a user-mode process being able to directly access kernel memory. The checks were not being used if the length was smaller than one page. This issue was addressed through additional validation of the arguments to copyin and copyout.
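As an added illustration of the check Apple describes (this is a constructed model, not Apple's or XNU's code): the vulnerable variant skips range validation for requests shorter than one page, the fixed variant validates every request, and a helper shows why an unchecked sub-page request can reach at most the first kernel page. The 32-bit address split (KERNEL_BASE / USER_MAX) and PAGE_SIZE are assumed values.

```c
/* Constructed model of copyin/copyout argument validation (not XNU code). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE   4096u
#define KERNEL_BASE 0x80000000u   /* assumed split; the first kernel page starts here */
#define USER_MAX    KERNEL_BASE   /* user addresses are [0, USER_MAX) */

/* [uaddr, uaddr + len) must lie entirely below USER_MAX, without wrapping. */
static bool user_range_ok(uint32_t uaddr, size_t len)
{
    if (len == 0)
        return true;
    if (len > USER_MAX)
        return false;
    return uaddr <= USER_MAX - len;   /* overflow-safe form of uaddr + len <= USER_MAX */
}

/* Pre-6.1 behaviour as the page describes it: validation is skipped for
 * requests shorter than one page. Returns 0 (allowed) or EFAULT (rejected). */
int copy_check_vulnerable(uint32_t uaddr, size_t len)
{
    if (len < PAGE_SIZE)
        return 0;                     /* the bug: no range check on short copies */
    return user_range_ok(uaddr, len) ? 0 : EFAULT;
}

/* Fixed behaviour: every request is range-checked, whatever its length. */
int copy_check_fixed(uint32_t uaddr, size_t len)
{
    return user_range_ok(uaddr, len) ? 0 : EFAULT;
}

/* Number of bytes of the request that lie at or above USER_MAX. For a request
 * starting in user space with len < PAGE_SIZE this is always below PAGE_SIZE,
 * which is why only the first kernel page was reachable via the unchecked path. */
uint32_t bytes_past_user_limit(uint32_t uaddr, size_t len)
{
    uint64_t end = (uint64_t)uaddr + len;
    return end > USER_MAX ? (uint32_t)(end - USER_MAX) : 0;
}
```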

Jailbreak

planetbeing states that he worked out a nice jailbreak for it that will never see the light of day. i0n1c responded that it is difficult to exploit in a stable way and that he would like to see a description of it.

First page of memory

The first page of kernel memory (and eDRAM) contains the sleep token. The LLB uses the sleep token to resume the system and restore its context accordingly. To jump back to the kernel, the LLB checks for the 'MOSX,SUSP' signature in the image and then calls 'jump_to' to exit the bootloader and return control to the OS.

Process

TODO: Describe copyin/copyout functions and the fix in detail.

TODO: Describe how this can get exploited in a stable way.

References

  1. Apple: iOS 6.1 Software Update (http://support.apple.com/kb/HT5642)

External Links

  * Mark Dowd & Tarjei Mandt's iOS6 presentation at HITB 2012 KUL D1T2 (http://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf)
  * Planetbeing saying he had a jailbreak for it (https://twitter.com/planetbeing/status/296050713874796544)
  * i0n1c saying it's difficult to exploit it stable (https://twitter.com/i0n1c/status/296163383357620225)
