IOSurface Kernel Exploit

From The iPhone Wiki
Revision as of 20:22, 9 July 2011 by Jacob (talk | contribs) (Added CVE (hopefully the right one) and Category)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This vulnerability, along with the Malformed CFF Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffer overflow in the handling of the kernel-extension for managing pixel buffers used to get root privileges.

Credit

comex

Exploit

Selector 19 was vulnerable to a buffer overflow that would allow access to the root filesystem without making the kernel fail signature check

Selector Action Input Output
0 lookupFromMachPort - 1,208 bytes of stuff
1 release IOSurfaceID surfaceID -
2 lock struct IOSurfaceLockArg 1,208 bytes of stuff
3 unlock struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
4 lockPlane struct IOSurfaceLockArg 1,208 bytes of stuff
5 unlockPlane struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
6 lookup void* ??? 1,208 bytes of stuff
7 setYCbCrMatrix IOSurfaceID surfaceID, uint32_t YCbCrMatrix -
8 wrapClientImage 28 bytes of stuff 1,208 bytes of stuff
9 wrapClientMemory void* param0, void* param1 1,208 bytes of stuff
10 getYCbCrMatrix IOSurfaceID surfaceID uint32_t YCbCrMatrix
11 setValue ? -
12 getValueMethod ? ?
13 kIOSurfaceMethodRemoveValue ? -
14 bindAccel IOSurfaceID surfaceID, void* unknown0, void* unknown4 -
15 bindAccelOnPlane IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex -
16 readLimits - 20 bytes of stuff.
17 kIOSurfaceMethodIncrementUseCount IOSurfaceID surfaceID -
18 kIOSurfaceMethodDecrementUseCount IOSurfaceID surfaceID -
19 ? void* ??? void* ???
20 setSurfaceNotify 24 bytes of stuff -
21 removeSurfaceNotify 24 bytes of stuff -

Sources