CVE-2013-0964

From The iPhone Wiki
Revision as of 02:16, 31 January 2013 by Http (talk | contribs) (initial page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Initially discovered by Mark Dowd and Tarjei Mandt and presented at HiTB 2012 in Kuala Lumpur, this vulnerability allows userland processes access to the first page of the kernel, because the copyin and copyout arguments were not checked for ranges when the length is small enough. It was fixed with the release of iOS 6.1.

Description of Apple:

Impact: A user-mode process may be able to access the first page of kernel memory
Description: The iOS kernel has checks to validate that the user-mode pointer and length passed to the copyin and copyout functions would not result in a user-mode process being able to directly access kernel memory. The checks were not being used if the length was smaller than one page. This issue was addressed through additional validation of the arguments to copyin and copyout.

planetbeing said he worked out a nice jailbreak for it, that will never see the light of day. i0n1c answered it is difficult to exploit it in a stable way and he would like to see a description.

TODO: Describe copyin/copyout functions and the fix in detail.

TODO: Describe how this can get exploited in a stable way.

References

Tango Utilities-terminal.png This firmware article is a "stub", an incomplete page. Please add more content to this article and remove this tag.