Difference between revisions of "IOSurface Kernel Exploit"

From The iPhone Wiki
Jump to: navigation, search
m (Added CVE (hopefully the right one) and Category)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This vulnerability, along with the [[Malformed_CFF_Vulnerability]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a buffers overflow in the handling of the [http://iphonedevwiki.net/index.php/IOCoreSurfaceRoot kernel-extension for managing pixel buffers] used to get root privileges.
+
This vulnerability, along with the [[Malformed CFF Vulnerability]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a buffer overflow in the handling of the [http://iphonedevwiki.net/index.php/IOCoreSurfaceRoot kernel-extension for managing pixel buffers] used to get root privileges.
   
  +
== Credit ==
  +
[[User:Comex|comex]]
   
== exploit ==
+
== Exploit ==
   
Selector 19 was Vulnerability to a buffers overflow that allow access to the root filesystem without making the kernel fail signature checks
+
Selector 19 was vulnerable to a buffer overflow that would allow access to the root filesystem without making the kernel fail signature check
   
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
Line 54: Line 56:
 
| 21 || removeSurfaceNotify || 24 bytes of stuff || -
 
| 21 || removeSurfaceNotify || 24 bytes of stuff || -
 
|}
 
|}
  +
== Sources ==
 
  +
*http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2973
== Credit ==
 
[[User:Comex|comex]]
+
[[Category:Exploits]]

Latest revision as of 20:22, 9 July 2011

This vulnerability, along with the Malformed CFF Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffer overflow in the handling of the kernel-extension for managing pixel buffers used to get root privileges.

Credit

comex

Exploit

Selector 19 was vulnerable to a buffer overflow that would allow access to the root filesystem without making the kernel fail signature check

Selector Action Input Output
0 lookupFromMachPort - 1,208 bytes of stuff
1 release IOSurfaceID surfaceID -
2 lock struct IOSurfaceLockArg 1,208 bytes of stuff
3 unlock struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
4 lockPlane struct IOSurfaceLockArg 1,208 bytes of stuff
5 unlockPlane struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
6 lookup void* ??? 1,208 bytes of stuff
7 setYCbCrMatrix IOSurfaceID surfaceID, uint32_t YCbCrMatrix -
8 wrapClientImage 28 bytes of stuff 1,208 bytes of stuff
9 wrapClientMemory void* param0, void* param1 1,208 bytes of stuff
10 getYCbCrMatrix IOSurfaceID surfaceID uint32_t YCbCrMatrix
11 setValue ? -
12 getValueMethod ? ?
13 kIOSurfaceMethodRemoveValue ? -
14 bindAccel IOSurfaceID surfaceID, void* unknown0, void* unknown4 -
15 bindAccelOnPlane IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex -
16 readLimits - 20 bytes of stuff.
17 kIOSurfaceMethodIncrementUseCount IOSurfaceID surfaceID -
18 kIOSurfaceMethodDecrementUseCount IOSurfaceID surfaceID -
19 ? void* ??? void* ???
20 setSurfaceNotify 24 bytes of stuff -
21 removeSurfaceNotify 24 bytes of stuff -

Sources