Difference between revisions of "Jailbreak Exploits"

From The iPhone Wiki
m (Move Pangu9.1-9.3.3 sections into 9.x)
(Changed header names.)

Revision as of 21:38, 8 August 2016

This page lists the exploits used in jailbreaks.

Common exploits

These exploits do not depend on any particular firmware version; as such, they are used by numerous jailbreak programs.

  • Pwnage + Pwnage 2.0 (together, to jailbreak the iPhone, iPod touch (1st generation), and iPhone 3G)
  • ARM7 Go (from iOS 2.1.1) (for tethered jailbreak on iPod touch 2G)
  • 0x24000 Segment Overflow (for untethered jailbreak on iPhone 3GS with old bootrom (359.3) and iPod touch 2G with old bootrom (240.4); another exploit such as the limera1n Exploit is also required)
  • usb_control_msg(0xA1, 1) Exploit (also known as "steaks4uce") (for tethered jailbreak on iPod touch 2G)

Jailbreak Programs

PwnageTool (2.0 - 5.1.1)

  • uses various of the common exploits listed above
  • uses the exploits listed below to untether up to iOS 5.1.1

redsn0w (3.0 - 6.0)

  • uses various of the common exploits listed above
  • uses the same exploits as Absinthe and Absinthe 2.0 to jailbreak iOS 5.0/5.0.1 and 5.1.1
  • uses the exploits listed below to untether up to iOS 5.1.1

sn0wbreeze (3.1.3 - 6.1.3)

  • uses various of the common exploits listed above
  • uses the exploits listed below to untether up to iOS 6.1.2

Programs used to jailbreak 1.x

AppTapp Installer (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

iBrickr (1.0 / 1.0.1 / 1.0.2)

  • iBoot cp-command exploit

AppSnapp/JailbreakMe 1.0 (1.0 / 1.0.1 / 1.0.2 / 1.1.1)

OktoPrep (1.1.2)

"Upgrade" to 1.1.2 from a jailbroken 1.1.1

Soft Upgrade (1.1.3)

"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

ZiPhone (1.1.3 / 1.1.4 / 1.1.5)

iLiberty / iLiberty+ (1.1.3 / 1.1.4 / 1.1.5)

Programs used to jailbreak 2.x

QuickPwn (2.0 - 2.2.1)

  • uses Pwnage and Pwnage 2.0

Redsn0w Lite (2.1.1)

  • ARM7 Go (for iPod touch 2G only)

Programs used to jailbreak 3.x

purplera1n (3.0)

  • iBoot Environment Variable Overflow (CVE-2009-2795)

blackra1n (3.1.2)

Spirit (3.1.2 / 3.1.3 / 3.2)

JailbreakMe 2.0 / Star (3.1.2 / 3.1.3 / 3.2 / 3.2.1)

limera1n / greenpois0n (3.2.2)

  • Packet Filter Kernel Exploit

Programs used to jailbreak 4.x

JailbreakMe 2.0 / Star (4.0 / 4.0.1)

  • Malformed CFF Vulnerability (CVE-2010-1797)

limera1n (4.0 / 4.0.1 / 4.0.2 / 4.1)

greenpois0n (4.1)

greenpois0n (4.2.1)

JailbreakMe 3.0 / Saffron (4.2.6 / 4.2.7 / 4.2.8)

JailbreakMe 3.0 / Saffron (4.3 / 4.3.1 / 4.3.2 / 4.3.3)

Except for the iPod touch 3G on iOS 4.3.1.

i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3)

used in redsn0w to untether iOS 4.3.1 / 4.3.2 / 4.3.3

  • ndrv_setspec() Integer Overflow

Programs used to jailbreak 5.x

unthredera1n (5.0 / 5.0.1 / 5.1 / 5.1.1)

Except for the iPad 3

Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)

Corona Untether (5.0.1)

Absinthe 2.0 and Rocky Racoon Untether (5.1.1)

  • a new Packet Filter Kernel Exploit (CVE-2012-3728)
  • Racoon DNS4/WINS4 table buffer overflow (CVE-2012-3727)
  • MobileBackup2 Copy Exploit

Programs used to jailbreak 6.x

evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)

  • Symbolic Link Vulnerability (CVE-2013-0979)

p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)

  • launchd.conf untether

Programs used to jailbreak 7.x

evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)

This section is a stub; it is incomplete. Please add more content to this section and remove this tag.

Geeksn0w (7.1 / 7.1.1 / 7.1.2)

Pangu (7.1 / 7.1.1 / 7.1.2)

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) (Pangu v1.0.0)
  • AppleKeyStore::initUserClient info leak (CVE-2014-4407) (Pangu > v1.0.0)
  • break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (CVE-2014-4422)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and the addresses of kernel objects
  • IOSharedDataQueue notification port overwrite (CVE-2014-4461)
  • "syslogd chown" vulnerability
  • enterprise certificate (not an exploit as such; used for the initial "unsigned" code execution)
  • "foo_extracted" symlink vulnerability (used to write to /var) (CVE-2014-4386)
  • /tmp/bigfile (a large file used to improve the reliability of a race condition)
  • VoIP backgrounding trick (used to restart the app automatically)
  • hidden segment attack
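Two of the entries on this page are symlink bugs of the same shape: evasi0n's Symbolic Link Vulnerability (CVE-2013-0979) and Pangu's "foo_extracted" symlink vulnerability (CVE-2014-4386). In each case a privileged service joins a client-controlled path onto a directory the client can write to and then opens, copies or extracts through it, following a symbolic link the client planted first, so the write lands in /var or wherever the link points. The code below is an added example written for this page, not Apple's file-service code and not jailbreak code: it shows the naive open beside a guarded per-component open that refuses to traverse symlinks or "..". The scratch tree (Media/note.txt, secret/key.txt, the escape link) and the open_naive / open_under / demo_symlink_guard names are constructed for the demonstration.

```c
/* Added example for this page: guarding a file-service path walk against
 * attacker-planted symlinks. Not Apple's AFC/backup code and not jailbreak
 * code; the directory layout and names below are constructed for the demo. */
#define _GNU_SOURCE   /* glibc: expose openat, mkdtemp, strtok_r, O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: join base + client path and open it. Any symlink
 * the client planted under base is silently followed. */
static int open_naive(const char *base, const char *rel)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/%s", base, rel);
    return open(p, O_RDONLY);
}

/* The guarded form: walk one component at a time from an fd on base, using
 * O_NOFOLLOW at every step (intermediate steps must also be directories),
 * and refuse absolute paths and "..". Returns an fd or -1 with errno set. */
int open_under(const char *base, const char *rel, int flags)
{
    char buf[4096];
    if (rel[0] == '/' || strlen(rel) >= sizeof buf) { errno = EACCES; return -1; }
    strcpy(buf, rel);

    int dir = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dir < 0) return -1;

    char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp; ) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        if (strcmp(comp, "..") == 0) { close(dir); errno = EACCES; return -1; }
        int fd = next ? openat(dir, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)
                      : openat(dir, comp, flags | O_NOFOLLOW);   /* ELOOP on a symlink */
        int saved = errno;
        close(dir);
        if (fd < 0) { errno = saved; return -1; }
        dir = fd;
        comp = next;
    }
    return dir;   /* an empty rel yields the base directory itself */
}

/* Builds base/Media/note.txt, base/secret/key.txt and the planted link
 * base/Media/escape -> ../secret, then tries both open styles. Returns 1 when
 * the naive open follows the link while the guarded open blocks both the
 * link and a ".." escape yet still serves the plain file. */
int demo_symlink_guard(void)
{
    const char *td = getenv("TMPDIR"); if (!td) td = "/tmp";
    char base[256]; snprintf(base, sizeof base, "%s/symguardXXXXXX", td);
    if (!mkdtemp(base)) return 0;

    char p[512]; int fd;
    snprintf(p, sizeof p, "%s/Media", base);  mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/secret", base); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/Media/note.txt", base);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    snprintf(p, sizeof p, "%s/secret/key.txt", base);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    snprintf(p, sizeof p, "%s/Media/escape", base);
    symlink("../secret", p);                     /* what the attacker plants first */

    int naive  = open_naive(base, "Media/escape/key.txt");          /* follows the link */
    int plain  = open_under(base, "Media/note.txt", O_RDONLY);       /* legitimate file */
    int escape = open_under(base, "Media/escape/key.txt", O_RDONLY); /* blocked: symlink */
    int dotdot = open_under(base, "Media/../secret/key.txt", O_RDONLY); /* blocked: ".." */
    int result = naive >= 0 && plain >= 0 && escape < 0 && dotdot < 0;
    if (naive >= 0) close(naive);
    if (plain >= 0) close(plain);

    /* tidy up the scratch tree */
    snprintf(p, sizeof p, "%s/Media/escape", base);   unlink(p);
    snprintf(p, sizeof p, "%s/Media/note.txt", base); unlink(p);
    snprintf(p, sizeof p, "%s/secret/key.txt", base); unlink(p);
    snprintf(p, sizeof p, "%s/Media", base);  rmdir(p);
    snprintf(p, sizeof p, "%s/secret", base); rmdir(p);
    rmdir(base);
    return result;
}

int main(void)
{
    printf("symlink guard demo: %s\n", demo_symlink_guard() ? "escape blocked" : "FAILED");
    return 0;
}
```

The per-component walk matters because a single lstat() before the open leaves a window in which the client swaps a directory for a link; holding a descriptor on each directory and passing O_NOFOLLOW to openat() removes that race as well as the plain symlink case.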

Programs used to jailbreak 8.x

Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)

  • an exploit for a bug in /usr/libexec/neagent (source: @iH8sn0w)
  • enterprise certificate (inside the IPA)
  • a form of dylib injection into a system process (see the IPA)
  • a DMG mount command that looks like the Developer DMG mount (visible in syslog while jailbreaking)
  • a sandboxing problem in debugserver (CVE-2014-4457)
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and the addresses of kernel objects
  • the same kernel exploit as in the first Pangu (CVE-2014-4461) (source: @iH8sn0w), now also used to leak kernel memory (source: @Morpheus______)
  • enable-dylibs-to-override-cache
  • a new overlapping segment attack (CVE-2014-4455)

TaiG and PPJailbreak (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2)

(See also details at newosxbook.com)

  • A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
  • DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and immediately overwrite libmis/xpcd_cache (via union mount)
  • A new overlapping segment attack (in a modified version) in dyld (CVE-2014-4455) - a negative LC_SEGMENT - to allow libmis and xpcd_cache to load
  • libmis redirection of MISValidateSignature to CFEqual (as in evasi0n), with an overlapping-segment variant in TaiG (segment at the end of the file, negative size)
  • enable-dylibs-to-override-cache - forces dynamic libraries to be loaded from the filesystem (where available) instead of from the shared cache (overriding libmis/xpcd_cache)
  • MobileStorageMounter exploit (CVE-2015-1062)
  • Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)

Kernel:

  • Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
  • mach_port_kobject exploit (CVE-2014-4496) - used to recover the permutation value and the addresses of kernel objects
  • IOHIDFamily kernel exploit (CVE-2014-4487) - to overwrite memory
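The overlapping-segment entries above (CVE-2014-4455, used by Pangu8 and, in a modified form, by TaiG) work by handing dyld a load-command table in which a later LC_SEGMENT claims file bytes an earlier segment already covers, or carries a size that wraps around (the "negative" segment), so that the mapping dyld builds is not the one a consistent header would describe. The checker below is an added example written for this page, not the dyld fix and not Pangu's or TaiG's code. It walks the load commands of an in-memory 64-bit Mach-O and flags any segment whose file range wraps, runs past the end of the file, exceeds its vmsize, or intersects an earlier segment's file range. The struct definitions are local copies of the loader layout so the file builds without Apple's headers; build_image and demo_check construct the sample images; and the particular checks are this example's own triage heuristics, not a description of what dyld itself validates.

```c
/* Added example for this page: flag Mach-O segments whose file ranges wrap,
 * run past EOF, or overlap an earlier segment, the shape of header that the
 * overlapping-segment attacks feed to dyld. Illustrative code, not the dyld
 * fix and not Pangu/TaiG code; the sample images are built in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u

/* Local copies of the loader structs so this builds without <mach-o/loader.h>. */
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype,
                                 ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize; char segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

/* Returns the number of suspicious LC_SEGMENT_64 commands (0 = clean), or -1
 * when the header or load-command area itself is malformed. */
int check_segments(const uint8_t *img, size_t len)
{
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return -1;

    size_t off = sizeof mh, cmds_end = off + mh.sizeofcmds;
    if (cmds_end < off || cmds_end > len) return -1;

    struct { uint64_t off, end; } seen[32];
    int nseen = 0, bad = 0;

    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (cmds_end - off < sizeof lc) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > cmds_end - off) return -1;

        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 sc;
            memcpy(&sc, img + off, sizeof sc);
            uint64_t end = sc.fileoff + sc.filesize;   /* wraps on a "negative" size */
            const char *why = NULL;

            if (end < sc.fileoff)              why = "fileoff+filesize wraps";
            else if (end > len)                why = "runs past end of file";
            else if (sc.filesize > sc.vmsize)  why = "filesize larger than vmsize";
            /* Two segments claiming the same file bytes: whichever is mapped
             * last wins, which is what the overlapping-segment attack relies on.
             * Zero-length file ranges (e.g. __PAGEZERO) are skipped. */
            for (int j = 0; j < nseen && !why; j++)
                if (sc.filesize && sc.fileoff < seen[j].end && seen[j].off < end)
                    why = "overlaps an earlier segment";

            if (why) {
                bad++;
                printf("%.16s: %s (fileoff=0x%llx filesize=0x%llx)\n", sc.segname, why,
                       (unsigned long long)sc.fileoff, (unsigned long long)sc.filesize);
            } else if (sc.filesize && nseen < 32) {
                seen[nseen].off = sc.fileoff; seen[nseen].end = end; nseen++;
            }
        }
        off += lc.cmdsize;
    }
    return bad;
}

/* Constructed two-segment image (not a real binary). mode 0: well-formed;
 * mode 1: __DATA's file range starts inside __TEXT; mode 2: __DATA carries a
 * huge ("negative") filesize so fileoff+filesize wraps. */
size_t build_image(uint8_t *buf, size_t cap, int mode)
{
    const uint64_t text_size = 0x1000, data_size = 0x200;
    size_t total = text_size + data_size;
    if (cap < total) return 0;
    memset(buf, 0, total);

    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000c /* ARM64 */, 0, 2 /* MH_EXECUTE */,
                                 2, 2 * sizeof(struct segment_command_64), 0, 0 };
    struct segment_command_64 text = { LC_SEGMENT_64, sizeof(struct segment_command_64), "__TEXT",
                                       0x100000000ULL, text_size, 0, text_size, 5, 5, 0, 0 };
    struct segment_command_64 data = { LC_SEGMENT_64, sizeof(struct segment_command_64), "__DATA",
                                       0x100001000ULL, data_size,
                                       mode == 1 ? 0x800 : text_size,
                                       mode == 2 ? (uint64_t)-0x100 : data_size, 3, 3, 0, 0 };
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &text, sizeof text);
    memcpy(buf + sizeof mh + sizeof text, &data, sizeof data);
    return total;
}

/* Build an image in the given mode and run the checker over it. */
int demo_check(int mode)
{
    static uint8_t img[0x2000];
    size_t n = build_image(img, sizeof img, mode);
    return n ? check_segments(img, n) : -1;
}

int main(void)
{
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d -> %d suspicious segment(s)\n", mode, demo_check(mode));
    return 0;
}
```

Run over a real binary by reading the file into memory and calling check_segments on the first architecture's slice (fat binaries need the fat header parsed first). A clean executable reports 0; a __PAGEZERO with filesize 0 is ignored, and a hit on any of the four conditions is a reason to look at the load commands by hand before trusting what the signature check covered.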

TaiG (8.1.3 / 8.2 / 8.3 / 8.4) and PPJailbreak

(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)

  • Air Traffic exploit, allowing attackers to access arbitrary filesystem locations via vectors related to asset handling (CVE-2015-5766)

Programs used to jailbreak 9.x

Pangu9 (9.0 / 9.0.1 / 9.0.2)

  • Photos exploit to gain arbitrary unsandboxed filesystem access as mobile, used to load an outdated DDI (CVE-2015-7037)
  • MobileStorageMounter allowed older DeveloperDiskImages to be mounted, giving unsandboxed unsigned code execution through known weaknesses in entitled executables (CVE-2015-7051)
  • IOHIDFamily use-after-free for kernel information leak / code execution as mobile (CVE-2015-6974)
  • dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistence (CVE-2015-7079)
  • Racing KPP for some of the patches
  • The AMFI MAC hooks lived in a non-__const __DATA section that KPP does not integrity-check, so the MAC hooks required for code signing could be replaced (CVE-2015-7055)

Pangu9 (9.1)

  • unknown

Pangu9 (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3)

  • IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. (CVE-2016-4654)