Difference between revisions of "Timezone Vulnerability"
m (Http moved page Malformed PairRequest to Timezone Vulnerability without leaving a redirect: there seems to be no malformed PairRequest)
(Total rewrite based on new information from HITB talk)
Line 1: | Line 1:
+ | There is a flaw in [[lockdownd]]: |
− | According the the Accuvant Labs analysis, sending [[lockdownd]] a malformed [[PairRequest]] command causes [[lockdownd]] to change the permissions like <code>chmod 777 file</code> making it accessible to mobile (and all users). It isn't clear whether this vulnerability is in [[lockdownd]] or in an underlying library or framework, so more analysis of this vulnerability is necessary. |
+ | MOVW R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone" |
+ | MOVW R1, #0x1FF ; mode_t -> 0777 |
+ | MOVT.W R0, #4 |
+ | ADD R0, PC ; char * |
+ | BLX _chmod |
+ | This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list to make it relaunch (another probably non-exploitable vulnerability) causes it to perform the actual permission change on any file. |
− | This vulnerability (or together with [[Symbolic Link Vulnerability]]?) is CVE-2013-0979. |
− | + | This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this: |
<cite> |
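Review bot: the five instruction lines added in this hunk (`MOVW R0, #(aPrivateVarDbTi-0x4DB8A)` through `BLX _chmod`) are inserted as separate plain-text paragraphs with no `<pre>` or `<source>` block around them, so the wiki renders the listing as one run-on line and the `;` comments lose their alignment, as the rendered revision further down shows; wrap the listing in a preformatted block. In the same hunk, "By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]]" should read "through [[MobileBackup]]".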
Line 10: | Line 15:
Description: When restoring from backup, [[lockdownd]] changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path. |
</cite> |
+ | __NOTOC__ |
− | |||
== Usage == |
* [[evasi0n|evasi0n jailbreak]] |
Line 21: | Line 26:
== References == |
+ | * [http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf Slides from HITB presentation in Amsterdam 2013] |
* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n] |
* [http://support.apple.com/kb/HT5704 Apple's iOS 6.1.3 security fixes] |
Revision as of 09:22, 15 April 2013
There is a flaw in lockdownd:
    MOVW    R0, #(aPrivateVarDbTi-0x4DB8A)   ; "/private/var/db/timezone"
    MOVW    R1, #0x1FF                       ; mode_t -> 0777
    MOVT.W  R0, #4
    ADD     R0, PC                           ; char *
    BLX     _chmod
This means chmod("/private/var/db/timezone", 0777) is executed on every launch without any further checks. By setting a symbolic link at /var/db/timezone through MobileBackup, pointing the symlink at any other file, and crashing lockdownd by sending it a malformed property list so that it relaunches (another, probably non-exploitable vulnerability), the actual permission change can be performed on any file.
This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:
Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.