|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Timezone Vulnerability"
(Total rewrite based on new information from HITB talk) |
(mention the crashing with separate page) |
||
| Line 6: | Line 6: | ||
BLX _chmod |
BLX _chmod |
||
| − | This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list to make it relaunch |
+ | This means <code>chmod("/private/var/db/timezone",0777)</code> without any further checks and is executed on every launch. By setting a symbolic link on <code>/var/db/timezone</code> though [[MobileBackup]] and pointing the symlink to any other file and crashing [[lockdownd]] by sending it a malformed property list (see [[Malformed PairRequest]]) to make it relaunch causes it to perform the actual permission change on any file. |
This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this: |
This vulnerability is '''CVE-2013-0979''' and Apple describes it in the iOS 6.1.3 security fixes like this: |
||
| Line 24: | Line 24: | ||
== See Also == |
== See Also == |
||
* [[Symbolic Link Vulnerability]] |
* [[Symbolic Link Vulnerability]] |
||
| + | * [[Malformed PairRequest]] |
||
== References == |
== References == |
||
Revision as of 09:27, 15 April 2013
There is a flaw in lockdownd:
MOVW R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone" MOVW R1, #0x1FF ; mode_t -> 0777 MOVT.W R0, #4 ADD R0, PC ; char * BLX _chmod
This means chmod("/private/var/db/timezone",0777) without any further checks and is executed on every launch. By setting a symbolic link on /var/db/timezone though MobileBackup and pointing the symlink to any other file and crashing lockdownd by sending it a malformed property list (see Malformed PairRequest) to make it relaunch causes it to perform the actual permission change on any file.
This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:
Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
