Timezone Vulnerability

From The iPhone Wiki
Revision as of 09:22, 15 April 2013 by Http (talk | contribs) (Total rewrite based on new information from HITB talk)

There is a flaw in lockdownd:

MOVW   R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
MOVW   R1, #0x1FF                     ; mode_t -> 0777
MOVT.W R0, #4
ADD    R0, PC                         ; char *
BLX    _chmod

This means chmod("/private/var/db/timezone", 0777) is executed on every launch without any further checks. Placing a symbolic link at /var/db/timezone through MobileBackup, pointing it at any other file, and then crashing lockdownd so that it relaunches (by sending it a malformed property list, a second and probably non-exploitable bug) causes it to perform the permission change on that other file.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
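The fix Apple describes, refusing to change permissions when a symlink sits anywhere on the path, can be implemented without a lookup/chmod race by opening the path component by component with O_NOFOLLOW and calling fchmod on the resulting descriptor rather than chmod on a path. The following is an added example written for this page, not Apple's or lockdownd's code; the fixture under /tmp, the file and link names, and the function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* openat, O_NOFOLLOW, mkdtemp, realpath */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* chmod() that refuses a symlink in any component of an absolute path: every
 * component is opened O_NOFOLLOW relative to the previous one, so a planted link
 * fails (ELOOP, or ENOTDIR for a linked directory) instead of redirecting the change. */
int chmod_nofollow(const char *path, mode_t mode)
{
    char buf[PATH_MAX], *save = NULL;
    if (!path || path[0] != '/' || strlen(path) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    int dirfd = open("/", O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        /* Intermediate components must be real directories; the last may be any non-symlink type. */
        int flags = O_RDONLY | O_NOFOLLOW | ((save && *save) ? O_DIRECTORY : 0);
        int fd = openat(dirfd, c, flags), saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        dirfd = fd;
    }
    int rc = fchmod(dirfd, mode), saved = errno;  /* acts on the object we opened, not a path */
    close(dirfd); errno = saved; return rc;
}

/* Constructed fixture mirroring the flaw: <tmp>/target is a file and <tmp>/tz a symlink
 * to it, like the planted /var/db/timezone link. Returns 1 when plain chmod() through the
 * link changes the target (the bug) while chmod_nofollow() refuses it with ELOOP. */
int demo_symlink_chmod(void)
{
    char tmpl[] = "/tmp/tzdemo.XXXXXX", dir[PATH_MAX], target[PATH_MAX], lnk[PATH_MAX];
    struct stat st;
    if (!mkdtemp(tmpl) || !realpath(tmpl, dir)) return 0;  /* resolve /tmp itself if linked */
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/tz", dir);
    int ok = close(open(target, O_WRONLY | O_CREAT, 0600)) == 0 && symlink(target, lnk) == 0
          && chmod(lnk, 0777) == 0 && stat(target, &st) == 0 && (st.st_mode & 0777) == 0777
          && chmod_nofollow(lnk, 0600) == -1 && errno == ELOOP
          && chmod_nofollow(target, 0600) == 0;
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```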
