Timezone Vulnerability

From The iPhone Wiki
Revision as of 09:27, 15 April 2013 by Http (talk | contribs) (mention the crashing with separate page)
Jump to: navigation, search

There is a flaw in lockdownd:

MOVW   R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
MOVW   R1, #0x1FF                     ; mode_t -> 0777
MOVT.W R0, #4
ADD    R0, PC                         ; char *
BLX    _chmod

This means chmod("/private/var/db/timezone",0777) without any further checks and is executed on every launch. By setting a symbolic link on /var/db/timezone though MobileBackup and pointing the symlink to any other file and crashing lockdownd by sending it a malformed property list (see Malformed PairRequest) to make it relaunch causes it to perform the actual permission change on any file.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.

Usage

Credits

See Also

References