At HITB 2012, the Chronic Dev Team together with Pod2G presented the Corona exploit, on which the untethered jailbreak solution for iOS 5.0.1 was built. With its help we jailbroke our iDevices on iOS 5.0.1, and although the solution is old, this was the first opportunity for the Chronic Dev Team to present it, because the Absinthe exploit was also developed on top of it. The entire presentation runs no less than 55 minutes, and in it you will see everyone who developed and releases the untethered jailbreak solutions we use now, so I wish you pleasant viewing.
UPDATE: Here is the second part of the presentation as well.
GreenPois0n Absinthe was built upon @pod2g’s Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym for “racoon”, which is the primary victim for this attack. A format string vulnerability was located in racoon’s error handling routines, allowing the researchers to write arbitrary data to racoon’s stack, one byte at a time, if they can control racoon’s configuration file. Using this technique, researchers were able to build a ROP payload on racoon’s stack to mount a rogue HFS volume that injects code at the kernel level and patches its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad 2 and iPhone 4S, which weren’t exploitable by LimeRa1n, so another injection vector was needed.
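The bug class the abstract describes, text from an attacker-controlled configuration file reaching a printf-style error routine as the format argument, shown as an added example beside its hardened form. This is not racoon's code or part of the Corona tool; the logging wrapper and all function names are hypothetical.

```c
/* Added illustration of the bug class behind Corona, not racoon's own code:
 * text from an attacker-controlled configuration file reaches a printf-style
 * logging wrapper as the format argument. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* A thin logging wrapper, as daemons commonly have. Without a format
 * attribute the compiler cannot check what callers pass as fmt, so
 * -Wformat-security never sees the misuse below. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}
/* VULNERABLE: the untrusted text is the format string, so every '%'
 * directive it contains is interpreted against the caller's stack. */
int report_unsafe(char *out, size_t outlen, const char *cfg_text)
{
    return log_msg(out, outlen, cfg_text);
}

/* HARDENED: a literal format with the untrusted text as a plain argument;
 * '%' in cfg_text is copied verbatim and never interpreted. */
int report_safe(char *out, size_t outlen, const char *cfg_text)
{
    return log_msg(out, outlen, "config error: %s", cfg_text);
}

/* Check for a review or fuzz harness: 1 if the untrusted text survived
 * formatting byte-for-byte, 0 if some directive was consumed. */
int text_preserved(const char *formatted, const char *cfg_text)
{
    return strstr(formatted, cfg_text) != NULL;
}

int main(void)
{
    /* Constructed sample: "%%" is the one directive that is always safe to
     * interpret, which is enough to show the two paths behave differently. */
    const char *cfg = "bad value 100%% for retry";
    char buf[128];
    report_unsafe(buf, sizeof buf, cfg);
    printf("unsafe: %s (preserved=%d)\n", buf, text_preserved(buf, cfg));
    report_safe(buf, sizeof buf, cfg);
    printf("safe:   %s (preserved=%d)\n", buf, text_preserved(buf, cfg));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` only flags this class when the wrapper carries `__attribute__((format(printf, 3, 4)))`; otherwise the unsafe call compiles silently, which is why the check above is worth keeping in a test harness.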
ABOUT JOSHUA HILL (@p0sixninja)
Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.
ABOUT CYRIL (@pod2g)
Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He’s a member of Chronic-Dev Team and the original author of the Corona untether jailbreak.
ABOUT NIKIAS BASSEN (@pimskeks)
Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped in creating Absinthe.
ABOUT DAVID WANG (@planetbeing)
David Wang (@planetbeing) is a member of the iPhone Dev Team and former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices.
This post was last modified on Jun. 23, 2012, 9:32 AM