Jailbreak iOS 8.1.2 and Analyze Related Exploits

2016.01.21
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

0x00 Introduction This post mainly introduces: 1 my understanding on jailbreak 2 the working process of an iOS 8.1.2 jailbreak tool 3 the exploits used in a jailbreak 4 the exploitation method for each exploit I wish that you could learn the process of a jailbreak, the exploits required for a jailbreak and some exploitation methods through this article. The specific content is as follows. 0x01 What is Jailbreak To illustrate what jailbreak is, let’s first check out the things that we are not able to do without jailbreak: Install ordinary apps with arbitrary signature and system apps Install SSH Add command line apps Add a Daemon Add or delete any files Obtain any Mach Task Forge Entitlements Enable memory page to be writeable and executable … This list concludes the things that can only be done after a jailbreak on an iDevice. If you just scratch from the surface, the list can be very long. Here, we’ll conclude from a technical aspect and see what protection mechanisms of the iOS need to be compromised to achieve the aforementioned things: fail the code signing mechanism fail the protection to memory page (W+X) fail the protection to disk partition (/dev/disk0s1s1) fail the protection to Rootless, which is used to ensure system integrity; Therefore, iOS jailbreak generally means to break the above three protection mechanisms. 0x02 Set a Target The process of a jailbreak is actually the process to attack an iOS. Before we launch an attack, we have to set a target. In general, it is the iOS system, but this target is too broad to guide an attack. So we need a more specific one. But how do we determine a specific target? All we need is to find the parts that are responsible for corresponding protection methods in the system. Here are the targets that I conclude: Kernel, amfid, libmiss.dylib: Kernel: the protection mechanism to memory page is implemented solely in kernel. Get root permission: it requires root permission to mount a disk partition. Before we attack the final target, we’ll meet more obstacles (The system has multiple stages of defense) and these obstacles can be considered as stage goals. You’ll confront different obstacles on choosing different attack paths. However, if you start your attack through USB, the first one to bypass is a sandbox. So the sandbox is also a very important target. The above is my interpretation on a jailbreak. Next I’ll illustrate the attacking flow, the exploits and exploitation used in the case of iOS 8.1.2. More: http://en.wooyun.io/2016/01/18/38.html

References:

http://en.wooyun.io/2016/01/18/38.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top