Exploiting the iOS Kernel presented at XFocus 2013

by David Wang

Summary: In the iOS jailbreak evasi0n, the evad3rs team used a large arsenal of techniques to side-step the mitigations Apple had added in iOS 6 and iOS 6.1. Before the evad3rs settled on the set of vulnerabilities and techniques used in the final product, other potential avenues were explored using difficult-to-exploit vulnerabilities that had already been publicly disclosed, in case Apple was not prompt in closing vulnerabilities that were not remotely exploitable. This is an examination of an exploit built on the copyin/copyout bug disclosed by Mark Dowd of Azimuth Security, later assigned CVE-2013-0964. The vulnerability allows arbitrary data to be read from and written to an early page of kernel memory. By triggering allocations of I/O buffers by the HFS filesystem driver and overwriting those buffers, it is possible to take control of the kernel from within an App Store sandbox.