A security researcher has released a tool that will untether iPhones and other devices running iOS 5.01, allowing them to run unsigned code. The tool relies on a pair of exploits, one in an iOS binary and another in the kernel, and the jailbreak will survive after a reboot.

The tool, called Corona, takes advantage of a format string bug in a binary called racoon that’s used when setting up IPSec connections. The untether jailbreak works on devices running iOS 5.01, and is the work of a researcher who goes by the handle pod2g. He has posted a video demo of the untether tool in action, and the tool has been added to the redsn0w packages that will jailbreak and untether devices.

The researcher has been working on the exploits and untether tool for some time and said that he is also working on an update that will work on devices that use the A5 chip, including the iPhone 4S.

In his explanation of the way Corona works, pod2g said that because Apple has fixed all of the previously known tricks for jailbreaking iOS devices, he went looking for a different way to accomplish the same feat. He found it.

“In iOS 5.0, data pages need also to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (https://twitter.com/#!/i0n1c/status/145132665325105152). We may see this in the 5.1 jailbreak,” he wrote in a blog post explaining the way the jailbreak works.

“Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That’s why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms. Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.”

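To make the bug class concrete, here is an added C example (not racoon's code and not pod2g's tool) showing the shape of a format string defect in a configuration-file diagnostic routine, the hardened form beside it, and a small audit check a defender can run over config text or log lines. The helper names (`fmt_log`, `log_config_error_*`, `count_format_directives`) are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical diagnostic helper of the kind a config parser calls when it
 * rejects a line. Its variadic shape mirrors syslog()/printf(): whatever
 * arrives as `fmt` is interpreted, including %n, which writes to memory. */
static int fmt_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the untrusted config line *is* the format string.
 * Shown for recognition only; never call it with attacker-controlled text. */
static int log_config_error_vuln(char *out, size_t outlen, const char *line)
{
    return fmt_log(out, outlen, line);
}

/* HARDENED pattern: a literal format, with the line passed as a %s argument.
 * "%n%n" inside `line` is now plain text and is copied verbatim. */
static int log_config_error_safe(char *out, size_t outlen, const char *line)
{
    return fmt_log(out, outlen, "config error: %s", line);
}

/* Count printf conversions in untrusted text ("%%" is a literal percent).
 * A nonzero result in a config value or log line is a cheap audit signal
 * that text is about to meet a format API it should never control. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```

Compiling with `-Wformat -Wformat-security` (or marking `fmt_log` with `__attribute__((format(printf, 3, 4)))`) makes the compiler flag the vulnerable call site at build time.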
Once the tool has exploited the format string vulnerability, it copies a bootstrap payload into memory and triggers the kernel exploit. That exploit code targets a heap overflow vulnerability that pod2g found previously. Exactly what the exploit does to the iOS kernel isn’t entirely clear, even to pod2g, who wrote that he wasn’t sure what happens to the kernel code when the exploit fires.

“The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 0x6 bytes) are trashed in the operation because I needed to respect the HFS protocol. Thus, I restore them as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it,” he wrote.

Apple has a history of patching new jailbreak exploits in new releases of iOS, and with this one now public, it could well be patched in a forthcoming update.
