The technique that the Jailbreakme.com Web site is using to bypass the iPhone’s security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities.
One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple’s mobile devices, including the iPad and iPod Touch, display PDFs, according to an advisory from VUPEN Security, a French research organization. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox.
The combination of the two vulnerabilities, both of which are unpatched at the moment, gives an attacker the ability to execute code remotely on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store.
“These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices. The website redirects the browser to the appropriate PDF exploit file depending on the device model and version and then executes a first stage payload. Once done, a second stage payload is executed to gain root privileges on the device by exploiting the kernel vulnerability,” VUPEN said in its advisory.
Security researchers have said that the two vulnerabilities that the site is using to jailbreak devices could be adapted easily to the task of delivering malicious payloads via drive-by downloads on the mobile Safari browser on the iPhone, iPad or iPod Touch. Such an attack would give the attacker the ability to run code on the device and make any other modifications that root privileges allow.
Apple has not issued any guidance on workarounds or mitigations for the vulnerabilities or given any indications of when the flaws might be patched.