iPhone 4.0.2/iPad 3.2.2 Update Patches JailbreakMe Vulnerabilities
Apple has today released iOS 4.0.2 (and iOS 3.2.2 for iPad), which patches the two vulnerabilities used by JailbreakMe. The first, as I mentioned in my original post on the topic, was in FreeType, a font engine library. Apple describes the issue as:
A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.
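To make the "improved bounds checking" concrete, here is an added illustration (constructed for this post, not FreeType's code or comex's exploit): a minimal Type 2 charstring operand reader, where CFF fixes the operand stack at 48 entries. The `top >= CFF_MAX_OPERANDS` test is the kind of check whose absence lets a crafted font's operand sequence run past a fixed-size stack array; the wrapper functions and sample byte sequences are my own for exercising it.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration, not FreeType's code: the operand stack of a Type 2
 * charstring reader. CFF fixes the argument stack at 48 entries. */
#define CFF_MAX_OPERANDS 48
enum { CFF_OK = 0, CFF_ERR_STACK_OVERFLOW = 1, CFF_ERR_TRUNCATED = 2 };
typedef struct { int32_t operands[CFF_MAX_OPERANDS]; size_t top; } cff_stack;

/* Reads operands until the first operator byte (0..31 except 28) or end of data.
 * The `top >= CFF_MAX_OPERANDS` test is the bounds check: without it, a font
 * whose charstring carries more than 48 operands before an operator writes past
 * the fixed array, the stack buffer overflow class the advisory describes. */
int cff_push_operands(cff_stack *st, const uint8_t *cs, size_t len)
{
    size_t pos = 0;
    st->top = 0;
    while (pos < len) {
        uint8_t b0 = cs[pos];
        int32_t v;
        size_t need;                                /* bytes that follow b0 */
        if (b0 < 32 && b0 != 28) return CFF_OK;     /* operator: operands complete */
        need = b0 == 28 ? 2 : b0 <= 246 ? 0 : b0 <= 254 ? 1 : 4;
        if (len - pos - 1 < need) return CFF_ERR_TRUNCATED;   /* input length check */
        if (b0 == 28)       v = (int16_t)(((uint16_t)cs[pos + 1] << 8) | cs[pos + 2]);
        else if (b0 <= 246) v = (int32_t)b0 - 139;
        else if (b0 <= 250) v = ((int32_t)b0 - 247) * 256 + cs[pos + 1] + 108;
        else if (b0 <= 254) v = -((int32_t)b0 - 251) * 256 - cs[pos + 1] - 108;
        else                v = (int32_t)(((uint32_t)cs[pos + 1] << 24) | ((uint32_t)cs[pos + 2] << 16) |
                                          ((uint32_t)cs[pos + 3] << 8) | cs[pos + 4]); /* 16.16 fixed */
        if (st->top >= CFF_MAX_OPERANDS) return CFF_ERR_STACK_OVERFLOW; /* the fix */
        st->operands[st->top++] = v;
        pos += 1 + need;
    }
    return CFF_OK;
}
/* Wrappers used to exercise the reader (constructed helpers). */
int cff_status(const uint8_t *cs, size_t len) { cff_stack st; return cff_push_operands(&st, cs, len); }
int32_t cff_last_operand(const uint8_t *cs, size_t len)
{
    cff_stack st;
    if (cff_push_operands(&st, cs, len) != CFF_OK || st.top == 0) return INT32_MIN;
    return st.operands[st.top - 1];
}
/* n one-byte operands (0x8c encodes the value 1) followed by endchar (14). */
int cff_status_n_operands(size_t n)
{
    uint8_t cs[CFF_MAX_OPERANDS + 2];
    if (n > CFF_MAX_OPERANDS + 1) return -1;
    for (size_t i = 0; i < n; i++) cs[i] = 0x8c;
    cs[n] = 14;
    return cff_status(cs, n + 1);
}
```

Feeding 48 operands then an operator succeeds; a 49th operand is rejected instead of being written past the array, and a charstring cut off mid-operand is rejected by the length check.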
The second vuln was in IOSurface, and allowed the exploit to escalate privileges to root, thus breaking out of Mobile Safari’s sandbox. IOSurface is a framework that contains low-level interfaces for sharing graphics surfaces between applications. The vulnerability is described as:
An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.
Apple’s original description of this update can be found here. Note that neither of these vulnerabilities was attributed to anyone (possibly because they weren’t actually disclosed through the proper channels).
These remotely-exploitable vulnerabilities are quite severe, and I definitely recommend that all iPhone (and iPad) users apply this update (including those of you who like to jailbreak).
Let’s see what the next Jailbreak will bring.
[Update 12/8/10] The source code for both of the exploits used by JailbreakMe is now available here.
Apple Preparing Patch for iPhone PDF Exploit
In a rather rapid turnaround, indicative of the level of risk posed by the JailbreakMe PDF vulnerability, Apple on Wednesday announced that they have prepared a patch to be released in the next round of iPhone updates – hopefully sooner rather than later.
The security update will likely patch at least the two vulnerabilities used by JailbreakMe.com, as well as other flaws that may have been recently disclosed to Apple. This will break the jailbreaking process (and carrier unlocks) for anyone updating to the latest version, unless the jailbreak developers have other remote privilege escalation exploits up their sleeves.
[Update 11/8/10] iOS 4.0.2/3.2.2 released.
ultrasn0w Carrier Unlock for iPhone 4
Riding the wave of JailbreakMe in the past couple of days, the ultrasn0w project has been updated to enable a full carrier unlock for iPhone 4 running baseband version 01.59. This release also supports unlocking iPhone 3G and iPhone 3GS running basebands 04.26.08, 05.11.07 and 05.13.04.
The unlocking process requires a jailbroken iPhone, a step recently simplified by the browser-based jailbreakme.com, which uses a PDF font engine exploit to jailbreak the device. The ultrasn0w tool can be found in the Cydia application repository that is installed as part of the jailbreak. The unlock now allows iPhone 4 devices to be used on any carrier.
David Wong (aka. planetbeing) from the iPhone Dev Team posted about the news on their blog. The video below by TechTechManTV shows an iPhone 4 being jailbroken and unlocked using jailbreakme.com and ultrasn0w:
JailbreakMe and the PDF Exploit
[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!
JailbreakMe.com by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.
The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.
Depending on the device used to visit jailbreakme.com, the site delivers one of its existing payloads to perform the initial exploit. During the jailbreak it downloads an additional 3.7 MB binary file.
Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches it, iPhone users should be wary of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.
Here’s a pic of Charlie Miller jailbreaking Apple Stores for fun and… well, just fun really. Here’s a video of someone doing the same.
[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.
[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.
[Update 12/8/10] comex has released the source code for the jailbreak exploit.