pod2G Reveals Details About Corona Untether For iOS 5.0.1

iOS hacker pod2G has provided some more details about the Corona untether that has been used by the iPhone Dev team and Chronic Dev team in Redsn0w and Corona Untether jailbreak app for iOS 5.0.1.

pod2G explains what he was up against and how he managed to discover the userland and the kernel exploit.

He writes:

Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

By the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Macho-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different technics found by @comex, either :

– the interposition exploit

– the initializer exploit

Here is a detailed explanation of incomplete code sign tricks used before 5.0 : http://theiphonewiki.com/wiki/index.php?title=Incomplete_Codesign_Exploit

In iOS 5.0, data pages need also to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (https://twitter.com/#!/i0n1c/status/145132665325105152). We may see this in the 5.1 jailbreak.

Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That’s why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in theracoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.

Now you got it, Corona is an anagram of racoon 🙂 .

By the way, the exploitation of the format string vulnerability is different than what was done in 2001, check it out if you’re interested !

For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command : racoon -f racoon-exploit.conf

racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.

The format string bug is utilized to copy the ROP bootstrap payload to the memory and to execute it by overwriting a saved LR in the racoon stack by a stack pivot gadget.

The ROP bootstrap payload copies the ROP exploit payload from the payload file which is distributed with Corona then stack pivot to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming.

The ROP exploit payload triggers the kernel exploit.

He has also goes on to explain the kernel exploit, which you can read on his blog.

pod2G who is currently working on the untethered jailbreak for iPhone 4S and iPad 2 hasn’t provided any update on it. We’ll let you know if there are any further updates so stay tuned here at iPhone Hacks or join our Facebook Fan page or follow us on Twitter or  subscribe to our RSS feed.

In case you missed it, you can checkout our step by step guides to perform untethered jailbreak using Redsn0w and Corona iOS 5.0.1 Unterher:

Like this post? Share it!