Watch Video of Jailbreak Dream Team’s Presentation on Absinthe Jailbreak at HITBSecConf 2012


Last month, the Jailbreak dream team released the Absinthe 2.0 jailbreak for iOS 5.1.1 at the Hack in the Box Security Conference (HITBSecConf) in Amsterdam.

Before releasing the jailbreak, they had given a presentation at the security conference explaining the details of the Absinthe Jailbreak.

Organizers of HITBSecConf have now uploaded the video of the presentation to YouTube, along with a backstory on how the jailbreak dream team managed to jailbreak devices running iOS 5.1.1.

Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the VPN configuration in the iPhone Settings app.

Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an ‘include’ command into the configuration to load commands from an outside controllable source that also conforms to racoon’s sandbox restrictions. Only one file was located that is allowed by racoon’s sandbox profile and is also writable from outside, in this case using the mobile backup protocol.

Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since the dynamic linker cache slide is only updated once every reboot; using an otherwise useless NULL pointer dereference bug and the ability to read crash reports off the device allowed easy calculation of the input to @pod2g's ROP generation code.

Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by the sandbox and get it to do our bidding. Some Mach ninja from @planetbeing allowed us to inject data reliably onto another process's stack, and using the debugging APIs we were able to jump into a crafted ROP payload within that process, which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
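The slide calculation the team describes above, as an added illustration that is not the Jailbreak Dream Team's code and not taken from the Absinthe sources: a deliberately triggered NULL dereference gets racoon killed, the resulting crash report lists the load address of every dyld shared cache library, and because the cache slide is fixed until the next reboot, the difference between one library's reported base and its base in the unslid cache file for that firmware is the slide to add to every gadget address. The crash-report fragment below is constructed (made-up addresses and UUIDs), the unslid base and gadget values are assumptions for the example, and the page-alignment sanity check is the author's own addition.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fragment of an iOS 5-era crash report (made-up addresses and
 * UUIDs; not a real log). The "Binary Images:" section records the load
 * address of each shared cache library at the time of the crash. */
const char *const sample_crash_report =
    "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)\n"
    "Exception Codes: KERN_INVALID_ADDRESS at 0x00000000\n"
    "Crashed Thread:  0\n"
    "\n"
    "Binary Images:\n"
    "    0x1000 -    0x2afff +racoon armv7  <00112233445566778899aabbccddeeff> /usr/sbin/racoon\n"
    "0x2fe7a000 - 0x2fe9bfff  dyld armv7  <ffeeddccbbaa99887766554433221100> /usr/lib/dyld\n"
    "0x30a45000 - 0x30a9dfff  libsystem_c.dylib armv7  <0f1e2d3c4b5a69788796a5b4c3d2e1f0> /usr/lib/system/libsystem_c.dylib\n"
    "0x3a12b000 - 0x3a146fff  libsystem_kernel.dylib armv7  <a1b2c3d4e5f60718293a4b5c6d7e8f90> /usr/lib/system/libsystem_kernel.dylib\n";

/* Find the reported load address of IMAGE in the Binary Images section.
 * Returns 1 and sets *base on success, 0 if the image is not listed. */
int find_image_base(const char *report, const char *image, uint32_t *base)
{
    const char *p = strstr(report, "Binary Images:");
    if (p == NULL)
        return 0;
    while ((p = strchr(p, '\n')) != NULL) {
        unsigned lo, hi;
        char name[64];
        p++; /* start of the next line */
        if (sscanf(p, " %x - %x %63s", &lo, &hi, name) == 3) {
            /* a leading '+' marks the crashed binary in these reports */
            const char *n = (name[0] == '+') ? name + 1 : name;
            if (strcmp(n, image) == 0) {
                *base = lo;
                return 1;
            }
        }
    }
    return 0;
}

/* Slide = reported base minus the base the same library has in the unslid
 * dyld_shared_cache for this firmware build (unslid_base is a constructed
 * value here; on a real device it is read out of the cache file). */
int compute_slide(const char *report, const char *image,
                  uint32_t unslid_base, uint32_t *slide)
{
    uint32_t loaded;
    if (!find_image_base(report, image, &loaded))
        return 0;
    if (loaded < unslid_base)
        return 0; /* the cache is never slid downwards */
    *slide = loaded - unslid_base;
    /* Assumed sanity check: the cache slides in whole 4 KiB pages, so a
     * non page-aligned delta means the report and the cache file do not
     * belong to the same build and any chain built from it would crash. */
    if ((*slide & 0xFFFu) != 0)
        return 0;
    return 1;
}

/* Rebase a ROP chain given as unslid cache addresses. Words that are not
 * code addresses (immediates popped into registers) pass through untouched,
 * as flagged by is_addr. */
void rebase_chain(const uint32_t *unslid, const int *is_addr, size_t n,
                  uint32_t slide, uint32_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = is_addr[i] ? unslid[i] + slide : unslid[i];
}

int main(void)
{
    /* Assumed unslid base of libsystem_c.dylib in the cache file for this
     * (fictional) build, and an assumed three-word chain. */
    const uint32_t unslid_libc = 0x30a00000u;
    const uint32_t chain[3]  = { 0x30a10abcu, 0xdeadbeefu, 0x30a2fe10u };
    const int      is_addr[3] = { 1, 0, 1 };
    uint32_t slide, out[3];

    if (!compute_slide(sample_crash_report, "libsystem_c.dylib", unslid_libc, &slide)) {
        fputs("could not derive a usable slide from this report\n", stderr);
        return 1;
    }
    rebase_chain(chain, is_addr, 3, slide, out);
    printf("slide = 0x%08x\n", slide);
    for (size_t i = 0; i < 3; i++)
        printf("chain[%zu] = 0x%08x\n", i, out[i]);
    return 0;
}
```

The same slide applies to every library in the cache, so one reference library is enough; the chain generator only has to add the slide to gadget and function addresses, not to the immediates in between. If the page-alignment check fails, the report was most likely read from a device on a different firmware build than the cache the gadgets were picked from.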

When we use jailbreaking tools like Absinthe, Redsn0w or Sn0wbreeze to jailbreak our iOS devices, we're oblivious to what goes on behind the scenes, but if you're intrigued and want to know more, watch the video of their presentation below: