iOS Exploits (original) (raw)
Navigation: » Directory » iOS » iOS
iOS Exploits Data
Name | Type | Access Granted | Born Date & iOS Version | Modification Date | Death Date | Found by | Description |
---|---|---|---|---|---|---|---|
Archon | technique | Remote Architecture Detection | (came with purchase) | ||||
Dyonedo | macho-parsing | Codesign Defeat | JDW - GCHQ | ||||
Earth/Eve | Remote Exploit | Purchased by NSA Shared with CIA Ported by GCHQ | |||||
Elderpiggy | Sandbox Escape | Peppermint (NSANational Security Agency VR Contract) Implemented by GCHQ at JDW | |||||
Ironic | Kernel ASLRAddress Space Layout Randomization Defeat | iOS 8 | Public vulnerabilityresearcher: Steffan Esser (i0nic) | ||||
Nandao | Heap overflow corruption? | Kernel Exploit | GCHQ | ||||
Juggernaut | Purchase- Baitshop | ||||||
Persistence | Execution via symbolic links | Reboot Persistence | June 2013, JDWDevelopment Facility of GCHQ XXXX | June 2014, JDWDevelopment Facility of GCHQ XXXX | CIA | By selecting specific executables on the system partition that are run with root privileges,a symbolic link can be created (on iOS 7.x) or an existing file can be overwritten(iOS 8.x)that will run our bootstrapper, giving use initial execution on every boot. | |
Redux | Sandbox misconfiguration | Close Access | June 2012, iOS 6 | 7/15, workaround for missingvpnagent in iOS 8 dev dmgs | 11/17/14, iOS 8.1.1 | GCHQ | Sandbox Profiles: Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and laterImpact: A malicious application may be able to launch arbitrary binaries on a trusted deviceDescription: A permissions issue existed with the debugging functionality for iOS that allowed thespawning of applications on trusted devices that were not being debugged. This was addressed bychanges to debugserver's sandbox.Publicly discovered by the Chinese Jailbreak team, Pangu CVE: 2014-4457 |
Rhino | API misuse | Kernel ASLRAddress Space Layout Randomization Defeat | April 2013, iOS 7 | June 2014, iOS 8 Beta 1 | GCHQ | Reads KEXT info that reveals the KASLR values by calling the OSKextCopyLoadedKextInfo function. | |
Sal | Abnormal code pathin the kernel | Codesign Defeat | DATE???, iOS 7 | 2/15, bugfix | FBI, ROU | Copies non-paged sized chunks so that the vm_map_copy_overwrite_unaligned() path is taken in the kernel.This abnormal code path results in pages of memory not being paged in, so the cs_tainted flag is never set onthe pages in memory, causing no signature checks. | |
Saline | Buffer Overflow caused bydeserialization parsing errorin Foundation library | ROP execution | DATE???, iOS 8 | 2/15, Productized at TRICLOPS workshop | Purchase - Baitshop | Sending a crafted NSArchiver object to any process that calls NSArchive unarchive method will result ina buffer overflow, allowing for ROP. | |
Wintersky | Size Mismatch between userand kernel structures | Kernel ASLRAddress Space Layout Randomization Defeat | DATE???, iOS 8 | NOCTURNALFEARS | WinterSky leaks the kernel address of the ipc_port struct of a user provided mach port. | ||
Xiphos | Validation Issue | Kernel Exploit | March 2014, iOS 7 | 11/14, iOS 8.1.1 | CIA | Available for: iPhone 4S and later, iPod Touch 5th gen and later, iPad 2 and Later.Impact: A malicious application may be able to execute arbitrary code with system privileges.Description: A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. Publicly discovered by the Chinese Jailbreak team, Pangu. |
Exploits
| | | Release Date(s) | Access | Kernel Info Leak | Kernel Exploit | Sandbox Escape (browser) | Code Sign Defeat | Persistence (reboot) | Persistence (update) | Kernel Exploit Framework | | | -------------------------------------------------------------------------------------- | --------------- | ----------------------- | ------------------------ | ------------------ | -------------------------------- | -------------------- | ---------------------------- | ---------------------------- | ------------------------ | ----- | | iOS 4 (4.0 - 4.3.3) | Remote | 6/21/2010 - 3/11/2011 | SafferonSkies | | | ?? | EarlyKatana | overrides.plist | No (OTA ) | | | Local | SLIDE | | | | | | | | | | | iOS 5 (5.0 - 5.1.1) | Remote | 10/12/2011 - 5/7/2012 | SunsetSkies | | Corona (5.0.1) | ?? | EarlyKatana | overrides.plist | Yes (sys not touched) | | | Local | SLIDE | | | | | | | | | | | iOS 6 (6.x - 6.1.2) | Remote | 9/19/2012 - 2/16/2013 | Wby | Rhino | Cutlass | SandShrew | Katana (libamfi) | overrides.plist launchd.conf | block | | | Local | Redux | | | | | | | | | | | iOS 6 (6.1.3 - 6.1.4) | Remote | 3/19/2013 - 5/2/2013 | Wby | Rhino | Scimitar | SandShrew | Dyonedo | dirhelper | block | | | Local | Redux | | | | | | | | | | | iOS 7 (7.0 - 7.1.2) | Remote | 9/18/2013 - 6/20/2014 | Eve | | Xiphos | Piggy | Dyonedo | dirhelper | block | | | Local | Redux | | | | | | | | | | | iOS 8 (8.0 & 8.0.2) | Remote | 9/17/2014 - 9/25/2014 | Earth | Ironic | Nandao | | Dyonedo | dirhelper | block | Early | | Local | Saline | | | | | | | | | | | iOS 8 (8.1 - 8.1.2) | Remote | 10/10/2014 - 12/19/2014 | Earth | Ironic | Nandao | | Dyonedo | dirhelper | block | Early | | Local | Saline | | | | | | | | | | | iOS 8 (8.1.3 - 8.2) | Remote | 1/27/2015 - 3/9/2015 | Earth | WinterSky | Nandao | | Dyonedo | mount NFS | block | Early | | Local | Saline | | | | | | | | | | | IOS 8.3 | Remote | 4/8/2015 | Earth | WinterSky | Nandao | | Juggernaut | mount NFS | block | Early | | Local | Saline | | | | | | | | | | | iOS 8.4 | Remote | 6/30/2015 | Earth | WinterSky | Nandao | | Juggernaut | mount NFS | block | Early | | Local | Saline | | | | | | | | | | | iOS 9 (9.0 - 9.1) | Local | 9/16/2015 | Moon | WinterSky | Nandao | | Juggernaut | mount NFS | block | Early | | Remote | Saline | | | | | | | | | | | iOS 9.2 | Local | 12/8/2015 | Moon | WinterSky | Nandao | | Juggernaut | mount NFS | block | Early | | **Remote | Saline | MiniMe | | | | | | | | | | Key New Exploit Major Update Minor Update Minimal Changes Not Required ?? Unknown | | | | | | | | | | |
Attachments:
Previous versions:
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 [NSA] [FBI] [GCHQ] [MI5]| 24 [NSA] [FBI] [GCHQ] [MI5]| 25 [NSA] [FBI] [GCHQ] [MI5]| 26 [NSA] [FBI] [GCHQ] [MI5]| 27 [NSA] [FBI] [GCHQ] [MI5]| 28 [NSA] [FBI] [GCHQ] [MI5]| 29 [NSA] [FBI] [GCHQ] [MI5]| 30 [NSA] [FBI] [GCHQ] [MI5]| 31 [NSA] [FBI] [GCHQ] [MI5]| 32 [NSA] [FBI] [GCHQ] [MI5]| 33 [NSA] [FBI] [GCHQ] [MI5]| 34 [NSA] [FBI] [GCHQ] [MI5]| 35 [NSA] [FBI] [GCHQ] [MI5]| 36 [NSA] [FBI] [GCHQ] [MI5]| 37 [NSA] [FBI] [GCHQ] [MI5]| 38 [NSA] [FBI] [GCHQ] [MI5]| 39 [NSA] [FBI] [GCHQ] [MI5]| 40 [NSA] [FBI] [GCHQ] [MI5]| 41 [NSA] [FBI] [GCHQ] [MI5]| 42 [NSA] [FBI] [GCHQ] [MI5]| 43 [NSA] [FBI] [GCHQ] [MI5]| 44 [NSA] [FBI] [GCHQ] [MI5]| 45 [NSA] [FBI] [GCHQ] [MI5]| 46 [NSA] [FBI] [GCHQ] [MI5]| 47 [NSA] [FBI] [GCHQ] [MI5]|