iOS Exploits
iOS Exploits Data
Name | Type | Access Granted | Born Date & iOS Version | Modification Date | Death Date | Found by | Description
---|---|---|---|---|---|---|---
Archon | Remote Architecture Detection | | | | | |
Dyonedo | Codesign Defeat | | | | | |
Earth | Remote Exploit | | | | | |
Eve | Remote Exploit | | | | | |
Elderpiggy | Sandbox Escape | | | | | |
Ironic | Kernel ASLR (Address Space Layout Randomization) Defeat | | | | | |
Nandao | Kernel Exploit | | | | | |
Persistence | Reboot Persistence | | | | | |
Redux | Close Access | | | | | |
Rhino | API misuse | Kernel ASLR Defeat | April 2013, iOS 7 | | June 2014, iOS 8 Beta 1 | GCHQ | Reads KEXT info that reveals the KASLR values by calling the OSKextCopyLoadedKextInfo function.
Sal | Abnormal code path in the kernel | Codesign Defeat | DATE???, iOS 7 | | 2/15, bugfix | FBI, ROU | Copies non-page-sized chunks so that the vm_map_copy_overwrite_unaligned() path is taken in the kernel. This abnormal code path results in pages of memory not being paged in, so the cs_tainted flag is never set on the pages in memory, causing no signature checks.
Saline | Buffer overflow caused by a deserialization parsing error in the Foundation library | ROP execution | DATE???, iOS 8 | 2/15, Productized at TRICLOPS workshop | | | Sending a crafted NSArchiver object to any process that calls the NSArchive unarchive method will result in a buffer overflow, allowing for ROP.
Wintersky | Size mismatch between user and kernel structures | Kernel ASLR Defeat | DATE???, iOS 8 | | | NOCTURNALFEARS??? | WinterSky leaks the kernel address of the ipc_port struct of a user-provided mach port.
Xiphos | Validation Issue | Kernel Exploit | March 2014, iOS 7 | | 11/14, iOS 8.1.1 | User #78176 | Available for: iPhone 4S and later, iPod Touch 5th gen and later, iPad 2 and later. Impact: A malicious application may be able to execute arbitrary code with system privileges. Description: A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. Publicly discovered by the Chinese jailbreak team, Pangu.
Exploits
| | iOS 4 (4.0 - 4.3.3) Remote | iOS 4 (4.0 - 4.3.3) Local | iOS 5 (5.0 - 5.1.1) Remote | iOS 5 (5.0 - 5.1.1) Local | iOS 6 (6.x - 6.1.2) Remote | iOS 6 (6.x - 6.1.2) Local | iOS 6.1.3 - 6.1.4 Remote | iOS 6.1.3 - 6.1.4 Local | iOS 7 Remote | iOS 7 Local | iOS 8 Remote | iOS 8 Local |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Kernel Info Leak | | | | | rhino | rhino | rhino | rhino | | | | |
| Sandbox Escape (browser) | ?? | | ?? | | sandshrew | | sandshrew | | piggy | | | |
| Kernel Exploit | | | , CORONA (5.0.1) | | cutlass | cutlass | scimitar | scimitar | xiphos | xiphos | nandao | nandao |
| Code sign defeat | EARLYKATANA | EARLYKATANA | EARLYKATANA | EARLYKATANA | katana (libamfi) | katana (libamfi) | dyonedo | dyonedo | dyonedo | dyonedo | | |
| Access | SAFFRONSKIES (4.3 only?) | SLIDE | SUNSETSKIES | SLIDE | wby | redux | wby | redux | eve | redux | eve | redux (beta dmg) |
| Persistence (reboot) | overrides.plist | overrides.plist | overrides.plist | overrides.plist | overrides.plist / launchd.conf | overrides.plist / launchd.conf | dirhelper | dirhelper | dirhelper | dirhelper | | |
| Persistence (update) | NO (OTA) | NO (OTA) | YES (sys not touched) | YES (sys not touched) | block | block | block | block | block | block | | |

Legend: XX = required, but not available. Blank = not required. ?? = unknown / someone else fill this in.