Monday, July 18, 2011

Analysis of the JailBreakMe v3 Font Exploit

Two weeks ago, comex released the third version of jailbreakme. It chains two exploits to jailbreak an Apple device from a PDF file opened in the MobileSafari browser: initial code execution comes from a vulnerability in the FreeType Type 1 font parser, and that foothold is then used to exploit a kernel vulnerability that disables code-signing enforcement, obtains root privileges and "installs" the jailbreak. The same kernel vulnerability is exploited again at every reboot to make the jailbreak untethered, using the Incomplete Codesign technique to bootstrap the kernel exploit. Both vulnerabilities (together with another FreeType vulnerability that jailbreakme does not use) were patched in iOS 4.3.4.
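Since the attack surface is a Type 1 font program embedded in a PDF, a cheap triage question for a file is simply "does this PDF carry an embedded Type 1 font at all?". The scanner below is an added example written for this write-up; it is not comex's code, nor anything from the FreeType project or the original post. It walks the indirect objects of a PDF with regular expressions, follows each /Type1 font dictionary to its /FontDescriptor and reports those that embed a /FontFile stream (the Type 1 program; /FontFile2 and /FontFile3 are TrueType and CFF and are deliberately not flagged). The two sample PDFs are constructed inline for the example; the regex-based object walk is an assumption of the example and does not see objects stored inside object streams or in encrypted files, which the report flags separately so the gap is visible.

```python
"""Triage helper: flag PDFs that embed a Type 1 font program (example code, not the page's own)."""
import re
import zlib

# One 'N G obj ... endobj' per indirect object. Regex-based, so objects packed in
# /ObjStm or encrypted streams are invisible; scan_report() reports that limitation.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.S)
REF_RE = re.compile(rb'/(\w+)\s+(\d+)\s+\d+\s+R')          # /Key N G R
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
NAME_RE = re.compile(rb'/BaseFont\s*/([^\s/<>\[\]()]+)')
# PFA text headers and the PFB binary segment marker (0x80 0x01).
TYPE1_HEADERS = (b'%!PS-AdobeFont', b'%!FontType1', b'\x80\x01')


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw body bytes for every top-level indirect object."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def indirect_refs(body: bytes) -> dict:
    """Map dictionary keys to the object number they reference (indirect refs only)."""
    return {k.decode('ascii'): int(n) for k, n in REF_RE.findall(body)}


def stream_payload(body: bytes):
    """Return the decoded stream bytes of an object, or None if it has no stream."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    data = m.group(1)
    if b'/FlateDecode' in body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return data  # undecodable Flate data: hand back the raw bytes rather than hide it
    return data


def find_embedded_type1(pdf: bytes) -> list:
    """Every /Type1 (or /MMType1) font whose descriptor embeds a /FontFile program."""
    objs = parse_objects(pdf)
    hits = []
    for num, body in objs.items():
        if not re.search(rb'/Type\s*/Font\b', body):
            continue
        if not re.search(rb'/Subtype\s*/(?:MM)?Type1\b', body):
            continue
        desc_num = indirect_refs(body).get('FontDescriptor')
        if desc_num not in objs:
            continue  # standard-14 font or dangling reference: nothing is embedded
        file_num = indirect_refs(objs[desc_num]).get('FontFile')  # Type 1 only
        if file_num not in objs:
            continue
        data = stream_payload(objs[file_num]) or b''
        name = NAME_RE.search(body)
        hits.append({
            'font_obj': num,
            'base_font': name.group(1).decode('latin-1') if name else None,
            'fontfile_obj': file_num,
            'program_bytes': len(data),
            'type1_header': data.startswith(TYPE1_HEADERS),
        })
    return hits


def scan_report(pdf: bytes) -> dict:
    """Findings plus the two conditions under which this scanner is blind."""
    return {
        'embedded_type1': find_embedded_type1(pdf),
        'has_object_streams': re.search(rb'/Type\s*/ObjStm\b', pdf) is not None,
        'encrypted': re.search(rb'/Encrypt\b', pdf) is not None,
    }


# ---- constructed sample input (not real jailbreakme files) -------------------

def build_pdf(objects: list) -> bytes:
    """Assemble numbered objects into a minimal PDF body (no xref; the scanner never reads one)."""
    out = [b'%PDF-1.4\n']
    for i, body in enumerate(objects, start=1):
        out.append(b'%d 0 obj\n%s\nendobj\n' % (i, body))
    out.append(b'trailer\n<< /Root 1 0 R >>\n%%EOF\n')
    return b''.join(out)


def flate_stream(dict_entries: bytes, raw: bytes) -> bytes:
    comp = zlib.compress(raw)
    return (b'<< %s /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream'
            % (dict_entries, len(comp), comp))


# A stand-in for a Type 1 program: only the PFA header matters to the scanner.
FAKE_TYPE1_PROGRAM = (b'%!PS-AdobeFont-1.0: Sample 001.000\n'
                      b'/FontName /Sample def\ncurrentfile eexec\n' + b'\x00' * 64)

PDF_WITH_EMBEDDED_TYPE1 = build_pdf([
    b'<< /Type /Catalog /Pages 2 0 R >>',
    b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    b'<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >>',
    b'<< /Type /Font /Subtype /Type1 /BaseFont /Sample /FontDescriptor 5 0 R >>',
    b'<< /Type /FontDescriptor /FontName /Sample /Flags 32 /FontFile 6 0 R >>',
    flate_stream(b'/Length1 100 /Length2 64 /Length3 0', FAKE_TYPE1_PROGRAM),
])

# Same layout, but the font is non-embedded Helvetica: must not be flagged.
PDF_STANDARD14_ONLY = build_pdf([
    b'<< /Type /Catalog /Pages 2 0 R >>',
    b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    b'<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >>',
    b'<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>',
])

if __name__ == '__main__':
    for label, sample in (('embedded', PDF_WITH_EMBEDDED_TYPE1), ('standard14', PDF_STANDARD14_ONLY)):
        print(label, scan_report(sample))
```

A hit only says "there is a Type 1 program here", which is exactly the input FreeType's parser will be fed; it is a reason to pull the font out and look at it, not a verdict, and a PDF that packs its font objects into object streams or is encrypted needs a real PDF parser before this check means anything.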


The jailbreakers claim to be back in already. By all reports, the latest jailbreak doesn't work for iPad 2 users, and it can't be done simply by visiting a website. You need to plug your device into a computer, in what's called a "tethered" jailbreak, and you need to re-jailbreak it every time you reboot. Nevertheless, Apple's latest security fix has been circumvented already.
