A researcher has released a new jailbreak tool that would allow iPhone users to run code from sources other than Apple's iTunes App Store.

The new jailbreak, dubbed Corona, takes advantage of two different bugs in iOS 5 to untether iPhones and other devices running iOS 5.01, the researcher, Pod2g, wrote on his iOS Research blog. One flaw exists in an iOS binary and the other is a heap overflow in the kernel, according to the post.

Update expected

Apple has in the past moved quickly to patch security flaws as soon as a jailbreak is publicised. With the code for Corona public, the company is expected to close these holes in the next security update.

"Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0," Pod2g wrote, noting that Corona accomplishes its task "another way".

The jailbreak tool relies on vulnerabilities in existing Apple binaries that are loaded using standard functions, Pod2g said. Prior to iOS 5, researchers used to create data pages that could be loaded on to the device to launch the jailbreak code. In iOS 5, Apple changed data pages to require that they also be digitally signed by Apple to verify their authenticity, so Pod2g piggybacked the exploit code onto existing, already-signed binaries.
The "racoon" binary is used for setting up IPSec connections from iOS devices and is started automatically whenever the user sets up a network connection. The tool uses a vulnerability in that binary to copy a bootstrap payload into the device's memory and then runs the actual exploit code. The code also uses a previously discovered heap overflow flaw in the iOS kernel, but Pod2g said he was not clear what was actually happening in the kernel. "I never figured it out exactly," he wrote, adding that he found the issue using a "fuzzing" tool.

The fact that Corona took advantage of a format string bug raised a few eyebrows amongst security experts. Chris Wysopal, CTO of Veracode, wondered on Twitter whether Apple was not using static analysis tools to hunt for security holes in its code. "These bugs [format string bugs] are easy to find with it," Wysopal wrote on Twitter.

The Corona jailbreak has been added to the redsn0w packages that can be used to untether devices. It can be downloaded from websites belonging to two Apple hacking groups, greenpois0n and the iPhone Dev Team.
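Wysopal's point is that a format string bug is a pattern a compiler or static analyser can flag mechanically: an attacker-influenced string is passed where a format string is expected. The following added C example (written for this page, not code from racoon, Corona or Apple) shows the unsafe pattern beside its hardened form, plus a small helper that counts the conversion specifiers in an untrusted string, which is the kind of check a defender can apply at a logging or input boundary. Function names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: the caller-controlled string becomes the format
 * string, so "%x" or "%n" inside it is interpreted by snprintf.
 * GCC and Clang flag this with -Wformat-security. */
void log_unsafe(char *out, size_t outlen, const char *msg)
{
    snprintf(out, outlen, msg);
}

/* Hardened pattern: the format is a literal and the untrusted string
 * is passed as data, so its contents are copied verbatim. */
void log_safe(char *out, size_t outlen, const char *msg)
{
    snprintf(out, outlen, "%s", msg);
}

/* Counts format conversions in an untrusted string: every '%' that is
 * not part of the literal "%%" escape. A value above zero means the
 * string must never reach a printf-family format argument. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Runtime guard for code paths that cannot yet be refactored:
 * returns 1 only if the string is safe to use as a format. */
int safe_as_format(const char *s)
{
    return count_conversions(s) == 0;
}

int main(void)
{
    /* Constructed sample: looks like a hostname but carries specifiers. */
    const char *untrusted = "peer-%x%x%n.example";
    char buf[64];

    log_safe(buf, sizeof buf, untrusted);
    printf("safe copy : %s\n", buf);                  /* printed verbatim */
    printf("conversions: %d\n", count_conversions(untrusted));
    printf("usable as format: %d\n", safe_as_format(untrusted));
    return 0;
}
```

The hardened variant is the fix Wysopal alludes to: a literal format plus `%s` makes the untrusted bytes inert, and building with `-Wformat-security` (or `-Werror=format-security`) turns the unsafe variant into a build-time finding rather than a field vulnerability.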
It appears that Pod2g is also working on a jailbreak update that would work on iOS devices that use the A5 chip, such as the iPhone 4S. "With some luck we could expect a release in a week," Pod2g tweeted.

Even though Apple claims jailbreaking – or cracking iOS to be able to run unofficial applications – is illegal, the US Copyright Office said in 2009 it was legal for iPhones and other smartphones. As a result, Apple and jailbreak hackers are in a game of cat-and-mouse as the company tries to quickly patch every vulnerability the hackers discover.

The Electronic Frontier Foundation has asked the Copyright Office to extend the exemption to the Digital Millennium Copyright Act to protect users who want to jailbreak tablets, e-readers and video game consoles.