OS and Software > All Things Macintosh > [JB] How they did it - AWSOME

[JB] How they did it - AWSOME

--
Nothin' left to do but smile smile smile

This Unix internals person cringed at
"it uses a Unix trick called a “shebang” that can summon up code from another, signed application. "

»en.wikipedia.org/wiki/Shebang_%28Unix%29

This isn't a "Unix trick". This is how shell files indicate what shell they need to interpret themselves. If THAT is the security hole in iOS, it's time to fire the security review team. Wow.

"Wang won’t say exactly how that AMFID-defeating part of the jailbreak works. “Apple can figure that one out for themselves,” he says." and then he goes on to explain how they defeated ASLR (which has been defeated many times) so, clearly, they're patching stuff in memory to defeat AMFID - not unlike the Surface RT hack that lets you run unsigned code on RT.

Nice hack. I'm convinced at this point Apple makes these things just hard enough to jailbreak to seem like it's an accomplishment, but not so hard as to be impossible. The exploits used here are actually fairly critical security holes in iOS, they have to have been left purposefully. If not, then as I said some people should be looking for new work.
--
My place : »www.schettino.us

reply to dellsweig
Nice, but why post the freakin recipe? Just makes it easier for Apple to close the loopholes...
--
F**K THE NHL. Go Blue Jays 2013!!!

reply to JohnInSJ

reply to HiVolt

reply to dellsweig
I liked this 'how they did it' explanation:
»blog.accuvantlabs.com/blog/bthom···omponent

reply to JohnInSJ
Those security holes shouldn't be there. Doesn't matter, as long as we can jailbreak.

reply to dellsweig
Looks like a bunch of people will be stuck on 6.1 because I have a feeling these holes should be patched up for the next build. Why people decided to post almost every detail of the jailbreak instead of letting Apple guess is beyond me.

Did it myself; watched the Linux version Jailbreak two devices with strace -ff -s4096 ./evasi0n.x86_64 2>&1|tee /tmp/jailbreak.log

That's just client-side with push-pull, didn't watch iOS. When a "white-hat" exploit driven OS compromise dubbed "Jailbreak" is released it's trivial to see how they did it. The real art itself is the vulnerability discovery and packaging. I'll tip my hat to evad3rs, well done, and a very well packaged "idiot" ready solution across Windows, OS X, and Linux. I would encourage supporting these folks through PayPal.

I would be more concerned with post-Jailbreak if the security issues are address in the form of deb/Cydia patches. Through their awesomeness they've defeated ASLR, code-signing, a read-only filesystem (mount -o remount,ro / == yummy), and the illusion of walled garden security. I'd love to see a DMCA-friendly errata backport method for patching the same vulnerabilities that allowed us to free our devices.

-AS

reply to dellsweig
»www.tuaw.com/2013/02/08/evasi0n-···-a-week/
--
Nothin' left to do but smile smile smile

reply to RiseAbove