Scribd
Upload
148 views

iOS Exploits - iOS - EDG Confluence PDF

The document lists various exploits that have been developed for iOS, including their names, the type of exploit, what system access they provide, when they were discovered and patched, and who discovered them. Many exploits provide remote code execution, bypass sandbox restrictions or defeat security protections like ASLR. The exploits span different iOS versions and were discovered by intelligence agencies, security researchers and jailbreak teams.

Uploaded by

Thomas Felder
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
148 views

iOS Exploits - iOS - EDG Confluence PDF

The document lists various exploits that have been developed for iOS, including their names, the type of exploit, what system access they provide, when they were discovered and patched, and who discovered them. Many exploits provide remote code execution, bypass sandbox restrictions or defeat security protections like ASLR. The exploits span different iOS versions and were discovered by intelligence agencies, security researchers and jailbreak teams.

Uploaded by

Thomas Felder
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

8/12/2015 iOS Exploits - iOS - EDG Confluence

Pages / iOS

iOSExploits
CreatedbyHP(193pt),lastmodifiedbyBenM.ATTLERyesterdayat4:10PM

iOSExploitsData
Name Type Access BornDate ModificationDate Death Foundby Description
Granted &iOS Date
Version

Archon technique Remote (camewith


Architecture purchase)
Detection

Dyonedo machoparsing Codesign JDWGCHQ


Defeat

Earth/Eve Remote PurchasedbyNSA


Exploit
SharedwithCIA
PortedbyGCHQ

Elderpiggy Sandbox Peppermint(NSAVR


Escape Contract)
Implementedby
GCHQatJDW

Ironic KernelASLR iOS8 Publicvulnerability


Defeat researcher:Steffan
Esser(i0nic)

Nandao Heapoverflow KernelExploit GCHQ


corruption?

Juggernaut PurchaseBaitshop

Persistence Executionvia Reboot June2013, June2014,JDW CIA Byselectingspecificexecutablesonthesystem


symboliclinks Persistence JDWXXXX XXXX partitionthatarerunwithrootprivileges,
asymboliclinkcanbecreated(oniOS7.x)oran
existingfilecanbeoverwritten(iOS8.x)
thatwillrunourbootstrapper,givinguseinitial
executiononeveryboot.

Redux Sandbox CloseAccess June2012, 7/15,workaroundfor 11/17/14, GCHQ SandboxProfiles:


misconfiguration iOS6 missing iOS8.1.1
vpnagentiniOS8 Availablefor:iPhone4Sandlater,iPodtouch(5th
devdmgs generation)andlater,iPad2andlater
Impact:Amaliciousapplicationmaybeableto
launcharbitrarybinariesonatrusteddevice
Description:Apermissionsissueexistedwiththe
debuggingfunctionalityforiOSthatallowedthe
spawningofapplicationsontrusteddevicesthatwere
notbeingdebugged.Thiswasaddressedby
changestodebugserver'ssandbox.
PubliclydiscoveredbytheChineseJailbreak
team,Pangu
CVE:20144457

Rhino APImisuse KernelASLR April2013, June2014, GCHQ ReadsKEXTinfothatrevealstheKASLRvaluesby


Defeat iOS7 iOS8Beta callingtheOSKextCopyLoadedKextInfofunction.
1

Sal Abnormalcode Codesign DATE???, 2/15,bugfix FBI,ROU Copiesnonpagedsizedchunkssothatthe


path Defeat iOS7 vm_map_copy_overwrite_unaligned()pathistakenin
inthekernel thekernel.
Thisabnormalcodepathresultsinpagesofmemory
notbeingpagedin,sothecs_taintedflagisnever
seton
thepagesinmemory,causingnosignaturechecks.

Saline BufferOverflow ROP DATE???, 2/15,Productizedat PurchaseBaitshop SendingacraftedNSArchiverobjecttoanyprocess


causedby execution iOS8 TRICLOPS thatcallsNSArchiveunarchivemethodwillresultin
deserialization workshop abufferoverflow,allowingforROP.
parsingerror
inFoundation
library

Wintersky SizeMismatch KernelASLR DATE???, NOCTURNALFEARS WinterSkyleaksthekerneladdressoftheipc_port


betweenuser Defeat iOS8 structofauserprovidedmachport.
andkernel
structures

Xiphos ValidationIssue KernelExploit March2014, 11/14,iOS CIA Availablefor:iPhone4Sandlater,iPodTouch5th


iOS7 8.1.1 genandlater,iPad2andLater.
Impact:Amaliciousapplicationmaybeableto
executearbitrarycodewithsystemprivileges.
Description:Avalidationissueexistedinthe
handlingofcertainmetadatafieldsof
IOSharedDataQueueobjects.
PubliclydiscoveredbytheChineseJailbreak
team,Pangu.

https://confluence.devlan.net/display/NS/iOS+Exploits 1/3
8/12/2015 iOS Exploits - iOS - EDG Confluence

Exploits

Release Access Kernel Kernel Sandbox CodeSign Persistence Persistence


Date(s) Info Exploit Escape Defeat
(reboot) (update)
Leak (browser)

iOS4(4.0 Remote 6/21/2010 SafferonSkies <NR> <NR> ?? EarlyKatana overrides.plist No


3/11/2011
4.3.3) (OTA<NR>)
Local SLIDE <NR>

iOS5(5.0 Remote 10/12/2011 SunsetSkies <NR> Corona(5.0.1) ?? EarlyKatana overrides.plist Yes


5/7/2012
5.1.1) (sysnot
Local SLIDE <NR> <NR> touched)

iOS6(6.x Remote 9/19/2012 Wby Rhino Cutlass SandShrew Katana overrides.plist block
2/16/2013
6.1.2) Local Redux <NR> (libamfi) launchd.conf

iOS6(6.1.3 Remote 3/19/2013 Wby Rhino Scimitar SandShrew Dyonedo dirhelper block
5/2/2013
6.1.4) Local Redux <NR>

iOS7(7.0 Remote 9/18/2013 Eve <NR> Xiphos Piggy Dyonedo dirhelper block
6/20/2014
7.1.2) Local Redux <NR>

iOS8(8.0& Remote 9/17/2014 Earth Ironic Nandao <NR> Dyonedo dirhelper block
9/25/2014
8.0.2) Local Saline

iOS8(8.1 Remote 10/10/2014 Earth Ironic Nandao <NR> Dyonedo dirhelper block
12/19/2014
8.1.2) Local Saline

iOS8(8.1.3 Remote 1/27/2015 Earth WinterSky Nandao <NR> Dyonedo mountNFS block
3/9/2015
8.2) Local Saline

IOS8.3 Remote 4/8/2015 Earth WinterSky Nandao <NR> Juggernaut mountNFS block

Local Saline

iOS8.4 Remote 6/30/2015 Earth WinterSky Nandao <NR> Juggernaut mountNFS block

Local Saline

Key

NewExploit

MajorUpdate

MinorUpdate

MinimalChanges

<NR> NotRequired

?? Unknown

OldTables(Toberemoved)
iOS4(4.04.3.3) iOS5(5.05.1.1) iOS6(6.x6.1.2) iOS6.1.36.1.4 iOS7 iOS8

Remote Local Remote Local Remote Local Remote Local Remote Local

KernelInfo <NR> <NR> <NR> <NR> rhino rhino rhino rhino <NR> <NR>
Leak

Sandbox ?? <NR> ?? <NR> sandshrew <NR> sandshrew <NR> piggy <NR>


Escape
(browser)

Kernel <NR> <NR> <NR>, <NR> cutlass cutlass scimitar scimitar xiphos xiphos

https://confluence.devlan.net/display/NS/iOS+Exploits 2/3
8/12/2015 iOS Exploits - iOS - EDG Confluence
Exploit CORONA(5.0.1)

CodeSign EARLYKATANA EARLYKATANA EARLYKATANA EARLYKATANA katana katana dyonedo dyonedo dyonedo dyonedo
Defeat (libamfi) (libamfi)

Access SAFFRONSKIES SLIDE SUNSETSKIES SLIDE wby redux wby redux eve redux
(4.3only?)

Persistence overrides.plist overrides.plist overrides.plist overrides.plist overrides.plist overrides.plist dirhelper dirhelper dirhelper dirhelper
(reboot) / /
launchd.conf launchd.conf

Persistence NO(OTA<NR>) NO(OTA<NR>) YES(sysnot YES(sysnot block block block block block block
(update) touched) touched)

iOS8(8.0&8.0.2) iOS8.18.1.2 iOS8.1.38.2 IOS8.3 iOS8.4

Release 9/17/20149/25/2014 10/10/201412/19/2014 1/27/20153/9/2015 4/8/2015 6/30/2015


Date(s)

Remote Local Remote Local Remote Local Remote Local Remote Local

KernelInfo Ironic Ironic Ironic Ironic WinterSky WinterSky WinterSky WinterSky WinterSky WinterSky
Leak

Sandbox <NR> <NR> <NR> <NR> <NR> <NR> <NR> <NR> <NR> <NR>
Escape
(browser)

Kernel Nandao Nandao Nandao Nandao Nandao Nandao Nandao Nandao Nandao Nandao
Exploit

CodeSign dyonedo dyonedo dyonedo dyonedo dyonedo dyonedo Juggernaut Juggernaut Juggernaut Juggernaut
Defeat

Access Earth Saline Earth Saline Earth Saline Earth Saline Earth Saline

Persistence dirhelper dirhelper dirhelper dirhelper dirhelper dirhelper Mount Mount Mount Mount
(reboot) NFS NFS NFS NFS

Persistence block block block block block block block block block block
(update)


XX=required,butnotavailable.
<NR>=notrequired
??Unknown/someelsefillthisin

Like Bethefirsttolikethis Nolabels

https://confluence.devlan.net/display/NS/iOS+Exploits 3/3

You might also like