Tuesday, January 3, 2012

Pod2G Shows How Corona 5.0.1 Untether Jailbreak Works

As many of us know, some time ago the iPhone Dev Team released a new jailbreak tool called Corona 5.0.1 Untether, which untethers the jailbreak on iOS 5.0.1, and many of us have used it (or Redsn0w 0.9.10b1). Today Pod2G updated his blog to explain how the Corona jailbreak works, for those users who don't know what goes on under the hood:


As we all know, Apple has always tried to block any exploit discovered by hackers, and in iOS 5.0 Apple fixed all previously known ways of executing unsigned binaries. Corona does it another way...
Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.
Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.
Now you got it, Corona is an anagram of racoon :-) .
Pod2G also worked hard on a new kernel exploit that patches the kernel security features, as usual; nothing interesting there. For more details about how Corona works, and for those of you interested in the low-level workings of the latest untethered jailbreak to hit iOS 5 devices, please go to Pod2G's official blog, linked above.
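The bug class Pod2G describes, a format string vulnerability in a daemon's configuration parser, comes down to one pattern: untrusted text from the config file is passed as the format argument of a printf-family call instead of as data. The following is an added example written for this post; it is not racoon's code and not Pod2G's. It shows a hypothetical config-line logger in its vulnerable and hardened forms, plus a small lint check that counts the '%' conversions printf would interpret in a line, which a defender can run over config files before they reach a parser. The sample config lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE (hypothetical, added here to show the pattern): the config
 * line itself becomes the format string, so every '%' directive in the
 * line is interpreted by snprintf and the file controls what is read
 * from the stack. Never call this with untrusted input. */
void log_unknown_directive_vulnerable(char *out, size_t n, const char *line)
{
    snprintf(out, n, line);                 /* BUG: data used as format */
}

/* HARDENED: the format is a constant literal and the line is passed as a
 * plain %s argument, so '%' characters in the line are copied literally. */
void log_unknown_directive_safe(char *out, size_t n, const char *line)
{
    snprintf(out, n, "unknown directive: %s", line);
}

/* Lint check for untrusted config text: count '%' conversions that a
 * printf-family call would interpret. "%%" is a literal '%' and is not
 * counted. A non-zero result on a line that should carry no format
 * directives is worth flagging. */
int count_format_directives(const char *line)
{
    int count = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* "%%" -> literal percent */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Self-check: the hardened logger must copy a line containing "%n"
 * byte-for-byte into its message. Returns 1 on success, 0 otherwise. */
int hardened_logger_copies_literally(void)
{
    char buf[64];
    log_unknown_directive_safe(buf, sizeof buf, "key \"%n\";");
    return strcmp(buf, "unknown directive: key \"%n\";") == 0;
}

int main(void)
{
    /* Constructed sample lines; not taken from any real racoon.conf. */
    const char *benign  = "remote anonymous {";
    const char *hostile = "path pre_shared_key \"%x %x\";";
    char buf[128];

    log_unknown_directive_safe(buf, sizeof buf, hostile);
    printf("safe logger: %s\n", buf);
    printf("lint: benign=%d hostile=%d\n",
           count_format_directives(benign),
           count_format_directives(hostile));
    return 0;
}
```

The vulnerable function is never called in the example; it exists only so the two forms can be compared side by side. Compilers flag the vulnerable call when built with -Wformat -Wformat-security, which is the cheapest check to add to a build of any daemon that logs configuration text.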


(Via Ultrasn0w.)
