Two iOS5 Security Flaws Exploited By Apple Jailbreak Tool

The latest jailbreak tool for Apple’s mobile devices takes advantage of flaws in the current iOS5 binary and kernel

A researcher has released a new jailbreak tool that would allow iPhone users to run code from sources other than Apple’s iTunes App Store.

The new jailbreak, dubbed Corona, takes advantage of two different bugs in iOS 5 to untether iPhones and other devices running iOS 5.01, a researcher, Pod2g, wrote on his iOS Research blog. One flaw is in an iOS binary and the other is a heap overflow in the kernel, according to the post.

Update expected

Apple has in the past moved quickly to patch security flaws as soon as a jailbreak is publicised. With the code for Corona public, the company is expected to close these holes in the next security update.

“Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0,” Pod2g wrote, noting that Corona accomplishes its task “another way”.

The jailbreak tool relies on vulnerabilities in existing Apple binaries that are loaded using standard functions, Pod2g said. Prior to iOS 5, researchers used to create data pages that could be loaded onto the device to launch the jailbreak code. In iOS 5, Apple modified data pages to require that they also be digitally signed by Apple to verify their authenticity, so Pod2g piggybacked the exploit code onto existing binaries.

The “Racoon” binary is used for setting up IPSec connections from iOS devices and is started automatically whenever the user sets up a network connection. The tool uses the vulnerability in that binary to copy a bootstrap payload into the device’s memory and run the actual exploit code. The code also uses a previously discovered heap overflow flaw in the iOS kernel, but Pod2g said he was not clear what was actually happening in the kernel.

“I never figured it out exactly,” he wrote, adding that he found the issue using a “fuzzing” tool.

The fact that Corona took advantage of a format string bug raised a few eyebrows amongst security experts. Chris Wysopal, CTO of Veracode, wondered on Twitter if Apple was not using static analysis tools to hunt for security holes in its code. “These bugs [format string bugs] are easy to find with it,” Wysopal wrote on Twitter.
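Added here as an illustration of the bug class Wysopal refers to (constructed example code, not Corona's payload or the racoon source): a logging helper that uses untrusted text as its format string, the hardened form beside it, and a variadic wrapper annotated so gcc/clang `-Wformat -Wformat-security` can check its callers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 128

/* Constructed example of the bug class: attacker-influenced text is passed
   straight in as the format string. Never call this with untrusted input. */
int log_line_unsafe(char *out, size_t n, const char *untrusted)
{
    /* BUG: 'untrusted' is interpreted as a format, so "%x" or "%n" inside it
       reads or writes memory. gcc/clang -Wformat-security reports this call. */
    return snprintf(out, n, untrusted);
}

/* Hardened form: the format is a literal, the untrusted data is an argument. */
int log_line_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* A variadic wrapper (hypothetical) with the format attribute, so the compiler
   checks callers of log_fmt exactly as it checks printf. */
int log_fmt(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Returns 1 when the hardened helpers keep a hostile string verbatim. */
int demo_preserves_specifiers(void)
{
    char buf[LOG_MAX];
    const char *hostile = "peer %x%x%n";   /* constructed hostile input */
    log_line_safe(buf, sizeof buf, hostile);
    if (strcmp(buf, hostile) != 0)
        return 0;
    log_fmt(buf, sizeof buf, "peer=%s", hostile);
    return strcmp(buf, "peer=peer %x%x%n") == 0;
}
```

Compiling with `-Wformat -Wformat-security -Werror` turns the unsafe call into a build failure, which is the cheap static check the article's experts have in mind.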

The Corona jailbreak has been added to the redsn0w packages that can be used to untether devices. It can be downloaded from Websites belonging to two Apple hacking groups, greenpois0n and the iPhone Dev Team. It appears that Pod2g is also working on a jailbreak update that would work on iOS devices that use the A5 chip, such as the iPhone 4S.

“With some luck we could expect a release in a week,” Pod2g tweeted.

Even though Apple claimed jailbreaking – or cracking the iOS to be able to run unofficial applications – was illegal, the US Copyright Office said in 2009 it was legal for iPhones and other smartphones. As a result, Apple and jailbreak hackers are in a game of cat-and-mouse, as the company tries to quickly patch every vulnerability the hackers discover.

The Electronic Frontier Foundation has asked the Copyright Office to extend the exemption to the Digital Millennium Copyright Act to protect users who want to jailbreak tablets, e-readers and video game consoles.