Friday, August 5, 2011

The Back Door

If you've never read about how jailbreak exploits work, it's a fascinating, although very technical process. I know enough to get the basics of what's happening, but of course the details are where the magic happens and I'm not a programmer so they are beyond my level of understanding.

First off, let me say that while many hackers use processes such as these to do harm, it is perfectly legal to jailbreak your own phone - the US Copyright Office declared that it does not violate any copyrights.

Jailbreaks typically work by exploiting a bug (otherwise called a "vulnerability") in a software subsystem and causing a buffer overrun or other error that gets you past the user interface down to the system level. Once this is done, the hacker can gain what is called "root access" (the process is also called "rooting"; it means you have a command prompt with escalated access privileges). Once you have root access in an OS you can do just about whatever you like. When you root an iPhone you get the console prompt, which looks like this: iPhone:~ root#. You can load programs from this prompt and the sky is the limit.
 
So jailbreaking begins by introducing code that is specifically designed to crash the system via a vulnerability. Undoubtedly the most successful jailbreak for iPhones is JailbreakMe, by Comex. It provides a one-step jailbreak that does everything automatically. All you need to do is go to the website on your iPhone and "Slide to jailbreak". JailbreakMe does all the heavy lifting. Millions of users have done this. Here's how it works, in a nutshell:

JailbreakMe exploits a vulnerability in the interpreter for Type 1 fonts in the FreeType library used by Mobile Safari. Type 1 fonts are PostScript fonts which are stored as vector data (outlines) and rendered by an interpreter into displayable bitmap characters. Type 1 fonts are very common in PDF (Acrobat) files. And since the interpreter is a program, its output can be controlled if you know what you are doing. See where this is going?

JailbreakMe works by using Mobile Safari to load a very carefully designed corrupt PDF file which takes over control of the font interpreter. The interpreter is then used to construct a highly sophisticated "ROP payload" (if you really want to know what this means, and see why hackers are some of the smartest people on the planet, see below, but suffice it to say it's the specific method Comex used to run his unauthorized code on the iPhone). This allows the new code to bypass the ASLR protection in iOS. ASLR (Address Space Layout Randomization) is one of the iPhone's most sophisticated software security systems. It randomly rearranges the positions of key code and data areas in memory so that an attacker cannot predict where they will be. Relying on known memory locations is a technique many hackers used to break into a system before things like ASLR were implemented.
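Below is an added Python triage scanner, written from the defender's side and not part of the original post: it flags PDFs that embed a Type 1 font program, the one piece of a document that the FreeType Type 1 interpreter actually executes, so such files can be routed to closer inspection or a sandbox instead of straight to a renderer. The sample PDF bytes are constructed for the example, and the regex-based object parsing is a heuristic that assumes uncompressed objects, not a full PDF parser.

```python
import re

# Heuristic regexes over raw bytes; assumes objects are not inside compressed object streams.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
TYPE_FONT = re.compile(rb"/Type\s*/Font\b")
SUBTYPE_TYPE1 = re.compile(rb"/Subtype\s*/Type1\b")
FONTDESC_REF = re.compile(rb"/FontDescriptor\s+(\d+)\s+\d+\s+R")
# /FontFile is a Type 1 (PostScript) program; /FontFile2 (TrueType) and
# /FontFile3 (CFF) feed other interpreters and are deliberately not matched.
FONTFILE_REF = re.compile(rb"/FontFile\s+(\d+)\s+\d+\s+R")

def embedded_type1_fonts(pdf: bytes) -> list:
    """Return one finding per Type 1 font whose program is embedded in the PDF.
    Standard-14 fonts (Helvetica etc.) have no FontFile: nothing to interpret."""
    # object number -> body for every 'N G obj ... endobj' block
    objs = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for num, body in objs.items():
        if not (TYPE_FONT.search(body) and SUBTYPE_TYPE1.search(body)):
            continue
        desc = FONTDESC_REF.search(body)
        if desc is None:
            continue  # not embedded: nothing for the interpreter to run
        ff = FONTFILE_REF.search(objs.get(int(desc.group(1)), b""))
        if ff is None:
            continue  # descriptor without a Type 1 program
        stream = STREAM_RE.search(objs.get(int(ff.group(1)), b""))
        data = stream.group(1) if stream else b""
        findings.append({
            "font_obj": num,
            "fontfile_obj": int(ff.group(1)),
            # genuine Type 1 programs open with a "%!" PostScript header line
            "ps_header": data.lstrip().startswith(b"%!"),
        })
    return findings

# Constructed sample: a standard font, an embedded Type 1 font, a TrueType font.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
2 0 obj << /Type /Font /Subtype /Type1 /BaseFont /ABCDEF+Custom /FontDescriptor 3 0 R >> endobj
3 0 obj << /Type /FontDescriptor /FontName /ABCDEF+Custom /FontFile 4 0 R >> endobj
4 0 obj << /Length 34 /Length1 34 /Length2 0 /Length3 0 >>
stream
%!PS-AdobeFont-1.0: Custom 001.000
endstream
endobj
5 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Arial /FontDescriptor 6 0 R >> endobj
6 0 obj << /Type /FontDescriptor /FontName /Arial /FontFile2 7 0 R >> endobj
"""
```

Only object 2 is reported for the sample: the Helvetica font is not embedded and the TrueType font goes through a different interpreter, which is exactly the distinction a gateway filter needs before deciding whether a PDF deserves a closer look.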

And that's it, in case you missed it. That's the actual jailbreak. Root access. So simple and yet so incredibly complicated. Takes only seconds.

From there JailbreakMe installs and runs Cydia, an application that allows users to find and load apps onto a jailbroken phone - it's like an underground app store. From then on, you can install apps that have not been pre-approved by Apple. That can open up lots of new possibilities, but ironically, also opens you up to a whole new world of vulnerabilities. On the happy side though, Comex provides a free app via Cydia that patches the font interpreter vulnerability so it cannot be used again.

But you didn't think Apple would let this go on very long, did you? They take vulnerabilities very seriously; it's one reason Macs are so much more secure than PCs. This one has already been fixed with a specific update to iOS, breaking JailbreakMe in the process. But I'm sure Comex is toiling in his mother's basement, hard at work on the next one.



"ROP: Return-Oriented Programming is a computer security exploit technique in which the attacker leverages control of the call stack to indirectly execute cherry-picked machine instructions or groups of machine instructions immediately prior to the return instruction in subroutines within the existing program code, in a way similar to the execution of a threaded code interpreter.

Because all the instructions that are executed are from executable memory areas within the original program, this avoids the need for direct code injection, and circumvents most measures that try to prevent the execution of instructions from user-controlled memory."
