Corona Jailbreak HITB Video
The official Hack In The Box Conference twitter account just posted a Corona jailbreak HITB video by the iOS DreamTeam about the history of the first iOS 5.0.1 untethered jailbreak. In the video and paper (attached below in the article) the hackers present the chain of multiple exploits used to break out of the sandbox and inject and execute unsigned code in the kernel, which together produce the fully working untethered jailbreak.
So why did the guys decide to describe the Corona jailbreak, when it isn’t the latest one? The thing is, the latest Absinthe jailbreak, which untethers iOS 5.1.1, was built on @pod2g’s Corona untether. The word Corona is an anagram of racoon, the IPsec daemon that is the main target of the attack. A format string vulnerability was located in racoon’s routines. It allows the researchers to write the data they want onto racoon’s stack, provided they control the config file.
But here’s a small limitation – they can write only one byte at a time, which makes the process pretty time consuming. This method lets the hackers build a ROP payload within racoon’s stack and then mount a crafted HFS volume that is supposed to inject code at the kernel level. After that process the code-signing routines are patched.
The initial Corona exploit used the limera1n bootrom exploit to perform an injection that disabled ASLR and sandboxing and pointed racoon at a custom configuration script. However, that method became obsolete on the new A5 devices (iPhone 4S, iPad 2). They aren’t exploitable with limera1n, so the DreamTeam had to search for another injection vector.
Corona Jailbreak HITB Video by DreamTeam:
A few words about iOS hackers DreamTeam:
Joshua Hill (@p0sixninja) is an independent security researcher at zImperium. He’s the leader of the Chronic Dev Team and the main creator of GreenPois0n.
Cyril (@pod2g) – famous iPhone hacker who discovered and brought to life several bootrom exploits such as 24kpwn, steaks4uce, and SHAtter. He also found several userland and kernel exploits that were used in different jailbreak tools.
Nikias Bassen (@pimskeks) – part of the Chronic-Dev Team and author of libimobiledevice, usbmuxd, and other projects that allow communication with iDevices.
David Wang (@planetbeing) – iPhone Dev Team member. In the past, developer of such jailbreak tweaks as redsn0w, xpwn, and QuickPwn. He’s the first hacker to port the Android and Linux kernels to iOS devices.