
What Does Jailbreakme Do?

Hacking The iPhone, iPod, And iPad With A Web Page
By

TH: So if jailbreakme.com didn’t provide a progress bar, could this have been done without the user’s awareness?

Charlie: Certainly. The jailbreakme Web site does not try to hide its actions. It is performing a service for the user. A malicious site would run this code in the background and you wouldn't know it.

TH: And if the payload was smaller, say sending passwords or personal information, it could have happened almost instantaneously?

Charlie: Yes. Making permanent changes to the phone, like jailbreaking, is time consuming. But stealing information like contacts, SMS messages, and emails would happen in less than a second.

TH: Let me put a black hat on for a second. How do we know that this vulnerability, which exists in previous versions of iOS, hasn’t been exploited in a targeted fashion somewhere? In June, we had the leak of over 100,000 iPad owners' email addresses, including CEOs and government officials. Could someone have sent one of them a link to a malicious site, which then installed spyware or other malicious code?

Charlie: There is no way to know whether this vulnerability has been exploited in the past.  

TH: Scary stuff. How can we be sure that no existing application available through the App Store somehow installs a rootkit? We’ve seen SOCKS proxies sneak through the official App Store in the past, and there’s the whole story of the Android wallpaper app stealing private info.

Charlie: So…an App Store app could theoretically use the same privilege escalation exploit to break out of the sandbox and install malware. As a professional reverse engineer and code auditor, I can say that it would be impossible for Apple to audit all the applications that pass through the App Store. They can only do their best and try to restrict the APIs used by the applications, but this can be bypassed. Recently, someone included an application in the Android Marketplace that included a local privilege escalation exploit and rooted the phone.

TH: So it’s possible that an app could do this?

Charlie: It is possible that an app could do this, although as far as I know, no app in the App Store has ever done it.

TH: Why doesn’t the ARM XN-bit, also known as NX-bit or XD-bit, prevent overflows like this?

Charlie: Before Data Execution Prevention (DEP), buffer overflows would redirect execution of the process into user-injected code or shellcode. However, DEP forbids this, as the processor knows that the injected code is data, which is not supposed to be executed. As a way around this, exploits use what is known as return oriented programming (ROP). Here, instead of jumping to user-injected code, the exploit jumps to code from the actual process. In this case, code within MobileSafari and the libraries it needs. By reusing little bits of code from the process, the exploit is able to perform the actions necessary to do general purpose actions.  

TH: So, to understand this correctly, iOS does have some form of DEP, and this prevents arbitrary injection of user code. But the way around it is to use bits and pieces of legitimate code--the equivalent of a ransom note made out of cut up newspaper letters?

Charlie: Yes, the iOS implementation of DEP is very good. The ransom note analogy is a perfect analogy, originally attributed to rapper @drraid’s girlfriend. You take pieces of existing code and glue them together in a way that suits you, but wasn’t intended by the designer.

TH: What about technologies like ASLR and stack randomization? Would that have been a solution?

Charlie: Yes, in general, ASLR defeats return oriented programming by randomizing the location of the resident code, which the exploit would like to reuse. If the exploit cannot find the code to reuse, it cannot use ROP. iPhone does not have any ASLR; all addresses are completely known by an attacker if you know the firmware version of the device.
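The DEP and ASLR points above can be seen directly on a desktop Linux box. The following program is an added example written for this page, not code from the interview, from jailbreakme.com or from Apple. It assumes a Linux host on x86-64 or AArch64 (it uses mmap, mprotect, sigaction and /proc-free signal recovery) and uses a hypothetical six-byte "return 42" stub as the stand-in for injected shellcode. It shows three things: bytes written into a data page fault when executed (that is DEP/NX at work), the same logic already present as compiled code in the process runs fine (that is what ROP reuses), and the addresses of that existing code and of libc are what an attacker needs, so running the binary twice shows whether ASLR moves them.

```c
/* Added example (not from the interview): DEP/NX vs. code reuse, and the
 * addresses ASLR is meant to hide. Linux only; x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical "shellcode": machine code for `return 42`. An attacker would
 * smuggle something like this into the process as data (a string, a font,
 * an image) and then try to redirect execution into it. */
#if defined(__x86_64__)
static const unsigned char kInjected[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kInjected[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "this example supports x86-64 and AArch64 only"
#endif

/* Code that already lives in the process's executable text: the kind of
 * thing a ROP chain borrows instead of bringing its own instructions. */
static int existing_gadget(void) { return 42; }

static sigjmp_buf g_recover;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_recover, 1); /* unwind out of the refused instruction fetch */
}

/* Copy kInjected into a fresh page, set the page to final_prot, and jump to
 * it. Returns 42 if the CPU ran it, -1 if it refused (SIGSEGV/SIGBUS), and
 * -2 if the mapping itself failed. */
int run_injected_code(int final_prot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -2;
    memcpy(mem, kInjected, sizeof kInjected);
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof kInjected);
    if (mprotect(mem, page, final_prot) != 0) { munmap(mem, page); return -2; }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);   /* data pointer -> function pointer */
        result = fn();                  /* the "jump into shellcode" step */
    } else {
        result = -1;                    /* DEP/NX: the page is data, not code */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
}

/* Reusing code the process already ships needs no writable+executable page:
 * the only thing the attacker has to know is where it is. */
int run_existing_code(void) {
    int (*fn)(void) = existing_gadget;
    return fn();
}

/* The two addresses an exploit author needs for a chain like the above.
 * Without ASLR they are identical on every run of the same binary. */
uintptr_t address_of_existing_gadget(void) { return (uintptr_t)existing_gadget; }
uintptr_t address_of_libc_puts(void)       { return (uintptr_t)puts; }

int main(void) {
    printf("injected code, RW page : %d\n", run_injected_code(PROT_READ | PROT_WRITE));
    printf("injected code, RX page : %d\n", run_injected_code(PROT_READ | PROT_EXEC));
    printf("existing code          : %d\n", run_existing_code());
    printf("gadget at %#lx, puts at %#lx (run twice: do they move?)\n",
           (unsigned long)address_of_existing_gadget(),
           (unsigned long)address_of_libc_puts());
    return 0;
}
```

The RW page is exactly the situation Charlie describes: the processor knows the bytes are data and refuses to fetch them as instructions, so the exploit has to chain into addresses like the ones printed on the last line instead. Run the binary twice: if those addresses are identical each time, as they were on the iOS versions discussed above, a ROP chain can be hard-coded for that build; if they move, the chain breaks unless the attacker first leaks an address.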

Comments
  • apache_lives, August 17, 2010 7:52 AM (score 11)
    I'm more interested in Android being installed on the iPhone - looking quite interesting
  • orionite, August 17, 2010 12:33 PM (score 10)
    Very interesting article. I take content like this over "Man uses iPhone to cure cancer"-nonsense, any day.
  • Anonymous, August 17, 2010 9:04 AM (score 2)
    Who said Apple is unbreakable? Charlie Miller is the man who can kick Jobs' ball just as easily every time we visit his website. Since I got the iPhone 4 I found that I had been holding my phone wrong the past 7 years. I have to learn the new way from Apple, the right way of holding my phone, but it drops often and hurts my hand too. 2 weeks ago I heard people telling me that my iPad got a heat-up problem in Japan. I believe Steve Jobs is trying to tell everyone in Japan that they are holding their mp3 player wrong too, after all.
  • victorintelr, August 17, 2010 12:34 PM (score 6)
    Charlie Miller never held it wrong.
  • rd350, August 17, 2010 3:03 PM (score 1)
    now if only this worked for a mac :p
  • kelemvor4, August 17, 2010 4:40 PM (score 6)
    randomizer wrote: See, real men use Macs.

    Real men often do what is trendy rather than what makes sense.
  • jakthebomb, August 17, 2010 6:12 PM (score 0)
    George Hotz was the first to hack the iPhone.
  • jecastej, August 17, 2010 8:48 PM (score 2)
    Great interview,

    I think Apple should use its big capital to hire and pay for more engineers to solve all kinds of situations. It is not about problems surfacing everywhere or anytime, as there are no warranties in real life. And I don't say this just to complain. Now that Apple has the "resources" it should use them for its "own" benefit and, of course, for the benefit of all its users.
  • intelx, August 17, 2010 9:02 PM (score 1)
    i was the first to hack the iphone using windows 3.1
  • randomizer, August 18, 2010 12:15 AM (score -3)
    Ragnar-Kon wrote: Oh you are going to get marked down... beware of the windoz trolls.

    I knew I was going to get marked down, but couldn't resist. The commenters on this site are so protective of their favourite company.
  • r0x0r, August 18, 2010 6:21 AM (score 3)
    randomizer wrote: See, real men use Macs.

    Real men use Vista on 256MB RAM because the pain of doing so lets them know they're still alive.
  • Mottamort, August 18, 2010 7:00 AM (score 0)
    If Microsoft had to pay $3000 for every bug found in their software they'd lose a LOT of money... just think about all those service packs they release and the security updates that come out on a daily basis.
  • chickenhoagie, August 18, 2010 11:23 AM (score 2)
    Mottamort wrote: If Microsoft had to pay $3000 for every bug found in their software they'd lose a LOT of money... just think about all those service packs they release and the security updates that come out on a daily basis.

    I guess that's what happens when millions of people use Windows, and thousands more write malicious code for it.
  • mrmotion, August 18, 2010 12:14 PM (score 2)
    Great article. Would like to see more like this!!
  • WarraWarra, August 18, 2010 3:10 PM (score 0)
    Yup, great article. Finally something intelligent and interesting to read.
  • WarraWarra, August 18, 2010 3:19 PM (score 0)
    jecastej wrote: Great interview, I think Apple should use its big capital to hire and pay for more engineers to solve all kinds of situations. It is not about problems surfacing everywhere or anytime, as there are no warranties in real life. And I don't say this just to complain. Now that Apple has the "resources" it should use them for its "own" benefit and, of course, for the benefit of all its users.

    Yup, amazing they claim they have to Guantanamo Bay the iPhone / Apple's to prevent this, but in that statement they have already failed to prevent these "attacks" / security breaches.

    Why not just have it unlocked like in the western world and let anyone put what they want on there.

    Surely Apple gets the fact that no one is leasing their hardware, so everyone that pays for it owns it and can constitutionally use it as a vibrator or car mirror hanging attachment or whatever they like to do with it.

    What gets me is the gold, yes the metal gold that jewelry is made of: iPhones there are no issues with as "modified / appearance hacked" items, but something small like adding a useful app or installing your own operating system freaks them out.

    Next thing Apple will tell us they don't mind taking a mill. USD and burning it for fun but freak out about a US$0.20 rubber band aid for the signal problem not being the approved Guantanamo Bay Apple colors.

    Apple seriously needs some legal CA weed to smoke.
  • thebigt42, August 18, 2010 3:34 PM (score 0)
    randomizer wrote: See, real men use Macs.

    Real men downloaded files at 300 baud when that was the fastest available and were excited about doing it!
  • Lorsus, August 18, 2010 7:20 PM (score 0)
    Interesting how this article comes out after iOS 4.0.2 patches the font hack.