
Some interesting strings from the binary. Hopefully there will be a write-up explaining the exploit in detail soon.

  /var/mobile/DemoApp.app
  Media/Recordings/.haxx/DemoApp.app/Info.plist
  Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist
  Media/Recordings/.haxx/timezone
  Media/Recordings/.haxx/var/evasi0n/evasi0n

Edit: I also spotted a few references to Racoon, the VPN client which I think was abused in an earlier jailbreak as well?
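Pulling strings like the ones above out of a binary is a one-liner with strings(1), but it is worth seeing what that actually does and how to narrow the output down to filesystem paths, since that is what points at the staging directory here. The following is an added example, not code from the original post or from the jailbreak itself: it scans a constructed byte blob (a Mach-O magic header plus the paths quoted above and some noise) for printable-ASCII runs and then keeps only the ones shaped like paths. The function names, the minimum length and the path regex are my own choices.

```python
import re

# Constructed sample "binary": a Mach-O 64-bit magic, the paths quoted in the
# comment above, a string too short to count, and some non-printable noise.
# This is assembled for the example, not taken from the real evasi0n binary.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01\x00\x00\x00\x00"
    b"/var/mobile/DemoApp.app\x00"
    b"\x01\x02\x03"
    b"Media/Recordings/.haxx/DemoApp.app/Info.plist\x00"
    b"ab\x00"
    b"Media/Recordings/.haxx/var/evasi0n/evasi0n\x00"
    b"\xff\xfe"
    b"racoon\x00"
    b"\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of printable ASCII at least min_len bytes long.

    This is the same heuristic strings(1) uses by default: a byte in 0x20..0x7e
    extends the current run, anything else terminates it.
    """
    found = []
    run = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # trailing run with no terminator
        found.append(run.decode("ascii"))
    return found


# A string "looks like a path" if it has at least one slash-separated
# component; leading slash optional so relative staging paths are kept.
PATH_RE = re.compile(r"^/?(?:[\w.@-]+/)+[\w.@-]*$")


def find_paths(strings: list) -> list:
    """Filter a strings() result down to filesystem-path-shaped entries."""
    return [s for s in strings if PATH_RE.match(s)]


if __name__ == "__main__":
    for p in find_paths(extract_strings(SAMPLE_BINARY)):
        print(p)
```

On a real Mach-O you would read the file with `open(path, "rb").read()` in place of `SAMPLE_BINARY`; the hidden `.haxx` directory and the `evasi0n` component stand out immediately once the output is reduced to paths.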


Here is a more detailed analysis: http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks...

The lazy binding is really interesting. There is lots of interesting stuff in the kernel, dyld, and libSystem. I would encourage you to have a look! You can do interesting things like run code before libSystem_init[1]

[0]:

https://github.com/Apple-FOSS-Mirror/dyld/tree/master/src

https://github.com/Apple-FOSS-Mirror/Libsystem/blob/master/i...

https://github.com/Apple-FOSS-Mirror/xnu/blob/master/bsd/ker...

[1]: https://gist.github.com/jevinskie/4615901


Nice analysis. According to Twitter there's something more to it, though: there still seems to be some sort of kernel memory corruption exploit:

https://twitter.com/kernelpool/status/298714209187921921


/var/mobile/Media/Recordings is a folder that you can upload files to from a PC. I would bet that some stage of the jailbreak copies those files to their proper place in the filesystem (places that the PC uploading interface doesn't have permissions to write).
