Message-ID: <df8ba96d0801230253u66a241c7pecbf875e0768af48@mail.gmail.com>
Date: Wed, 23 Jan 2008 10:53:58 +0000
From: c0ntex <c0ntexb@...il.com>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: iPhone remote DoS :(
Hi, my friend g0tcha and I came across a remote DoS (I know it sucks) in
iPhone (tested on 1.1.2) while looking for a jailbreak for 1.1.3. By browsing to
http://open-security.org/ifuk.html
you can trigger the following:
# /Applications/MobileSafari.app/MobileSafari
2008-01-22 13:27:04.668 MobileSafari[230:d03] Safari got memory level warning, killing all documents except active.
2008-01-22 13:27:06.081 MobileSafari[230:d03] Safari got memory level warning, killing all documents except active.
which creates a Kernel panic:
# cat 2008-01-22-133039.panic.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>bug_type</key>
<string>110</string>
<key>description</key>
<string>Incident Identifier: CA1C11E9-7607-4A85-93DE-8EB91D58B3C3
CrashReporter Key: f0feeb183ddcb5c5b291efdc094414a39ce0f837
Date/Time: 2008-01-22 13:30:41.464 +0000
OS Version: OS X 1.1.2 (3B48b)
Debugger message: WDT timeout
OS version: 3B48b
Kernel version: Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:50 PDT 2007; root:xnu-933.0.0.204.obj~7/RELEASE_ARM_S5L8900XRB
iBoot version: iBoot-204.2.9
secure boot?: YES
Paniclog version: 1
Task 0xc0817dc8: 66 threads: pid 0: kernel_task
thread 0xc093c000
kernel backtrace: e37e3b08
lr: 0xc0061fb3 fp: 0xe37e3b2c
lr: 0xc006219b fp: 0xe37e3b44
lr: 0xc0493070 fp: 0xe37e3f6c
lr: 0xc0141d79 fp: 0xe37e3f80
lr: 0xc0028175 fp: 0xe37e3fa8
lr: 0xc00609f8 fp: 0x00000000
Task 0xc0817c40: 3 threads: pid 1: launchd
Task 0xc0817930: 2 threads: pid 13: SMST
Task 0xc0817498: 13 threads: pid 16: BTServer
Task 0xc0817310: 10 threads: pid 17: CommCenter
Task 0xc1025dc8: 5 threads: pid 20: configd
Task 0xc1025c40: 1 threads: pid 21: crashreporterd
Task 0xc1025ab8: 1 threads: pid 22: cron
Task 0xc1025930: 5 threads: pid 23: iapd
Task 0xc10257a8: 2 threads: pid 24: mDNSResponder
Task 0xc1025620: 4 threads: pid 25: lockdownd
Task 0xc1025498: 3 threads: pid 26: syslogd
Task 0xc1025310: 1 threads: pid 27: update
Task 0xc1025188: 2 threads: pid 28: ptpd
Task 0xc12f1dc8: 2 threads: pid 30: notifyd
Task 0xc0817620: 2 threads: pid 187: dock
Task 0xc0817ab8: 2 threads: pid 188: ants
Task 0xc0817000: 10 threads: pid 189: SpringBoard
Task 0xc12f1930: 2 threads: pid 190: MobilePhone
Task 0xc12f1ab8: 1 threads: pid 212: afcd
Task 0xc12f1c40: 2 threads: pid 214: notification_pro
Task 0xc12f1620: 1 threads: pid 228: sshd
Task 0xc12f17a8: 1 threads: pid 229: sh
Task 0xc12f1498: 6 threads: pid 230: MobileSafari
Task 0xc08177a8: 14 threads: pid 231: mediaserverd
</string>
<key>system_ID</key>
<string></string>
</dict>
</plist>
The code I used is ripped from MOBB (thanks HDM!!). Anyway, we can't seem to
exploit this bug, but we're still working on it AND some other little things.
Anyway, happy iPhoning (or browsing and wondering what to do with your brick if
you updated to 1.1.3) :ppp.
--
regards
c0ntex
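The panic log in the post is a CrashReporter plist whose `description` string carries everything a responder actually wants: the debugger message (here `WDT timeout`, i.e. the hardware watchdog fired because the kernel stopped servicing it, rather than a conventional kernel fault), the kernel build, the secure-boot flag, the panicking task's lr/fp backtrace and the pid table. The following is an added example, not code from the post or from c0ntex/g0tcha: a small Python triage script that parses such a log with `plistlib` and pulls those fields out. The embedded sample is the log from this post with the task table trimmed; the function and field names are my own choices.

```python
"""Triage helper for an iPhone OS 1.x CrashReporter panic .plist.

Added example (not from the original post). Parses the plist with plistlib,
then extracts the useful fields from the free-text 'description' string.
"""
import plistlib
import re
from dataclasses import dataclass

# Sample input: the panic log from the post above, task table trimmed,
# embedded here so the example runs offline.
SAMPLE_PANIC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>bug_type</key>
<string>110</string>
<key>description</key>
<string>Incident Identifier: CA1C11E9-7607-4A85-93DE-8EB91D58B3C3
CrashReporter Key: f0feeb183ddcb5c5b291efdc094414a39ce0f837
Date/Time: 2008-01-22 13:30:41.464 +0000
OS Version: OS X 1.1.2 (3B48b)
Debugger message: WDT timeout
OS version: 3B48b
Kernel version: Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:50 PDT 2007; root:xnu-933.0.0.204.obj~7/RELEASE_ARM_S5L8900XRB
iBoot version: iBoot-204.2.9
secure boot?: YES
Paniclog version: 1
Task 0xc0817dc8: 66 threads: pid 0: kernel_task
thread 0xc093c000
kernel backtrace: e37e3b08
lr: 0xc0061fb3 fp: 0xe37e3b2c
lr: 0xc006219b fp: 0xe37e3b44
lr: 0xc0493070 fp: 0xe37e3f6c
lr: 0xc0141d79 fp: 0xe37e3f80
lr: 0xc0028175 fp: 0xe37e3fa8
lr: 0xc00609f8 fp: 0x00000000
Task 0xc0817c40: 3 threads: pid 1: launchd
Task 0xc0817000: 10 threads: pid 189: SpringBoard
Task 0xc12f1498: 6 threads: pid 230: MobileSafari
</string>
<key>system_ID</key>
<string></string>
</dict>
</plist>
"""

_TASK_RE = re.compile(r"^Task 0x[0-9a-fA-F]+: (\d+) threads: pid (\d+): (\S+)$")
_FRAME_RE = re.compile(r"^lr:\s*(0x[0-9a-fA-F]+)\s+fp:\s*(0x[0-9a-fA-F]+)$")


@dataclass
class PanicSummary:
    bug_type: str
    incident: str
    debugger_message: str
    kernel_version: str
    secure_boot: bool
    panic_task: str          # "pid N: name" of the task owning the backtrace
    backtrace: list          # [(lr, fp), ...] as ints; last frame has fp == 0
    tasks: dict              # pid -> process name


def _field(desc: str, label: str) -> str:
    """Return the value of a 'Label: value' line in the description, or raise."""
    m = re.search(r"^" + re.escape(label) + r":\s*(.+)$", desc, re.MULTILINE)
    if not m:
        raise ValueError(f"panic log missing field: {label}")
    return m.group(1).strip()


def parse_panic(data: bytes) -> PanicSummary:
    plist = plistlib.loads(data)
    desc = plist["description"]
    tasks, backtrace = {}, []
    panic_task = current_task = ""
    for raw in desc.splitlines():
        line = raw.strip()
        if (m := _TASK_RE.match(line)):
            _threads, pid, name = m.groups()
            tasks[int(pid)] = name
            current_task = f"pid {pid}: {name}"
        elif line.startswith("kernel backtrace:"):
            panic_task = current_task  # backtrace belongs to the last Task line seen
        elif (m := _FRAME_RE.match(line)):
            lr, fp = (int(x, 16) for x in m.groups())
            backtrace.append((lr, fp))
    return PanicSummary(
        bug_type=str(plist.get("bug_type", "")),
        incident=_field(desc, "Incident Identifier"),
        debugger_message=_field(desc, "Debugger message"),
        kernel_version=_field(desc, "Kernel version"),
        secure_boot=_field(desc, "secure boot?").upper() == "YES",
        panic_task=panic_task,
        backtrace=backtrace,
        tasks=tasks,
    )


def is_watchdog_panic(s: PanicSummary) -> bool:
    """True when the watchdog fired (kernel hung) rather than a fault being reported."""
    return s.debugger_message.startswith("WDT timeout")


def pid_of(s: PanicSummary, name: str):
    """Pid of a named process in the task table, or None if it was not running."""
    return next((pid for pid, n in s.tasks.items() if n == name), None)


if __name__ == "__main__":
    s = parse_panic(SAMPLE_PANIC)
    print(f"{s.incident}: {s.debugger_message} (watchdog={is_watchdog_panic(s)})")
    print(f"panic in {s.panic_task}, {len(s.backtrace)} frames, MobileSafari pid {pid_of(s, 'MobileSafari')}")
```

Note that the backtrace is only lr/fp pairs with no symbol names; resolving them needs the kernelcache for that exact build (`xnu-933.0.0.204`), which is why the script records the kernel version string alongside the frames.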
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/