Racoon String Format Overflow Exploit

Using a fuzzer, a format string vulnerability was found in the racoon configuration parsing code. racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It ships by default with iOS and is started when you set up an IPsec connection.

The exploitation of this format string vulnerability differs from the approach used in 2001.

For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command:

racoon-exploit.conf is a large (682KB) configuration file that exploits the format string bug to get the unsigned code started. It looks like this:

    sainfo address ::1 icmp6 address ::1 icmp6 {
        my_identifier user_fqdn "%224u%402$hhn";
        my_identifier user_fqdn "%207u%619$hhn";
        my_identifier user_fqdn "%225u%402$hhn";
        my_identifier user_fqdn "%227u%619$hhn";
        my_identifier user_fqdn "%226u%402$hhn";
        my_identifier user_fqdn "%39u%619$hhn";
        ...
        my_identifier user_fqdn "%55u%625$hhn";
        my_identifier user_fqdn "%214u%619$hhn";
        my_identifier user_fqdn "%204u%625$hhn";
    }

The format string bug is used to copy the ROP bootstrap payload into memory and to execute it by overwriting a saved LR on the racoon stack with the address of a stack pivot gadget.
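As an added illustration from the defensive side (not code from the page or from racoon itself), the following C shows the class of bug involved: a scanner that flags memory-writing `%n`-family directives such as the `%402$hhn` values above in `my_identifier` strings, and the hardened logging idiom in which the untrusted identifier is passed as data rather than as the format. The function names, the sample configuration lines and the `identifier:` prefix are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Count format directives that write to memory ('n' conversions such as
 * "%402$hhn") in an untrusted string. Any non-zero result means the string
 * must never reach printf-family code as the format argument. */
int count_write_directives(const char *s)
{
    int writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" is a literal percent sign */
            continue;
        /* skip flags, width, precision, positional "N$" and length modifiers */
        while (*p && strchr("0123456789$#-+ .hlLqjzt", *p))
            p++;
        if (*p == 'n')
            writes++;
        else if (!*p)           /* string ended inside a directive */
            break;
    }
    return writes;
}

/* Pull the quoted value out of a (constructed) configuration line such as
 *   my_identifier user_fqdn "%224u%402$hhn";
 * into buf and return how many memory-writing directives it contains,
 * or -1 when the line carries no quoted value. */
int scan_identifier_line(const char *line, char *buf, size_t buflen)
{
    const char *open = strchr(line, '"');
    const char *close = open ? strchr(open + 1, '"') : NULL;
    if (!open || !close)
        return -1;
    size_t len = (size_t)(close - open - 1);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, open + 1, len);
    buf[len] = '\0';
    return count_write_directives(buf);
}

/* Hardened logging: the format is a constant and the identifier is passed
 * as data, so "%hhn" inside it is printed, not interpreted. The vulnerable
 * pattern is snprintf(out, n, id), with the untrusted id as the format. */
int log_identifier_safe(char *out, size_t n, const char *id)
{
    return snprintf(out, n, "identifier: %s", id);
}
```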

The ROP bootstrap payload copies the ROP exploit payload from the payload file distributed with Corona, then stack pivots to it. The idea is to escape from the format strings as fast as possible, because they are CPU-time consuming.

The ROP exploit payload triggers the kernel exploit (see HFS Heap Overflow).

The exploit was supposedly patched in iOS 5.1 and 6.0, but it wasn't completely patched until iOS 13.3.1.

Credit

 * pod2g for finding this vulnerability and writing a working exploit