Timezone Vulnerability

There is a flaw in lockdownd:

    MOVW   R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone"
    MOVW   R1, #0x1FF                     ; mode_t -> 0777
    MOVT.W R0, #4
    ADD    R0, PC                         ; char *
    BLX    _chmod

This means chmod("/private/var/db/timezone", 0777) is executed without any further checks, on every launch of lockdownd. Through MobileBackup, /private/var/db/timezone can be replaced with a symbolic link pointing to any other file; crashing lockdownd with a malformed property list (see Malformed PairRequest) so that it relaunches then causes the permission change to be applied to the symlink's target.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.

Usage

 * evasi0n jailbreak

Credits

 * evad3rs