Timezone Vulnerability

There is a flaw in lockdownd: MOVW  R0, #(aPrivateVarDbTi-0x4DB8A) ; "/private/var/db/timezone" MOVW  R1, #0x1FF                     ; mode_t -> 0777 MOVT.W R0, #4 ADD   R0, PC                         ; char * BLX   _chmod

This means  without any further checks and is executed on every launch. By setting a symbolic link on  though MobileBackup and pointing the symlink to any other file and crashing lockdownd by sending it a malformed property list (see Malformed PairRequest) to make it relaunch causes it to perform the actual permission change on any file.

This vulnerability is CVE-2013-0979 and Apple describes it in the iOS 6.1.3 security fixes like this:

Lockdown Impact: A local user may be able to change permissions on arbitrary files Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.

Note: At WWJC 2013 pimskeks mentioned that the description in Apple's security fix is wrong. It says "when restoring from backup", although this is totally unrelated to the backup, as the only thing that needs to be done is to restart lockdownd. In evasi0n this was done with a restore (to set a symbolic link to the file), but this vulnerability here is not related to the backup/restore.

Usage

 * evasi0n jailbreak

Credits

 * evad3rs