| Vulnerability in libTiff | |
|---|---|
| Software | iPhone OS 1.0 - 1.1.1 |
| Vulnerable in | libTiff 3.4 - 3.8.1 |
| Fixed in | libTiff 3.8.2 |
| Disclosed | 31 August 2006 |
| Discovered by | Tavis Ormandy |
| CVE | CVE-2006-3459 |
The libTiff Exploit was used to jailbreak iPhone OS 1.0 - 1.1.1. The vulnerability, a stack-based buffer overflow in the library's TIFF directory parsing, was initially discovered by Tavis Ormandy around 1 August 2006, and publicly disclosed on 31 August 2006.
As described in CVE-2006-3459:
Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.[1]
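To make the sentence about `tdir_count` concrete, the following is an added example (my own code, not libtiff's and not from any source cited on this page). It builds a constructed little-endian TIFF whose single directory entry is a PageNumber tag, one of the tags libtiff reads as a pair of SHORTs, parses that entry, and then runs it through a simplified model of the pre-3.8.2 copy (count trusted, two-element stack array) and of the count check that 3.8.2 added. The frame layout, the `FRAME_WORDS` constant that stands in for whatever lies above `v[2]` on the real stack, the 0x4141 filler values and every function name are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFF_SHORT          3
#define TIFFTAG_PAGENUMBER  297   /* read by libtiff as a pair of SHORTs */
#define FRAME_WORDS         8     /* words 0-1 model `uint16 v[2]`; words 2-7 model
                                     whatever sits above it in the stack frame (assumed) */

typedef struct {
    uint16_t tag;
    uint16_t type;
    uint32_t count;            /* tdir_count, taken straight from the file */
    uint32_t value_or_offset;  /* value inline if it fits in 4 bytes, else a file offset */
    uint32_t entry_offset;     /* position of this 12-byte entry in the file */
} tiff_dir_entry;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed input: a little-endian TIFF with one IFD holding a single
 * PageNumber entry of `count` SHORTs (0x4141, 0x4242, ...). Returns the length. */
static size_t build_tiff(uint8_t *buf, size_t cap, uint32_t count) {
    size_t data = 26;                        /* header 8 + IFD count 2 + entry 12 + next-IFD 4 */
    size_t len = data + (size_t)count * 2;
    if (len > cap) return 0;
    memset(buf, 0, len);
    buf[0] = 'I'; buf[1] = 'I'; wr16(buf + 2, 42); wr32(buf + 4, 8);
    wr16(buf + 8, 1);                        /* one directory entry */
    wr16(buf + 10, TIFFTAG_PAGENUMBER);
    wr16(buf + 12, TIFF_SHORT);
    wr32(buf + 14, count);                   /* the attacker-chosen tdir_count */
    for (uint32_t i = 0; i < count; i++)
        wr16(buf + data + (size_t)i * 2, (uint16_t)(0x4141 + 0x0101 * i));
    if (count * 2 <= 4) memcpy(buf + 18, buf + data, count * 2);   /* inline value */
    else wr32(buf + 18, (uint32_t)data);                           /* out-of-line value */
    return len;
}

/* Read the header and the first IFD's entries; -1 on a malformed file. */
static int parse_first_ifd(const uint8_t *buf, size_t len, tiff_dir_entry *out, size_t max_out) {
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return -1;
    uint32_t ifd = rd32(buf + 4);
    if ((size_t)ifd + 2 > len) return -1;
    uint16_t n = rd16(buf + ifd);
    if (n > max_out || (size_t)ifd + 2 + (size_t)n * 12 + 4 > len) return -1;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        out[i].tag = rd16(e);
        out[i].type = rd16(e + 2);
        out[i].count = rd32(e + 4);
        out[i].value_or_offset = rd32(e + 8);
        out[i].entry_offset = ifd + 2 + (uint32_t)i * 12;
    }
    return n;
}

/* Where the entry's value bytes live; NULL if they fall outside the file. */
static const uint8_t *entry_data(const tiff_dir_entry *d, const uint8_t *file, size_t len, size_t nbytes) {
    size_t off = nbytes <= 4 ? (size_t)d->entry_offset + 8 : (size_t)d->value_or_offset;
    if (off > len || nbytes > len - off) return NULL;
    return file + off;
}

/* Pre-3.8.2 shape: tdir_count is trusted, so `count` SHORTs are copied into a
 * two-element stack array. Returns the number of words written. The real code
 * has no cap; this model stops at the end of the modelled frame so the
 * clobbering stays observable instead of crashing the process. */
static int fetch_short_pair_vulnerable(const tiff_dir_entry *d, const uint8_t *file, size_t len,
                                       uint16_t frame[FRAME_WORDS]) {
    if (d->type != TIFF_SHORT) return 0;
    const uint8_t *src = entry_data(d, file, len, (size_t)d->count * 2);
    if (!src) return 0;                      /* the only check: the data exists in the file */
    uint32_t n = d->count < FRAME_WORDS ? d->count : FRAME_WORDS;
    for (uint32_t i = 0; i < n; i++) frame[i] = rd16(src + (size_t)i * 2);
    return (int)n;
}

/* 3.8.2 shape: a pair tag may carry at most two values; anything else is
 * rejected before any copy happens. Returns 1 and fills `pair` on success. */
static int fetch_short_pair_hardened(const tiff_dir_entry *d, const uint8_t *file, size_t len,
                                     uint16_t pair[2]) {
    if (d->type != TIFF_SHORT || d->count > 2) return 0;   /* sanity check on tdir_count */
    const uint8_t *src = entry_data(d, file, len, (size_t)d->count * 2);
    if (!src) return 0;
    pair[0] = pair[1] = 0;
    for (uint32_t i = 0; i < d->count; i++) pair[i] = rd16(src + (size_t)i * 2);
    return 1;
}

/* End-to-end helpers over a constructed file whose entry has `count` SHORTs. */
static uint16_t vulnerable_frame_word(uint32_t count, int idx) {
    uint8_t file[4096]; tiff_dir_entry e[1]; uint16_t frame[FRAME_WORDS] = {0};
    size_t len = build_tiff(file, sizeof file, count);
    if (idx < 0 || idx >= FRAME_WORDS || parse_first_ifd(file, len, e, 1) != 1) return 0;
    fetch_short_pair_vulnerable(&e[0], file, len, frame);
    return frame[idx];
}

static int hardened_accepts(uint32_t count) {
    uint8_t file[4096]; tiff_dir_entry e[1]; uint16_t pair[2];
    size_t len = build_tiff(file, sizeof file, count);
    return parse_first_ifd(file, len, e, 1) == 1 && fetch_short_pair_hardened(&e[0], file, len, pair);
}

int main(void) {
    printf("count 4, vulnerable: word just above v[] now holds 0x%04x\n", vulnerable_frame_word(4, 2));
    printf("count 4, hardened:   %s\n", hardened_accepts(4) ? "accepted" : "rejected");
    printf("count 2, hardened:   %s\n", hardened_accepts(2) ? "accepted" : "rejected");
    return 0;
}
```

With a count of 4 the unchecked copy writes two words past `v[2]`, and the file bytes land in whatever the frame model places there; a real exploit uses a far larger `tdir_count` so the copy reaches the saved return address. The hardened path never touches the data for a bad count, which is the whole fix: the bound is enforced on the field that the attacker controls, before the copy, rather than trusting the file to respect the tag's definition.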
The exploit was first used to execute homebrew on PlayStation Portable firmware versions 2.00 - 2.80. Credit for it was given to the Noobz team, consisting of psp250, Skylark, Joek2100, CSwindle, JimP, and Fanjita.[2] On 28 August 2006, a proof-of-concept was released as "hello_world.tif". Upon opening the file in the photo viewer, it would display a full-screen message to indicate successful code execution.[3]
Over a year later, on 10 October 2007, iPhone OS was found to be using a vulnerable version of libTiff. cmw and Dre adapted the exploit to jailbreak the iPod touch. cmw, also known as Niacin at the time, had been involved in development of a prior libTiff exploit against PSP firmware 1.00 - 2.00.[4]
On 12 October 2007, the ported exploit was released as touchFree, the first jailbreak for iPod touch. On 15 October 2007, exploit implementations were added to Metasploit as safari_libtiff and mobilemail_libtiff. On 21 October 2007, the exploit source was released on cmw's blog.
On 28 October 2007, AppSnapp was released, making use of the exploit from a web page. The exploit had the benefit of working on iPhones that had not been activated with a supported carrier, through a bug in the "emergency call" function of the activation screen. The device was able to launch Safari, where the user could execute the jailbreak. It is considered the first user-friendly jailbreak.
Credit for the complete iPhone OS exploit implementation was given to Tavis Ormandy, cmw, Dre, Metasploit, rezn, dinopio, drudge, kroo, pumpkin, davidc, dunham, planetbeing, and NerveGas.
External Links
- itiff_exploit.cpp
- iOS 1.1.1 Jailbreak by Cipher: Overview of compiling the exploit