libTiff Exploit
Vulnerability in libTiff
Software: iPhone OS 1.0 - 1.1.1
Vulnerable in: 3.4 - 3.8.1
Fixed in: 3.8.2
Disclosed: 31 August 2006 (2006-08-31)
Discovered by: Tavis Ormandy
CVE: CVE-2006-3459

The libTiff Exploit was used to jailbreak iPhone OS 1.0 - 1.1.1. The memory corruption vulnerability was initially discovered by Tavis Ormandy around 1 August 2006 (2006-08-01), and publicly disclosed on 31 August 2006 (2006-08-31).

As described in CVE-2006-3459:

Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.[1]
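
The count check at the heart of this bug class, as an added example that is not libtiff's code: a minimal reader for one 12-byte TIFF directory entry that refuses to fetch a two-SHORT tag such as PageNumber unless tdir_count is exactly 2, so an oversized count can never drive a copy into a fixed two-element stack buffer. The little-endian layout and the two sample entries are constructed for this example.

```c
#include <stdint.h>

/* A classic TIFF IFD entry is 12 bytes: tag(2) type(2) count(4) value/offset(4).
 * Little-endian ("II") byte order is assumed for this constructed example. */
#define TIFF_SHORT 3

typedef struct {
    uint16_t tag, type;
    uint32_t count;          /* tdir_count: entirely attacker-controlled */
    uint32_t value;          /* inline data when it fits in 4 bytes */
} ifd_entry;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

static void parse_entry(const uint8_t raw[12], ifd_entry *e)
{
    e->tag = le16(raw);  e->type = le16(raw + 2);
    e->count = le32(raw + 4);  e->value = le32(raw + 8);
}

/* Hardened short-pair fetch. The bug class in CVE-2006-3459 is a fetch that
 * trusts tdir_count and copies that many elements into a two-element stack
 * array; here the count is validated before anything is written to out[2].
 * Returns 1 on success, 0 when the entry is rejected. */
int fetch_short_pair(const uint8_t raw[12], uint16_t out[2])
{
    ifd_entry e;
    parse_entry(raw, &e);
    if (e.type != TIFF_SHORT || e.count != 2)
        return 0;            /* wrong type or count: reject, never truncate silently */
    out[0] = (uint16_t)(e.value & 0xFFFF);   /* two SHORTs fit inline in the value field */
    out[1] = (uint16_t)(e.value >> 16);
    return 1;
}

/* Constructed sample entries: PageNumber (tag 297) "0 of 5" with count 2, and
 * the same entry with count 0x10000000, the oversized-count shape the CVE describes. */
static const uint8_t SAMPLE_OK[12]  = {0x29,0x01, 0x03,0x00, 0x02,0x00,0x00,0x00, 0x00,0x00,0x05,0x00};
static const uint8_t SAMPLE_BAD[12] = {0x29,0x01, 0x03,0x00, 0x00,0x00,0x00,0x10, 0x00,0x00,0x05,0x00};

/* Result helpers so the outcome can be checked without printing. */
int sample_ok_accepted(void)  { uint16_t v[2]; return fetch_short_pair(SAMPLE_OK, v) && v[0] == 0 && v[1] == 5; }
int sample_bad_rejected(void) { uint16_t v[2]; return fetch_short_pair(SAMPLE_BAD, v) == 0; }
```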

The exploit was first used to execute homebrew on PlayStation Portable firmware versions 2.00 - 2.80. Credit for it was given to the Noobz team, consisting of psp250, Skylark, Joek2100, CSwindle, JimP, and Fanjita.[2] On 28 August 2006 (2006-08-28), a proof-of-concept was released as "hello_world.tif". Upon opening the file in the photo viewer, it would display a full-screen message to indicate successful code execution.[3]

Over a year later, on 10 October 2007 (2007-10-10), iPhone OS was found to be using a vulnerable version of libTiff. cmw and Dre adapted the exploit to jailbreak the iPod touch. cmw, also known as Niacin at the time, had been involved in development of a prior libTiff exploit against PSP firmware 1.00 - 2.00.[4]

On 12 October 2007 (2007-10-12), the ported exploit was released as touchFree, the first jailbreak for iPod touch.

On 15 October 2007 (2007-10-15), exploit implementations were added to Metasploit as safari_libtiff and mobilemail_libtiff.

On 21 October 2007 (2007-10-21), the exploit source was released on cmw's blog.

On 28 October 2007 (2007-10-28), AppSnapp was released, making use of the exploit from a web page. The exploit had the benefit of working on iPhones that had not been activated with a supported carrier, through a bug in the "emergency call" function of the activation screen. The device was able to launch Safari, where the user could execute the jailbreak. It is considered the first user-friendly jailbreak.

Credit for the complete iPhone OS exploit implementation was given to Tavis Ormandy, cmw, Dre, Metasploit, rezn, dinopio, drudge, kroo, pumpkin, davidc, dunham, planetbeing, and NerveGas.
