Malformed PairRequest

By sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but it is used in the Timezone Vulnerability to restart lockdownd to change file permissions.

Normally, lockdownd expects data (NSData) to be sent as the PairRequest. However, evasi0n sends a boolean (NSNumber) which causes lockdownd to crash with an Objective-C unrecognized selector error.

Usage

evasi0n jailbreak

Credits

evad3rs

References

Slides from HITB presentation in Amsterdam 2013
Accuvant Labs analysis of evasi0n Archived 2013-12-27 at the Wayback Machine

v t e Exploits
Exploits	0x24000 Segment Overflow ARM Exception Vector Info Leak ARM7 Go alloc8 Exploit amfid Lazy Binding Exploit amfid Text Relocation Exploit BPF_STX Kernel Write Exploit blackbird Exploit CVE-2013-0964 CVE-2021-30773 CVE-2021-30807 CVE-2021-30883 checkm8 Exploit CoreTrust Root Certificate Validation Vulnerability De Rebus Antiquis diags (iBoot command) Dual Boot Exploit Dynamic memmove() locating HFS Heap Overflow HFS Legacy Volume Name Stack Buffer Overflow iOS 5 HFS Heap Buffer Overflow IOSurface Kernel Exploit IOUSBDeviceFamily Vulnerability Incomplete Codesign Exploit Kernel memory write via ROP gadget libTiff Exploit limera1n Exploit Malformed CFF Vulnerability Malformed PairRequest MobileBackup Copy Exploit Overlapping Segment Attack posix_spawn kernel information leak Psychic Paper Pwnage Pwnage 2.0 Racoon String Format Overflow Exploit Ramdisk Hack SHA-1 Image Segment Overflow Shebang Trick Symbolic Link Vulnerability T1 Font Integer Overflow Timezone Vulnerability usb_control_msg(0x21, 2) Exploit usb_control_msg(0xA1, 1) Exploit v0rtex vm_map_copy_t corruption for arbitrary memory disclosure
Patches	/private/etc/fstab AMFI Binary Trust Cache Patch ASR Crazeles hgsp4 patch Hunnypot Kernel Patches PE_i_can_has_debugger Patch Sandbox Patch Signature Check Patch vm_map_enter Patch vm_map_protect Patch

Usage

Credits

See Also

References