Sending lockdownd a malformed property list for the PairRequest command causes lockdownd to crash and restart. This is probably non-exploitable, but it is used in the Timezone Vulnerability to restart lockdownd to change file permissions.
Normally, lockdownd expects data (NSData) to be sent as the PairRequest. However, evasi0n sends a boolean (NSNumber), which causes lockdownd to crash with an Objective-C unrecognized selector error.
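The type check whose absence leads to this crash, as an added example (not lockdownd's code and not from the original page): a handler that verifies the type of every property-list value before using it, so a boolean sent where data is expected is rejected instead of reaching code that assumes data. The key names `Command` and `Payload` and the sample messages are hypothetical, constructed for illustration.

```python
import plistlib

# Hypothetical schema (assumption): the page only states that data is
# expected; these key names are not lockdownd's real ones.
SCHEMA = {"Command": str, "Payload": bytes}


def type_errors(message, schema):
    """Return a list of schema violations; an empty list means well-typed."""
    if not isinstance(message, dict):
        return ["top-level object is %s, expected dict" % type(message).__name__]
    errors = []
    for key, expected in schema.items():
        if key not in message:
            errors.append("missing key %r" % key)
            continue
        value = message[key]
        # Compare exact types instead of using isinstance(): bool is a
        # subclass of int in Python, so isinstance() would let a boolean
        # pass wherever an integer is expected.
        if type(value) is not expected:
            errors.append("%s: got %s, expected %s" % (
                key, type(value).__name__, expected.__name__))
    return errors


def handle_request(raw):
    """Parse an untrusted plist and reject it before any typed use."""
    try:
        message = plistlib.loads(raw)
    except Exception as exc:  # plistlib raises several types on bad input
        return ("rejected", ["unparseable plist: %s" % type(exc).__name__])
    errors = type_errors(message, SCHEMA)
    if errors:
        return ("rejected", errors)
    # Only past this point may code treat message["Payload"] as bytes.
    return ("accepted", [])


# Constructed sample messages: one well-typed, one carrying a boolean
# where data is expected (the mismatch the page describes).
WELL_TYPED = plistlib.dumps({"Command": "Example", "Payload": b"\x01\x02"})
WRONG_TYPE = plistlib.dumps({"Command": "Example", "Payload": True})

if __name__ == "__main__":
    for sample in (WELL_TYPED, WRONG_TYPE, b"not a plist"):
        print(handle_request(sample))
```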