ndrv_setspec() Integer Overflow

The ndrv_setspec() Integer Overflow is a vulnerability found in the kernel. i0n1c used this to make the first (publicly released) "untethering" exploit that bypassed Apple's ASLR implementation.

Vulnerability

This exploit was talked about by i0n1c at Blackhat US 2011 in his Exploiting The iOS Kernel presentation starting at slide 41.

Slide #42
Slide #43
Slide #44
Slide #45
Slide #46

v t e Exploits
Exploits	0x24000 Segment Overflow ARM Exception Vector Info Leak ARM7 Go AT+FNS AT+XAPP Vulnerability AT+XEMN Heap Overflow AT+XLOG Vulnerability AT+stkprof amfid Lazy Binding Exploit amfid Text Relocation Exploit BPF_STX Kernel Write Exploit CVE-2013-0964 CVE-2021-30773 CVE-2021-30807 CVE-2021-30883 CoreTrust Root Certificate Validation Vulnerability De Rebus Antiquis diags (iBoot command) Dual Boot Exploit Dynamic memmove() locating Fakeblank HFS Heap Overflow HFS Legacy Volume Name Stack Buffer Overflow iBoot Environment Variable Overflow IOPlatformArgs leak IOSurface Kernel Exploit IOUSBDeviceFamily Vulnerability IPSF Incomplete Codesign Exploit iran JerrySIM Kernel memory write via ROP gadget launchd.conf Untether MacDirtyCow Malformed CFF Vulnerability Malformed PairRequest Minus 0x20000 with Back Extend Erase Minus 0x400 MobileBackup Copy Exploit ndrv_setspec() Integer Overflow Overlapping Segment Attack Packet Filter Kernel Exploit posix_spawn kernel information leak Psychic Paper Pwnage Pwnage 2.0 Racoon String Format Overflow Exploit Ramdisk Hack SHA-1 Image Segment Overflow Shebang Trick ... further results
Patches	/private/etc/fstab AMFI Binary Trust Cache Patch ASR Crazeles hgsp4 patch Hunnypot Kernel Patches PE_i_can_has_debugger Patch Sandbox Patch Signature Check Patch tfp0 patch vm_map_enter Patch vm_map_protect Patch