Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » iOS » iOS
iOS Exploits
iOS Exploits Data
Name | Type | Access Granted | Born Date & iOS Version | Modification Date | Death Date | Found by | Description |
---|---|---|---|---|---|---|---|
Archon | technique | Remote Architecture Detection | (came with purchase) | ||||
Dyonedo | macho-parsing | Codesign Defeat | JDW - GCHQ | ||||
Earth/Eve | Remote Exploit |
Purchased by NSA Shared with CIA Ported by GCHQ |
|||||
Elderpiggy | Sandbox Escape |
Peppermint (NSANational Security Agency VR Contract) Implemented by GCHQ at JDW |
|||||
Ironic | Kernel ASLRAddress Space Layout Randomization Defeat | iOS 8 | Public vulnerability researcher: Steffan Esser (i0nic) |
||||
Nandao | Heap overflow corruption? | Kernel Exploit | GCHQ | ||||
Juggernaut | Purchase- Baitshop | ||||||
Persistence | Execution via symbolic links | Reboot Persistence | June 2013, JDWDevelopment Facility of GCHQ XXXX | June 2014, JDWDevelopment Facility of GCHQ XXXX | CIA | By selecting specific executables on the system partition that are run with root privileges, a symbolic link can be created (on iOS 7.x) or an existing file can be overwritten(iOS 8.x) that will run our bootstrapper, giving use initial execution on every boot. |
|
Redux | Sandbox misconfiguration | Close Access | June 2012, iOS 6 | 7/15, workaround for missing vpnagent in iOS 8 dev dmgs |
11/17/14, iOS 8.1.1 | GCHQ |
Sandbox Profiles: Available for: iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later |
Rhino | API misuse | Kernel ASLRAddress Space Layout Randomization Defeat | April 2013, iOS 7 | June 2014, iOS 8 Beta 1 | GCHQ | Reads KEXT info that reveals the KASLR values by calling the OSKextCopyLoadedKextInfo function. | |
Sal | Abnormal code path in the kernel |
Codesign Defeat | DATE???, iOS 7 | 2/15, bugfix | FBI, ROU | Copies non-paged sized chunks so that the vm_map_copy_overwrite_unaligned() path is taken in the kernel. This abnormal code path results in pages of memory not being paged in, so the cs_tainted flag is never set on the pages in memory, causing no signature checks. |
|
Saline | Buffer Overflow caused by deserialization parsing error in Foundation library |
ROP execution | DATE???, iOS 8 | 2/15, Productized at TRICLOPS workshop | Purchase - Baitshop | Sending a crafted NSArchiver object to any process that calls NSArchive unarchive method will result in a buffer overflow, allowing for ROP. |
|
Wintersky | Size Mismatch between user and kernel structures |
Kernel ASLRAddress Space Layout Randomization Defeat | DATE???, iOS 8 | NOCTURNALFEARS | WinterSky leaks the kernel address of the ipc_port struct of a user provided mach port. |
||
Xiphos | Validation Issue | Kernel Exploit | March 2014, iOS 7 | 11/14, iOS 8.1.1 | CIA |
Available for: iPhone 4S and later, iPod Touch 5th gen and later, iPad 2 and Later. |
Exploits
Release Date(s) |
Access |
Kernel InfoLeak |
Kernel Exploit |
Sandbox Escape(browser) |
Code Sign Defeat |
Persistence(reboot) |
Persistence(update) |
Kernel Exploit Framework |
||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
iOS 4 (4.0 - 4.3.3) |
Remote |
6/21/2010 - 3/11/2011
|
SafferonSkies |
<NR> |
<NR> | ?? | EarlyKatana | overrides.plist |
No (OTA <NR>) |
|||||||||||||||
Local | SLIDE | <NR> | ||||||||||||||||||||||
iOS 5 (5.0 - 5.1.1) |
Remote | 10/12/2011 - 5/7/2012 | SunsetSkies | <NR> | Corona (5.0.1) | ?? | EarlyKatana | overrides.plist |
Yes (sys not touched) |
|||||||||||||||
Local | SLIDE | <NR> | <NR> | |||||||||||||||||||||
iOS 6 (6.x - 6.1.2) |
Remote | 9/19/2012 - 2/16/2013 | Wby | Rhino | Cutlass | SandShrew |
Katana (libamfi) |
overrides.plist launchd.conf |
block | |||||||||||||||
Local | Redux | <NR> | ||||||||||||||||||||||
iOS 6 (6.1.3 - 6.1.4) |
Remote | 3/19/2013 - 5/2/2013 | Wby | Rhino | Scimitar | SandShrew | Dyonedo | dirhelper | block | |||||||||||||||
Local | Redux | <NR> | ||||||||||||||||||||||
iOS 7 (7.0 - 7.1.2) |
Remote | 9/18/2013 - 6/20/2014 | Eve | <NR> | Xiphos |
Piggy | Dyonedo | dirhelper | block | |||||||||||||||
Local | Redux | <NR> | ||||||||||||||||||||||
iOS 8 (8.0 & 8.0.2) |
Remote | 9/17/2014 - 9/25/2014 |
Earth | Ironic | Nandao | <NR> | Dyonedo | dirhelper | block | Early | ||||||||||||||
Local | Saline | |||||||||||||||||||||||
iOS 8 (8.1 - 8.1.2) |
Remote | 10/10/2014 - 12/19/2014 | Earth | Ironic | Nandao | <NR> | Dyonedo | dirhelper | block | Early | ||||||||||||||
Local | Saline | |||||||||||||||||||||||
iOS 8 (8.1.3 - 8.2) |
Remote | 1/27/2015 - 3/9/2015 | Earth | WinterSky | Nandao | <NR> | Dyonedo | mount NFS | block | Early | ||||||||||||||
Local | Saline | |||||||||||||||||||||||
IOS 8.3 |
Remote | 4/8/2015 | Earth | WinterSky | Nandao | <NR> | Juggernaut | mount NFS | block | Early | ||||||||||||||
Local | Saline | |||||||||||||||||||||||
iOS 8.4 |
Remote | 6/30/2015 | Earth | WinterSky | Nandao | <NR> | Juggernaut | mount NFS | block | Early | ||||||||||||||
Local | Saline | |||||||||||||||||||||||
iOS 9 (9.0 - 9.1) |
Local | 9/16/2015 | Moon | WinterSky | Nandao | <NR> | Juggernaut | mount NFS | block | Early | ||||||||||||||
Remote | Saline | |||||||||||||||||||||||
iOS 9.2 |
Local | 12/8/2015 | Moon | WinterSky | Nandao | <NR> | Juggernaut | mount NFS | block | Early | ||||||||||||||
Remote | Saline | MiniMe | ||||||||||||||||||||||
|
Attachments:
Previous versions:
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 [NSA] [FBI] [GCHQ] [MI5] | 24 [NSA] [FBI] [GCHQ] [MI5] | 25 [NSA] [FBI] [GCHQ] [MI5] | 26 [NSA] [FBI] [GCHQ] [MI5] | 27 [NSA] [FBI] [GCHQ] [MI5] | 28 [NSA] [FBI] [GCHQ] [MI5] | 29 [NSA] [FBI] [GCHQ] [MI5] | 30 [NSA] [FBI] [GCHQ] [MI5] | 31 [NSA] [FBI] [GCHQ] [MI5] | 32 [NSA] [FBI] [GCHQ] [MI5] | 33 [NSA] [FBI] [GCHQ] [MI5] | 34 [NSA] [FBI] [GCHQ] [MI5] | 35 [NSA] [FBI] [GCHQ] [MI5] | 36 [NSA] [FBI] [GCHQ] [MI5] | 37 [NSA] [FBI] [GCHQ] [MI5] | 38 [NSA] [FBI] [GCHQ] [MI5] | 39 [NSA] [FBI] [GCHQ] [MI5] | 40 [NSA] [FBI] [GCHQ] [MI5] | 41 [NSA] [FBI] [GCHQ] [MI5] | 42 [NSA] [FBI] [GCHQ] [MI5] | 43 [NSA] [FBI] [GCHQ] [MI5] | 44 [NSA] [FBI] [GCHQ] [MI5] | 45 [NSA] [FBI] [GCHQ] [MI5] | 46 [NSA] [FBI] [GCHQ] [MI5] | 47 [NSA] [FBI] [GCHQ] [MI5] |