Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
iOS Exploits
iOS Exploits Data
Name | Type | Access Granted | Born Date & iOS Version | Modification Date | Death Date | Found by | Description |
---|---|---|---|---|---|---|---|
Archon | Remote Architecture Detection | ||||||
Dyonedo | Codesign Defeat | ||||||
Earth | Remote Exploit | ||||||
Eve | Remote Exploit | ||||||
Elderpiggy | Sandbox Escape | ||||||
Ironic | Kernel ASLRAddress Space Layout Randomization Defeat | ||||||
Nandao | Kernel Exploit | ||||||
Persistence | Reboot Persistence | ||||||
Redux | Close Access | ||||||
Rhino | Kernel ASLRAddress Space Layout Randomization Defeat | April 2013, iOS 7 | June 2014, iOS 8 Beta 1 | GCHQ | |||
Sal | Abnormal code path in the kernel |
Codesign Defeat | DATE???, iOS 7 | 2/15, bugfix | FBI, ROU | Copies non-paged sized chunks so that the vm_map_copy_overwrite_unaligned() path is taken in the kernel. This abnormal code path results in pages of memory not being paged in, so the cs_tainted flag is never set on the pages in memory, causing no signature checks. |
|
Saline | Buffer Overflow caused by deserialization parsing error in Foundation library |
ROP execution | DATE???, iOS 8 | 2/15, Productized at TRICLOPS workshop | Sending a crafted NSArchiver object to any process that calls NSArchive unarchive method will result in a buffer overflow, allowing for ROP. |
||
Wintersky | Size Mismatch between user and kernel structures |
Kernel ASLRAddress Space Layout Randomization Defeat | DATE???, iOS 8 | NOCTURNALFEARS??? | WinterSky leaks the kernel address of the ipc_port struct of a user provided mach port. |
||
Xiphos | Validation Issue | Kernel Exploit | March 2014, iOS 7 | 11/14, iOS 8.1.1 | User #77365 |
Available for: iPhone 4S and later, iPod Touch 5th gen and later, iPad 2 and Later. |
Exploits
iOS 4 (4.0 - 4.3.3) | iOS 5 (5.0 - 5.1.1) | iOS 6 (6.x - 6.1.2) | iOS 6.1.3 - 6.1.4 | iOS 7 | iOS 8 | |||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Remote | Local | Remote | Local | Remote | Local | Remote | Local | Remote | Local | Remote | Local | |
Kernel Info Leak | <NR> | <NR> | <NR> | <NR> | rhino | rhino | rhino | rhino | <NR> | <NR> | ||
Sandbox Escape (browser) | ?? | <NR> | ?? | <NR> | sandshrew | <NR> | sandshrew | <NR> | piggy | <NR> | <XX> | |
Kernel Exploit | <NR> | <NR> | <NR>, CORONA(5.0.1) | <NR> | cutlass |
cutlass |
scimitar | scimitar | xiphos | xiphos | nandao | nandao |
code sign defeat | EARLYKATANA | EARLYKATANA | EARLYKATANA | EARLYKATANA | katana (libamfi) | katana (libamfi) | dyonedo | dyonedo | dyonedo | dyonedo | <XX> | <XX> |
Access | SAFFRONSKIES (4.3 only?) | SLIDE | SUNSETSKIES | SLIDE | wby | redux | wby | redux | eve | redux | eve | redux (beta dmg) |
persistence (reboot) | overrides.plist | overrides.plist | overrides.plist | overrides.plist | overrides.plist / launchd.conf |
overrides.plist / launchd.conf |
dirhelper | dirhelper | dirhelper | dirhelper | <XX> | <XX> |
persistence (update) | NO (OTA <NR>) | NO (OTA <NR>) | YES(sys not touched) | YES(sys not touched) | block | block | block | block | block | block | ||
XX = required, but not available. <NR> = not required ?? - Unknown / some else fill this in
|