A web-based method for jailbreaking an iPhone has been made public, highlighting a critical vulnerability in Apple’s iOS. This vulnerability affects iOS versions 3.1.2 to 4.0.1, and all models of iPhone, iPod touch and iPad.
Visiting a web site set up to perform this jailbreak operation will lead to the download of a PDF file, which contains code that exploits this vulnerability. While this can be used to jailbreak a phone, it could also be used to compromise iOS devices. With a slight modification, this process could occur without any user notification or intervention.
The corrupted PDF file (there is one file per iOS version and hardware model; there are a total of 19 different files) is embedded into a web page in an IFRAME so Safari will display it automatically without any user interaction. The PDF file contains an embedded Type1c font that is corrupted and that contains exploit code necessary to download the jailbreak code. (This can also contain other malicious code.) This code is then executed in the kernel space through an IOSurface (IOKit) memory allocation bug, obtaining root privileges and bypassing code signing protection and sandboxing.
The executed shellcode downloads a 3.9 MB file from the jailbreak site and executes it with root privileges. The URL from which the file is downloaded is hard-coded in the corrupted font; this makes it trivial for any malicious person to change the URL so that the same type of PDF could download and execute other kinds of payload.
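As an added defender-side example (not code from the original post or from Intego's products), the Python triage scanner below walks a PDF's embedded Type1C font streams and flags any that fail to decode or that carry a hard-coded URL, the indicator described above. The minimal PDF builder, its object layout and the URL are constructed for the example; the scanner assumes direct /Length values and FlateDecode-only compression.

```python
import re
import zlib

# Regexes for a deliberately simple, read-only PDF walk: object header plus
# dictionary, then the start of its stream. Direct /Length values only; an
# indirect "/Length n 0 R" is treated as unknown (assumption of this example).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def scan_pdf(pdf: bytes) -> list:
    """Return (object number, indicator, detail) for every Type1C font stream
    that fails to decode or that carries a hard-coded URL."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        objnum, dictionary = m.group(1).decode(), m.group(2)
        if b"/Type1C" not in dictionary:
            continue  # only embedded CFF (FontFile3 /Type1C) fonts are of interest here
        length = LEN_RE.search(dictionary)
        body = pdf[m.end():m.end() + int(length.group(1))] if length else b""
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                findings.append((objnum, "type1c_stream_undecodable", ""))
                continue
        urls = URL_RE.findall(body)
        if urls:
            findings.append((objnum, "type1c_embedded_url", urls[0].decode("ascii", "replace")))
    return findings

def build_sample_pdf(font_body: bytes, compress: bool = True) -> bytes:
    """Constructed sample: a minimal PDF with one embedded Type1C font stream.
    This is not an exploit file, just enough structure for scan_pdf to walk."""
    data = zlib.compress(font_body) if compress else font_body
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Font /Subtype /Type1 /FontDescriptor 2 0 R >> endobj\n"
        b"2 0 obj << /Type /FontDescriptor /FontFile3 3 0 R >> endobj\n"
        b"3 0 obj << /Subtype /Type1C " + filt + b"/Length " + str(len(data)).encode()
        + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n"
    )

if __name__ == "__main__":
    # Constructed font body: a few header-like bytes followed by a hard-coded URL.
    suspicious = build_sample_pdf(b"\x01\x00\x04\x01http://example.invalid/payload\x00\x00")
    print(scan_pdf(suspicious))  # [('3', 'type1c_embedded_url', 'http://example.invalid/payload')]
    print(scan_pdf(build_sample_pdf(b"\x01\x00\x04\x01" + b"\x00" * 32)))  # []
```

A clean font stream yields no findings, so the scanner is a triage filter for mail or web gateways, not a replacement for a full PDF parser.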
Note that this PDF, with a slight modification, can also be sent by e-mail; the jailbreak process would begin when the user displays the PDF file. Malicious users could therefore create PDFs that are sent by e-mail, and that could cause damage to iOS devices when they are viewed.
Those who set up this jailbreak system are putting a large number of devices at risk. Previous jailbreak methods required the user to launch an application on their computer while the device was connected. But this system, which requires little user intervention, opens up serious risks to iOS devices. The person who discovered this vulnerability should have kept it quiet and contacted Apple, rather than making it public enough that others can now exploit it.
Intego has updated VirusBarrier X6’s threat filters to detect files infected with this exploit under the name exploit:iPhone/Font as of August 3, 2010 to ensure that Mac users who may receive such infected PDFs don’t pass them on to others.