Full Disclosure mailing list archives
iPhone remote DoS :(
From: c0ntex <c0ntexb () gmail com>
Date: Wed, 23 Jan 2008 10:53:58 +0000
Hi, my friend g0tcha and myself came across a remote DoS (I know it sucks) in iPhone (tested on 1.1.2) while looking for a jailbreak for 1.1.3. By browsing to http://open-security.org/ifuk.html you can trigger the following:

    # /Applications/MobileSafari.app/MobileSafari
    2008-01-22 13:27:04.668 MobileSafari[230:d03] Safari got memory level warning, killing all documents except active.
    2008-01-22 13:27:06.081 MobileSafari[230:d03] Safari got memory level warning, killing all documents except active.

which creates a Kernel panic:

    # cat 2008-01-22-133039.panic.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" " http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>bug_type</key>
    <string>110</string>
    <key>description</key>
    <string>Incident Identifier: CA1C11E9-7607-4A85-93DE-8EB91D58B3C3
    CrashReporter Key: f0feeb183ddcb5c5b291efdc094414a39ce0f837
    Date/Time: 2008-01-22 13:30:41.464 +0000
    OS Version: OS X 1.1.2 (3B48b)
    Debugger message: WDT timeout
    OS version: 3B48b
    Kernel version: Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:50 PDT 2007; root:xnu-933.0.0.204.obj~7/RELEASE_ARM_S5L8900XRB
    iBoot version: iBoot-204.2.9
    secure boot?: YES
    Paniclog version: 1
    Task 0xc0817dc8: 66 threads: pid 0: kernel_task
    thread 0xc093c000
    kernel backtrace: e37e3b08
    lr: 0xc0061fb3 fp: 0xe37e3b2c
    lr: 0xc006219b fp: 0xe37e3b44
    lr: 0xc0493070 fp: 0xe37e3f6c
    lr: 0xc0141d79 fp: 0xe37e3f80
    lr: 0xc0028175 fp: 0xe37e3fa8
    lr: 0xc00609f8 fp: 0x00000000
    Task 0xc0817c40: 3 threads: pid 1: launchd
    Task 0xc0817930: 2 threads: pid 13: SMST
    Task 0xc0817498: 13 threads: pid 16: BTServer
    Task 0xc0817310: 10 threads: pid 17: CommCenter
    Task 0xc1025dc8: 5 threads: pid 20: configd
    Task 0xc1025c40: 1 threads: pid 21: crashreporterd
    Task 0xc1025ab8: 1 threads: pid 22: cron
    Task 0xc1025930: 5 threads: pid 23: iapd
    Task 0xc10257a8: 2 threads: pid 24: mDNSResponder
    Task 0xc1025620: 4 threads: pid 25: lockdownd
    Task 0xc1025498: 3 threads: pid 26: syslogd
    Task 0xc1025310: 1 threads: pid 27: update
    Task 0xc1025188: 2 threads: pid 28: ptpd
    Task 0xc12f1dc8: 2 threads: pid 30: notifyd
    Task 0xc0817620: 2 threads: pid 187: dock
    Task 0xc0817ab8: 2 threads: pid 188: ants
    Task 0xc0817000: 10 threads: pid 189: SpringBoard
    Task 0xc12f1930: 2 threads: pid 190: MobilePhone
    Task 0xc12f1ab8: 1 threads: pid 212: afcd
    Task 0xc12f1c40: 2 threads: pid 214: notification_pro
    Task 0xc12f1620: 1 threads: pid 228: sshd
    Task 0xc12f17a8: 1 threads: pid 229: sh
    Task 0xc12f1498: 6 threads: pid 230: MobileSafari
    Task 0xc08177a8: 14 threads: pid 231: mediaserverd
    </string>
    <key>system_ID</key>
    <string></string>
    </dict>
    </plist>

The code I have used is ripped from MOBB - thanks HDM!! - anyway, we can't seem to exploit this bug, but still working on it AND some other little things - Anyway, happy iPhoning (or browsing and wondering what to do with your brick if you updated to 1.1.3) :ppp.

--
regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
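
A triage sketch for panic reports in the layout quoted in the message above, added here as an example and not part of the original post: it loads the plist with Python's plistlib and extracts the debugger message, the backtrace return addresses and the per-task thread counts. The sample input is constructed (abbreviated from the quoted log), the function names parse_panic and is_watchdog_panic are hypothetical, and reading "WDT" as the watchdog timer is an assumption.

```python
import plistlib
import re

# Constructed sample: an abbreviated panic plist in the layout quoted in the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>bug_type</key>
<string>110</string>
<key>description</key>
<string>OS Version: OS X 1.1.2 (3B48b)
Debugger message: WDT timeout
Paniclog version: 1
Task 0xc0817dc8: 66 threads: pid 0: kernel_task
thread 0xc093c000
kernel backtrace: e37e3b08
lr: 0xc0061fb3 fp: 0xe37e3b2c
lr: 0xc00609f8 fp: 0x00000000
Task 0xc0817c40: 3 threads: pid 1: launchd
Task 0xc12f1498: 6 threads: pid 230: MobileSafari
</string>
<key>system_ID</key>
<string></string>
</dict>
</plist>"""

TASK_RE = re.compile(r"^Task 0x[0-9a-f]+: (\d+) threads: pid (\d+): (.+)$", re.M)
FRAME_RE = re.compile(r"^lr: (0x[0-9a-f]+) fp: (0x[0-9a-f]+)$", re.M)
FIELD_RE = re.compile(r"^(Debugger message|OS Version): (.+)$", re.M)

def parse_panic(raw: bytes) -> dict:
    """Return the triage-relevant fields of a panic plist."""
    doc = plistlib.loads(raw)
    text = doc.get("description", "")
    fields = dict(FIELD_RE.findall(text))
    return {
        "bug_type": doc.get("bug_type"),
        "reason": fields.get("Debugger message"),
        "os_version": fields.get("OS Version"),
        # Return addresses (lr) of the panicking kernel thread, outermost last.
        "backtrace": [lr for lr, _fp in FRAME_RE.findall(text)],
        # Process name -> (pid, thread count) at the time of the panic.
        "tasks": {name.strip(): (int(pid), int(n))
                  for n, pid, name in TASK_RE.findall(text)},
    }

def is_watchdog_panic(report: dict) -> bool:
    """True when the debugger message reports a WDT (assumed: watchdog timer) timeout."""
    return report["reason"] is not None and "WDT timeout" in report["reason"]
```

Grouping a device fleet's panic reports by `reason` and `os_version` shows whether resets of this kind cluster on one OS build.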