07-04-2015, 11:51   #6
Gsmsverige
A new AFC symlink attack (CVE-2014-4480) - to get onto the device filesystem
DeveloperDiskImage race condition (by comex, also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
A new overlapping segment attack [in a modified version], dyld (CVE-2014-4455) - negative LC_SEGMENT - to allow libmis and xpcd_cache to load
libmis redirection of MISValidateSignature (as per evasi0n) to kCFEqual, with overlapping segment variant on TaiG (segment at end of file, negative)
enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
MobileStorageMounter exploit (CVE-2015-1062)
Backup exploit used to access restricted parts of the filesystem (CVE-2015-1087)
Kernel:

Mach-O OSBundleHeaders info leak (CVE-2014-4491) - leaks slid addresses
mach_port_kobject exploit CVE-2014-4496 - used to recover the permutation value and addresses of kernel objects
IOHIDFamily Kernel exploit (CVE-2014-4487) - to overwrite memory
DeveloperDiskImage race condition (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
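The overlapping/negative-segment item in the post concerns dyld accepting an LC_SEGMENT whose file range wraps around or lands on top of another mapping. The following is an added example, not code from this post, from TaiG, or from Apple's dyld: a stand-alone Mach-O load-command auditor that flags the three layout problems a loader must reject, namely 64-bit wraparound of fileoff+filesize or vmaddr+vmsize (the "negative" segment), a file range that runs past end of file, and pairwise overlap of file or VM ranges. The three binaries it inspects are constructed inline; the segment names, the ARM64 constants and the `__EVIL`/`__TEXT2` segments are assumptions for illustration, and nothing here reproduces the jailbreak's actual payload.

```python
"""Sanity check for overlapping or wrapping LC_SEGMENT_64 ranges in a Mach-O.

Added example (not from the original post, TaiG, or Apple). All inputs are
constructed below; no real binary is parsed or modified.
"""
import itertools
import struct
from dataclasses import dataclass

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19
MH_HEADER_FMT = "<IiiIIIII"       # mach_header_64 (32 bytes)
SEG_FMT = "<II16sQQQQiiII"        # segment_command_64 (72 bytes)
U64 = 1 << 64


@dataclass
class Segment:
    name: str
    vmaddr: int
    vmsize: int
    fileoff: int
    filesize: int


def build_macho64(segments):
    """Serialize a minimal mach_header_64 plus LC_SEGMENT_64 commands (test input only)."""
    cmds = b"".join(
        struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT),
                    s.name.encode().ljust(16, b"\0"),
                    s.vmaddr, s.vmsize, s.fileoff, s.filesize, 7, 5, 0, 0)
        for s in segments)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE (assumed values)
    header = struct.pack(MH_HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(segments), len(cmds), 0, 0)
    return header + cmds


def parse_segments(data):
    """Walk the load commands and return the LC_SEGMENT_64 entries."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(MH_HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = struct.calcsize(MH_HEADER_FMT)
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    segs = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from(SEG_FMT, data, off)
            segs.append(Segment(f[2].rstrip(b"\0").decode(), f[3], f[4], f[5], f[6]))
        off += cmdsize
    return segs


def _overlap(a_start, a_size, b_start, b_size):
    # Zero-length ranges (e.g. __PAGEZERO's file range) never overlap anything.
    return a_size > 0 and b_size > 0 and a_start < b_start + b_size and b_start < a_start + a_size


def check_segments(segs, file_len):
    """Return (kind, *segment names) findings; an empty list means the layout is sane."""
    findings, sane = [], []
    for s in segs:
        # Python ints do not wrap, so a "negative" filesize is caught here even
        # though fileoff + filesize looks small in uint64_t arithmetic.
        if s.fileoff + s.filesize >= U64 or s.vmaddr + s.vmsize >= U64:
            findings.append(("wrap", s.name))
            continue
        if s.fileoff + s.filesize > file_len:
            findings.append(("past_eof", s.name))
            continue
        if s.filesize > s.vmsize:
            findings.append(("filesize_gt_vmsize", s.name))
            continue
        sane.append(s)
    for a, b in itertools.combinations(sane, 2):
        if _overlap(a.fileoff, a.filesize, b.fileoff, b.filesize):
            findings.append(("file_overlap", a.name, b.name))
        if _overlap(a.vmaddr, a.vmsize, b.vmaddr, b.vmsize):
            findings.append(("vm_overlap", a.name, b.name))
    return findings


def audit(data):
    return check_segments(parse_segments(data), len(data))


# Constructed samples, padded so the segments' file ranges really exist.
_BASE = [
    Segment("__PAGEZERO", 0, 0x100000000, 0, 0),
    Segment("__TEXT", 0x100000000, 0x4000, 0, 0x4000),
    Segment("__DATA", 0x100004000, 0x4000, 0x4000, 0x4000),
]
BENIGN = build_macho64(_BASE).ljust(0x8000, b"\0")

# Segment anchored at end of file with a wrapped ("negative") filesize:
# fileoff + filesize == 0x4000 mod 2**64, so a uint64_t bounds check passes
# while the mapping is aimed at __TEXT's address range.
NEG_SIZE = (-0x4000) & (U64 - 1)
CRAFTED = build_macho64(_BASE + [
    Segment("__EVIL", 0x100000000, 0x4000, 0x8000, NEG_SIZE),
]).ljust(0x8000, b"\0")

# Plain overlap: a second segment re-mapping __TEXT's VM range from __DATA's file range.
OVERLAP = build_macho64(_BASE + [
    Segment("__TEXT2", 0x100000000, 0x4000, 0x4000, 0x4000),
]).ljust(0x8000, b"\0")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("crafted", CRAFTED), ("overlap", OVERLAP)):
        print(label, audit(blob))
```

The design point is the arithmetic: a loader written in C that validates `fileoff + filesize <= file_len` in `uint64_t` silently accepts the `__EVIL` layout because the sum wraps to 0x4000, which is exactly why the check above is done in unbounded integers (in C, use overflow-checked addition such as `__builtin_add_overflow` before comparing). Rejecting any pair of segments whose file or VM ranges intersect closes the second half of the trick, where a later segment re-maps memory already occupied by an earlier one.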