White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit. The expert publicly disclosed the kernel memory corruption vulnerability after Apple addressed it with a fix.
Last week highlighted Beer announced an iOS 11.1.2 exploit called “tfp0,” which he believes could be the basis for a future iOS 11.1.2 jailbreak.
Today, Beer released the exploit and explained it should work on all iOS devices running iOS 11.1.2 or below, though he only tested it on iPhone 7, iPhone 6s, and a sixth-generation iPod touch.
Watch out, Beer doesn’t release a full iOS 11 jailbreak, but what could potentially be used to develop a working jailbreak.
The attack vector is the tfp0 (“task for pid 0”), the kernel task port.
iOS 11.1.2, now with more kernel debugging: https://t.co/PIKbD3Gwx9
— Ian Beer (@i41nbeer) December 11, 2017
Beer started from his work with Apple’s Mach kernel implementation, and the Mach interface generator (MIG) made in September 2016.
“Userspace MIG services often use mach_msg_server or mach_msg_server_once to implent an RPC server. These two functions are also responsible for managing the resources associated with each message similar to the ipc_kobject_server routine in the kernel.” wrote Beer.
“Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”
Beer published a proof-of-concept code to exploit a second bug that provided the vector to attack MIG.
The expert exploited “a recent addition to the kernel, presumably as a debugging tool to help enumerate places where the kernel is accidentally disclosing pointers to userspace. The implementation currently enumerates kqueues and dumps a bunch of values from them.”
“IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function.” reads the security advisory published by Beer.
“The external method’s error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a futher reference on the wake_port when only one was taken. This bug is reachable from the iOS app sandbox as demonstrated by this PoC.”
Beer included a step-by-step explanation in the readme file included in the PoC code:
Beer explained that “the bsdinfo->pid trick” allowed him to build an arbitary read to find the kernel task’s vm_map and the kernel’s ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.
Jailbreaking iOS devices is no more so popular, especially after two major Cydia repositories shut down. Both ModMy and ZodTTD/MacCiti, which provided apps, themes, tweaks, and more for jailbroken iOS devices, shut down in November.
(Security Affairs – Apple jailbreak exploit, hacking)