Ian Beer Makes iOS 11.3 Exploit POC Public, Could Lead To A Jailbreak

Google Project Zero’s Ian Beer, who was responsible for the iOS 11.0-11.1.2 exploit that gave us the first public jailbreak on iOS 11, is back again.

The Googler reported the bug to Apple, which fixed it with the release of iOS 11.3.1, and he has now released the proof-of-concept (POC) details to the public.

While iOS 11.3.1 includes a fix, anyone running an iPhone or iPad software version older than that release is still potentially vulnerable. The flaw was originally reported back in February, and Beer’s title for it is “MacOS/iOS ReportCrash mach port replacement due to failure to respect MIG ownership rules”, which may not mean much to most people. His description of the proof of concept is not much easier to follow for those who are not in Ian Beer’s league, but for those interested, here is what he had to say about it.

ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes.
Most processes can talk to ReportCrash via their exception ports (either task or host level.)

Additionally:

You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf when you crash. However using the task_get_exception_ports or host_get_exception_ports MIG kernel methods you can get a send right to ReportCrash.

and more:

ReportCrash implements a mach_exc subsystem (2405) server and expects to receive mach_exception_raise_state_identity messages. The handler for these messages is at +0x2b11 in 10.13.3.

Of course, there is a lot more technical coverage over on the Chromium bug tracker, and Beer does say that the issue represents a “plausible exploitation scenario.”
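The “MIG ownership rules” in the bug title refer to a contract between a MIG server routine and the generated server code that wraps it: the routine owns the port rights carried in a request only if it returns success. If it returns an error, the server loop destroys the unconsumed request, which deallocates those rights itself. A routine that releases a right and then fails therefore drops the same right twice, and because Mach hands a freed name out again on the next allocation, a copy of that name held elsewhere in the daemon can end up naming a port the sender chose. The following C program is an added illustration of that rule written for this article; it is not ReportCrash’s code and not Beer’s proof of concept. The port name space (receive_send_right, deallocate, resolve), the server loop (serve), both handlers and the VICTIM/ATTACKER object ids are a simplified model constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of one task's Mach port name space (not real Mach
 * code): each name slot records the object it refers to and how many send
 * rights are held under that name. As in Mach, send rights to the same
 * object share one name, and a freed name is reused on the next allocation.
 */
#define NAME_SLOTS 4
#define NAME_INVALID (-1)

typedef struct {
    int object;    /* port object id, 0 = slot free */
    int send_refs; /* send rights held under this name */
} name_entry_t;

typedef struct {
    name_entry_t names[NAME_SLOTS];
} namespace_t;

/* A message delivers a send right to `object`: reuse the existing name if
 * the task already holds a right to that object, else the lowest free slot. */
static int receive_send_right(namespace_t *ns, int object)
{
    for (int n = 0; n < NAME_SLOTS; n++)
        if (ns->names[n].object == object) { ns->names[n].send_refs++; return n; }
    for (int n = 0; n < NAME_SLOTS; n++)
        if (ns->names[n].object == 0) {
            ns->names[n].object = object;
            ns->names[n].send_refs = 1;
            return n;
        }
    return NAME_INVALID;
}

/* Stand-in for mach_port_deallocate: drop one send right; the name dies
 * when the last right goes. Returns false for a dead or invalid name. */
static bool deallocate(namespace_t *ns, int name)
{
    if (name < 0 || name >= NAME_SLOTS || ns->names[name].object == 0) return false;
    if (--ns->names[name].send_refs == 0) ns->names[name].object = 0;
    return true;
}

/* Which object a stored name refers to right now (0 if the name is dead). */
static int resolve(const namespace_t *ns, int name)
{
    if (name < 0 || name >= NAME_SLOTS) return 0;
    return ns->names[name].object;
}

typedef int (*handler_fn)(namespace_t *ns, int task_name);

/* Respects the rule: the routine fails and leaves the right untouched, so
 * the server loop is the only party that releases it. */
static int handler_correct(namespace_t *ns, int task_name)
{
    (void)ns; (void)task_name;
    return -1; /* reject the request; rights stay with the stub */
}

/* Breaks the rule: releases the right itself and then still reports an
 * error, so the server loop releases the same right a second time. */
static int handler_buggy(namespace_t *ns, int task_name)
{
    deallocate(ns, task_name);
    return -1;
}

/* Model of the MIG-generated server loop (mach_msg_server style): when the
 * routine returns an error, the request and the rights it carried are
 * destroyed on the routine's behalf. */
static int serve(namespace_t *ns, handler_fn h, int task_name)
{
    int kr = h(ns, task_name);
    if (kr != 0) deallocate(ns, task_name);
    return kr;
}

#define VICTIM   100 /* port the daemon legitimately keeps a right to */
#define ATTACKER 200 /* port chosen by the sender of the next message */

/* Scenario: the daemon holds a long-lived send right to VICTIM, receives a
 * request carrying another right to VICTIM (same name), handles it, then
 * receives a message carrying ATTACKER. Returns the object the daemon's
 * stored name refers to afterwards. */
static int run_scenario(handler_fn h)
{
    namespace_t ns = {{{0, 0}}};
    int stored = receive_send_right(&ns, VICTIM); /* long-lived right */
    int in_msg = receive_send_right(&ns, VICTIM); /* right carried by request */
    serve(&ns, h, in_msg);
    receive_send_right(&ns, ATTACKER);            /* next sender's port */
    return resolve(&ns, stored);
}

int main(void)
{
    printf("correct handler: stored name refers to %d\n", run_scenario(handler_correct));
    printf("buggy handler:   stored name refers to %d\n", run_scenario(handler_buggy));
    return 0;
}
```

With the correct handler the stored name still refers to VICTIM after the exchange; with the buggy one the double release frees the name, the attacker’s port is allocated into the same slot, and every later use of the stored name talks to ATTACKER instead. That is the “port replacement” primitive the title describes, reduced to its bookkeeping.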

With the bug now fixed in iOS 11.3.1 and the POC details public, we expect developers from the jailbreak community to make use of it for devices on iOS 11.3 and below. It is still too early to say with any certainty whether it can be turned into something like Electra, which, as mentioned earlier, is also based on Beer’s previous work on iOS 11.0-11.1.2. Bear in mind that ReportCrash is a userspace daemon, so this bug on its own is a userspace privilege escalation rather than a kernel exploit, and a full jailbreak would still need a separate kernel bug alongside it.

Whatever comes of it, note that iOS 11.3 is vulnerable and Apple has stopped signing that firmware, so anyone who wanted to downgrade to it can no longer do so.

(Source: Chromium)

