Abraham Masri Drops iOS 11.3 0day Vulnerability, Here’s What That Means For Future Jailbreak
We’re living amongst a jailbreak community which just keeps on giving. Abraham Masri, the developer behind the Houdini and Saigon projects, has announced and published what he is calling a “0day” vulnerability in Apple’s latest iOS 11.3 beta release.
Whenever you mention the term “0day” you can almost see and feel the collective arms of the jailbreak community being thrown in the air in excitement as they begin to ponder the potential of a jailbreak for the affected firmware versions.
However, in this instance, it’s worth noting that the finder of the flaw, Abraham Masri himself, has stipulated that “due to the nature of this flaw, you cannot do much” with it. It seems that members of the jailbreak community are in the business of giving excitement with one hand and then snatching it away with the other. With that said, there is also an admission that this could potentially lead to something in the future.
The bug found by Masri lives in the securityd component of Apple’s iOS platform and has been discovered in iOS 11.3, which is currently in beta. This also means that it exists in previous versions of iOS which are currently in public use, such as iOS 11.2.6 and below.
Before publishing his proof-of-concept, Masri reported the issue to Apple directly, which means that the flaw is likely to be patched in iOS 11.3 when it’s finally released to the public in the coming weeks and months. That does, however, still leave earlier versions such as iOS 11.2.6 potentially vulnerable and able to be exploited.
Other prominent members of the jailbreak community have also jumped in on the discussion. Siguza has expressed his belief that this could potentially offer a route to sandbox escape and potential root access but later provided an update to suggest that more investigation is needed as “securityd runs as its own user.” Masri has also put together a fairly in-depth write-up on the flaw, outlining exactly what it is, which is designed to be read alongside the published proof-of-concept.
We will wait to see how this develops but if you want to investigate the proof-of-concept, you can do so over at the published GitHub page. You can also check out the write-up on traversing paths within the info.plist here.