Ian Beer Makes iOS 11.3 Exploit POC Public, Could Lead To A Jailbreak

Googler Ian Beer is at it again, and not too long after he was responsible for a exploit in iOS 11.0-11.1.2 which gave us first public jailbreak on iOS 11.

As we reported earlier, after the Google security researcher informed Apple and the company fixed the exploit with the release of iOS 11.3.1, he has now released the POC info on the exploit to the public.

So while iOS 11.3.1 includes a fix for it, anyone running a version of the iPhone and iPad software that is older than this release will still potentially be vulnerable. Beer originally discovered the flaw back in February and according to the man himself, the new flaw is “MacOS/iOS ReportCrash mach port replacement due to failure to respect MIG ownership rules” which may not mean anything to most people. The description of what this proof of concept is not easier to understand for those of you who are not quite in Ian Beer’s league, but for those interested here’s what he had to say about it.

ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes.
Most processes can talk to ReportCrash via their exception ports (either task or host level.)


You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf when you crash. However using the task_get_exception_ports or host_get_exception_ports
MIG kernel methods you can get a send right to ReportCrash.

and more:

ReportCrash implements a mach_exc subsystem (2405) server and expects to receive
mach_exception_raise_state_identity messages. The handler for these messages is at +0x2b11 in 10.13.3.

There is plenty more technical coverage over on the Chromium bugs webpage, and Beer does say that the issue does represent a “plausible exploitation scenario.”

With the bug now fixed in iOS 11.3.1 and POC details on it made public, we expect to see some developer from jailbreak community picking on it and making some use of it for those on iOS 11.3 and below. Although it’s still too early to say whether this could be turned into something like Electra which as mentioned earlier is also based on Beer’s previous work on 11.0-11.1.2.

Whatever the case maybe, given that iOS 11.3 is vulnerable to it and given that Apple is still signing that firmware, you probably want to downgrade to it while it’s still possible to do so: How To Downgrade iOS 11.3.1 On iPhone Or iPad [Tutorial].

(Source: Chromium)

You may also like to check out:

You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple and the Web.