Brandon Azad Releases iOS 11.4 Exploit Which Could Lead To Jailbreak
It seems that Project Zero’s Ian Beer is not the only security-focused engineer to continue dropping knowledge bombs into the jailbreak community. After initially reporting that Beer was planning on releasing his iOS 11.4.1 exploits into the public domain, Brandon Azad has now weighed in with an iOS 11.2.6-iOS 11.4 release on GitHub.
This type of release pattern is typical of how the jailbreak community has operated in recent years. The scene lies stagnant for long periods with seemingly no action whatsoever, and then, out of the blue, one or more individuals catapult some information or work into the public domain that instantly lights a fire in the community.
The community-famous Ian Beer started that fire off yesterday by announcing that his iOS 11.4.1 exploits would be shared, and Azad has now followed that lead by publishing his “mach port replacement vulnerability”:
iOS full userspace compromise via malicious crashing: https://github.com/bazad/blanket. Versions up to 11.4 are vulnerable, but the exploit only targets 11.2.6. The writeup also discloses some new mitigation bypasses.
The tweet confirms that the underlying bug is exploitable from iOS 11.2.6 all the way through to Apple’s iOS 11.4, with the issue being patched in the release of iOS 11.4.1. However, the shared exploit only targets iOS 11.2.6, so additional work would be needed for anyone who wanted to build on this proof of concept and get it up and running as a jailbreak on iOS 11.4. In the GitHub release, Azad describes the work as follows:
CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass.
So, that’s confirmation that the exploit provides an escape out of the sandbox, is capable of providing privilege escalation, and can bypass Apple’s internal codesigning checks.
As we should all know by now, this isn’t enough to get a jailbreak fully functional on iOS. It would only really be super useful if someone could make it work for an iOS 11.4 final jailbreak, since Electra currently supports jailbreaking iOS 11.4 beta 3. For that reason, and with iOS 12 out in the wild, it’s likely that this release will be treated as being for informational and learning purposes only. It’s still great to see the community thriving.