I0n1c Explains How His iOS 7.1.1 Jailbreak Works


Stefan Esser, a hacker known as i0n1c, has posted an explanation of how his jailbreak of iOS 7.1.1 works.

The jailbreak, which has not yet been released, is notable in that it relies on a kernel bug hidden inside functionality that can be reached easily, even from within the iOS application sandbox.

This means the kernel exploit can be chained with a compromise of any sandboxed application to break out of it. That sets it apart from nearly all of the kernel vulnerabilities used in iOS jailbreaks since iOS 4, most of which are not reachable from inside the sandbox. Only two publicly disclosed iOS kernel vulnerabilities have had this property: the one used in comex's JailbreakMe 3, and the posix_spawn() vulnerability disclosed by SektionEins at SyScan 2013 and later used by the jailbreak community in the p0sixpwn jailbreak.

Potential initial injection vectors for such an exploit are:
● exploit against an internal app like MobileSafari
● exploit against any vulnerable app from the AppStore
● exploit from within a developer/enterprise app

I0n1c says it is quite easy to deliver this exploit, especially because a vulnerable application kept in a device backup does not go away: it can be restored and re-exploited in the future. He plans to show 'some instance' of this within the 'next weeks'.

Esser also noted that a jailbroken iOS 7.1.1 device made it possible to confirm that the stack_guard stack canary vulnerability publicly disclosed in April 2013 is still unfixed in the latest iOS (and OS X) versions at the time of writing.

The bug in question allows a local attacker to launch a target executable in a way that lets him choose the value of the stack_guard canary. The canary is the secret value that stack-protected code stores between a function's local buffers and its saved return address and re-checks before returning; a stack buffer overflow that reaches the return address also overwrites the canary, so the corruption is caught unless the attacker knows the canary and writes the correct value back. If the attacker chooses the canary, that condition is trivially met, which renders the stack canary mitigation useless against local attackers. For iOS this means that local attacks (those used for persistence or untethering) that rely on stack buffer overflows become exploitable again, or much easier to exploit, because the attacker controls the value of the stack_guard.
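To make the canary argument concrete, here is an added C model (not code from Esser's write-up, and not the iOS/OS X bug itself, whose mechanism the article does not describe) of a stack-protected frame. The frame layout, the guard value PROCESS_GUARD and the target address ATTACKER_RET are constructed for the illustration. The same overflow payload is run twice: once with a guessed canary, where the epilogue check catches it, and once with the canary the attacker chose, where the check passes and the saved return address is hijacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack-protected frame, laid out the way -fstack-protector
 * arranges it: local buffer, then the stack_guard canary, then the saved
 * return address. Overrunning buf clobbers canary first, then saved_ret. */
#define BUF_SIZE 16
struct frame {
    char buf[BUF_SIZE];
    uintptr_t canary;
    uintptr_t saved_ret;
};

/* Process-wide guard value (constructed for this model). In a real process it
 * is chosen at exec time and should be unknown to the attacker; the disclosed
 * bug is that a local attacker on the affected builds could choose it. */
#define PROCESS_GUARD ((uintptr_t)0x5e1fcafeUL)

/* Stand-in for the address the attacker wants to return into (constructed). */
#define ATTACKER_RET ((uintptr_t)0x41414141UL)

/* The vulnerable copy: attacker input is copied into buf without checking its
 * length against BUF_SIZE. The copy is bounded by the frame object itself only
 * so the model stays well-defined C while still overflowing buf. */
static void vulnerable_copy(struct frame *f, const unsigned char *in, size_t len)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i;
    for (i = 0; i < len && i < sizeof *f; i++)
        dst[i] = in[i];
}

/* Epilogue check inserted by the compiler: if the canary no longer matches the
 * process guard, __stack_chk_fail() would abort before the corrupted return
 * address is used. Returns 1 when the check passes. */
static int canary_check(const struct frame *f)
{
    return f->canary == PROCESS_GUARD;
}

/* Build the classic overflow payload: filler for buf, then the canary value
 * the attacker believes is in use, then the new return address.
 * Returns the payload length. */
static size_t build_payload(unsigned char *out, uintptr_t guard_guess, uintptr_t ret)
{
    size_t n = 0;
    memset(out, 'A', BUF_SIZE);
    n += BUF_SIZE;
    memcpy(out + n, &guard_guess, sizeof guard_guess);
    n += sizeof guard_guess;
    memcpy(out + n, &ret, sizeof ret);
    n += sizeof ret;
    return n;
}

/* Run the overflow with the attacker's guess for the canary. Returns 1 if the
 * frame survives the canary check with the return address hijacked, 0 if the
 * overflow is detected. */
int attack_with_guess(uintptr_t guard_guess)
{
    struct frame f;
    unsigned char payload[sizeof f];
    size_t n;

    memset(&f, 0, sizeof f);
    f.canary = PROCESS_GUARD;       /* prologue stores the guard */
    n = build_payload(payload, guard_guess, ATTACKER_RET);
    vulnerable_copy(&f, payload, n);
    return canary_check(&f) && f.saved_ret == ATTACKER_RET;
}

int main(void)
{
    /* Attacker does not know the canary: the overflow is caught. */
    printf("guessed guard -> %s\n",
           attack_with_guess(0x12345678UL) ? "hijacked" : "detected");
    /* Attacker chose the canary (the iOS/OS X bug): the check is useless. */
    printf("chosen guard  -> %s\n",
           attack_with_guess(PROCESS_GUARD) ? "hijacked" : "detected");
    return 0;
}
```

The model deliberately leaves out ASLR, PAC and every other mitigation; its only point is that the canary check reduces to an equality test against a value the attacker is supposed not to know, and that once the attacker picks that value the test no longer stops anything.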

Check out the link below for more details, and follow iClarified on Twitter, Facebook, Google+, or RSS for updates on the jailbreak's potential release.

Read More


iObligated - May 21, 2014 at 12:21pm
Is there a link to the jailbreak? I've been itching to jailbreak my iPod, instead of seeing all of these sites that use fake exploits.
cydia112 - May 21, 2014 at 11:45am
Oh yeah, it is very nice Cydia. Also openappmkt download for iOS 7. Good, na?
dhp_devendra - May 21, 2014 at 10:49am
Got my iPhone 4 jailbroken on iOS 7.1.1 with Geeksn0w. But it's semi-tethered and for iPhone 4 only. However, it's successful in jailbreaking iPhone 4 on iOS 7.1.1. Please make your jailbreak solution available to the public for their benefit.
aljo - May 20, 2014 at 5:25pm
Where can I download the jailbreak?
Gymcap - May 20, 2014 at 1:01pm
I appreciate them saving this for iOS 8 so that Apple won't be able to patch it, but at the same time I'm pissed because my iOS 7.0.4 crashed when I deleted some iAd file and now I'm forced to update to 7.1.1 >.< I wish there could be some type of private beta for the jailbreak on 7.1.1 ;) Wishful thinking, I guess.