Security researcher Adam Donenfeld has announced the upcoming release of a kernel exploit for iOS 10.3.1. The vulnerabilities used have already been fixed in iOS 10.3.2 but the exploit could lead to a jailbreak for iOS 10.3.1 (10.2 as well).
Apple fixed 8 kernel privilege escalation bugs I sent them. A privilege escalation exploit is already written. It will be released during conferences’ season in the summer. You may want to save SHSH blobs :)
Responding to jailbreak speculation Donenfeld tweets, "I never said anything about jailbreak. I'm releasing an exploit (source code + instructions). If someone wants to take the hassle of wrapping it into a jailbreak I’d be happy to help."
Here's the description of Donenfeld's presentation for HITB GSEC:
---
Attackers have been lurking around iOS in the hope of achieving a full attack-chain to the device. Following Apple’s introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored.
With this in mind, we decided to examine code that is not accessible by default to the common containerized app, but to any other process - regardless of its security context. We were surprised to see that what is not accessible from the initial code execution context needs much more attention. During our research, we found multiple privilege escalation vulnerabilities affecting all iOS devices in the market.
In this presentation, we will review the privilege escalation vulnerabilities, as well as demonstrate and present a detailed exploitation that is crafted from chaining all these vulnerabilities together, eventually leading to the execution of arbitrary kernel code and to bypassing all of the security mitigations currently available on iOS devices.
---
Please follow iClarified on Twitter, Facebook, or RSS for news of further developments.
Read More
Apple fixed 8 kernel privilege escalation bugs I sent them. A privilege escalation exploit is already written. It will be released during conferences’ season in the summer. You may want to save SHSH blobs :)
Responding to jailbreak speculation Donenfeld tweets, "I never said anything about jailbreak. I'm releasing an exploit (source code + instructions). If someone wants to take the hassle of wrapping it into a jailbreak I’d be happy to help."
Here's the description of Donenfeld's presentation for HITB GSEC:
---
Attackers have been lurking around iOS in the hope of achieving a full attack-chain to the device. Following Apple’s introduction of self-signed applications, the attack surface for containerized applications on iOS is pretty constant. Apple is doing a good job in improving its security, from narrowing down the attack surface to introducing new mitigations, both from a software and a hardware perspective. As a side effect of these efforts, most of the attack surface that is not accessible by a containerized application is often ignored.
With this in mind, we decided to examine code that is not accessible by default to the common containerized app, but to any other process - regardless of its security context. We were surprised to see that what is not accessible from the initial code execution context needs much more attention. During our research, we found multiple privilege escalation vulnerabilities affecting all iOS devices in the market.
In this presentation, we will review the privilege escalation vulnerabilities, as well as demonstrate and present a detailed exploitation that is crafted from chaining all these vulnerabilities together, eventually leading to the execution of arbitrary kernel code and to bypassing all of the security mitigations currently available on iOS devices.
---
Please follow iClarified on Twitter, Facebook, or RSS for news of further developments.
Read More