Pierluigi Paganini December 12, 2017

Today, Beer released the exploit and explained it should work on all iOS devices running iOS 11.1.2 or below, though he only tested it on iPhone 7, iPhone 6s, and a sixth-generation iPod touch.

Watch out, Beer doesn’t release a full iOS 11 jailbreak, but what could potentially be used to develop a working jailbreak.

The attack vector is the tfp0 (“task for pid 0”), the kernel task port.

iOS 11.1.2, now with more kernel debugging: https://t.co/PIKbD3Gwx9

— Ian Beer (@i41nbeer) December 11, 2017

Beer started from his work with Apple’s Mach kernel implementation, and the Mach interface generator (MIG) made in September 2016.

“Userspace MIG services often use mach_msg_server or mach_msg_server_once to implent an RPC server. These two functions are also responsible for managing the resources associated with each message similar to the ipc_kobject_server routine in the kernel.” wrote Beer.

“Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”

Beer published a proof-of-concept code to exploit a second bug that provided the vector to attack MIG.

The expert exploited “a recent addition to the kernel, presumably as a debugging tool to help enumerate places where the kernel is accidentally disclosing pointers to userspace. The implementation currently enumerates kqueues and dumps a bunch of values from them.”

“IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function.” reads the security advisory published by Beer.

“The external method’s error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a futher reference on the wake_port when only one was taken. This bug is reachable from the iOS app sandbox as demonstrated by this PoC.”

Beer included a step-by-step explanation  in the readme file included in the PoC code:

• First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
• Second, he triggered an out-of-bounds read for “various kallocsizes” to identify “the most commonly-leaked kernel pointer”;
  Next, he sent Mach messages to gather “a pretty large number of kalloc allocations;
• With enough Mach port allocations, Beer gathered a page “containing only my ports”. The port address disclosure provided “a port which fits within particular bounds on a page. Once I’ve found it, I use the IOSurface bug to give myself a dangling pointer to that port”;
• ”I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
  Careful reallocation (1 MB at a time) made garbage collection trigger and “collect the page that the dangling pointer points to”.

Beer explained  that “the bsdinfo->pid trick” allowed him to build an arbitary read to find the kernel task’s vm_map and the kernel’s ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.

Jailbreaking iOS devices is no more so popular, especially after two major Cydia repositories shut down. Both ModMy and ZodTTD/MacCiti, which provided apps, themes, tweaks, and more for jailbroken iOS devices, shut down in November.

Pierluigi Paganini

(Security Affairs – Apple jailbreak exploit, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]