Google’s Project Zero iOS bug hunter Ian Beer has released details about an iOS 11 exploit that could offer up a jailbreak for iOS 11.1.2.
Beer last week teased that he had an exploit called ‘tfp0’, which is short for the kernel task port in iOS, and has today followed with an exploit using two recently patched flaws that may offer the rare prospect of a possible jailbreak on iOS.
It appears what he has released isn’t a full jailbreak but enough to allow security researchers to bypass software restrictions imposed by Apple and test a newish version of iOS. It may also help create a jailbreak for those interested in testing iOS 11.1.2 or below.
Beer published details of an ‘async_wake’ exploit and proof-of-concept local kernel debugging tool for iOS 11.1.2 on Monday. Apple released iOS 11.2 on December 2, so the tools won’t work on updated iPhones.
As detailed in Project Zero’s bug repository, the issue Beer found relates to a memory flaw in IOSurface, a kernel extension.
Jailbreaking researchers Team Pangu claim to have discovered the same flaw last year and have been using it for jailbreaking an iPhone during internal research.
Beer’s release of his exploit came after Team Pangu revealed a proof of concept exploit for one of the iOSurface vulnerabilities he’d reported to Apple.
Team Pangu researcher Wang Tielei described iOS 11.2 as a “big loss” as it blocked a kernel vulnerability that could be exploited from within an iOS app sandbox.
Beer’s exploit uses a combination of the IOSurface bug, another kernel bug patched in iOS 11.2, and specially crafted kernel messages to get the prized tfp0 on Apple devices.
Beer confirmed his technique does work on iPhone 7, iPhone 6s, and iPod Touch 6G if they’re running iOS 11.1.2. He notes that it should be simple to port to other models. He also tested it on a MacBookAir 5,2 running MacOS 10.13.