Ian Beer Finally Released iOS 11.3.1 Exploit; Electra iOS 11.3.1 Jailbreak Tool Is Around The Corner
Good news for the jailbreak community: Ian Beer of Google's Project Zero has publicly released an exploit for iOS 11.3.1.
The Exploit Released By Project Zero
On May 29th, Beer announced on Twitter that something was coming for iOS 11.3.1. He said that anyone interested in bootstrapping iOS kernel security research should keep a research-only device on iOS 11.3.1 for an upcoming tfp0 (kernel task port) release, which he expected to publish the following week. He also noted that an 11.1.2 KDP-compatible kernel debugger was coming soon.
Fast forward to today: Beer has delivered on his promise with a series of tweets. Here are his posts so far (be warned that more may follow):
In his first post, he mentions that iOS 11.4 patched two kernel memory corruption bugs he reported, in two distinct areas: mptcp and vfs. The mptcp bug is available at the link in the tweet, and he warns readers to read the README because an Apple developer cert is required (the MPTCP socket interface is only reachable from an app holding the multipath entitlement, hence the need for a developer-signed build).
In his second post, he says that this is "the same bug as already publicly documented from the patch by @elvanderb and exploited by @jaakerblom", and links to John's repo.
In his third post, he notes that the vfs bug does not require an Apple developer cert but can be harder to exploit: the primitive is a write of 8 NULL bytes off the end of a kalloc.16 buffer. Even so, he thinks it is worth attempting, to show that such issues are reliably exploitable.
In his fourth post, he points people to Project Zero's 2014 "poisoned NUL byte" write-up. He notes that the mptcp exploit is mostly recycled bits of earlier exploits, whereas the getvolattrlist bug needs some new techniques.
In his fifth post, he links the trigger for anyone who is into iOS exploit development, and promises to publish what he has within the week.
In his sixth post, he reminds people to always keep their personal iOS devices up to date, and to only use the tools he has released on devices that hold no personal information and are used purely for research.
Finally, in his last post, he adds that for the vfs bug one can control a handful of bits in the 8 overflow bytes: the overflow value is two 4-byte flag fields.
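To make the vfs primitive described above concrete, here is an added user-space model. It is not XNU code, not Beer's exploit and not the real bug: a slab of 16-byte slots standing in for a kalloc.16 zone, a reply routine that appends two 4-byte flag words past the end of its 16-byte buffer, and the neighbouring object that those 8 mostly-zero bytes land on, next to a bounds-checked version. The slab layout, the neighbour struct, the flag field names and the fix are all assumptions for the demonstration. The point it shows is why NUL bytes are not harmless: with all flag bits zero the overflow truncates the neighbour's pointer field to 0, and with a few controllable bits set it becomes a small attacker-influenced value.

```c
/*
 * Added illustration only (not XNU, not Ian Beer's code): what "8 mostly-NULL
 * bytes written off the end of a kalloc.16 allocation" does to whatever object
 * sits in the next 16-byte slot. Slab layout, neighbour struct, flag names and
 * the fix are assumptions for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CHUNK   16                      /* kalloc.16-style fixed-size slot */
#define NCHUNKS 4
#define ATTR_LEN 16                     /* attribute bytes in the reply */
#define PTR_ORIG 0x4141414141414141ULL  /* placeholder pointer for the demo */

/* Contiguous slab: slot i lives at slab + i*CHUNK, so an overflow out of
 * slot 0 lands in the first bytes of slot 1. */
static uint8_t slab[NCHUNKS * CHUNK];

/* Whatever happened to be allocated in slot 1: a pointer plus a length. */
struct neighbour {
    uint64_t ptr;       /* first 8 bytes: exactly what the overflow hits */
    uint64_t len;
};

/* The overflow value: two 4-byte flag fields, almost all bits zero. */
struct attr_flags {
    uint32_t commonattr;
    uint32_t volattr;
};

/* BUG: the reply buffer was sized for the attribute data only; appending the
 * flag struct writes sizeof(struct attr_flags) == 8 bytes past the slot. */
static void fill_reply_buggy(uint8_t *buf, const uint8_t *attrs, struct attr_flags fl)
{
    memcpy(buf, attrs, ATTR_LEN);
    memcpy(buf + ATTR_LEN, &fl, sizeof fl);     /* 8 bytes into the next slot */
}

/* FIX: account for everything that will be written and refuse if it does not fit. */
static int fill_reply_fixed(uint8_t *buf, size_t bufsz, const uint8_t *attrs,
                            struct attr_flags fl)
{
    if (bufsz < ATTR_LEN + sizeof fl)
        return -1;                              /* caller must allocate 24 bytes */
    memcpy(buf, attrs, ATTR_LEN);
    memcpy(buf + ATTR_LEN, &fl, sizeof fl);
    return 0;
}

/* Put a neighbour in slot 1 and 'A'-filled attribute data ready for slot 0. */
static void setup(uint8_t *attrs)
{
    struct neighbour nb = { PTR_ORIG, 16 };
    memset(slab, 0, sizeof slab);
    memcpy(slab + CHUNK, &nb, sizeof nb);
    memset(attrs, 'A', ATTR_LEN);
}

/* Read back the neighbour's pointer field from slot 1. */
static uint64_t neighbour_ptr(void)
{
    struct neighbour nb;
    memcpy(&nb, slab + CHUNK, sizeof nb);
    return nb.ptr;
}

/* Buggy path: returns the neighbour's pointer after the 8-byte overflow.
 * All-zero flags give 0; a few set bits give a small controlled value. */
uint64_t demo_buggy(uint32_t commonattr, uint32_t volattr)
{
    uint8_t attrs[ATTR_LEN];
    struct attr_flags fl = { commonattr, volattr };
    setup(attrs);
    fill_reply_buggy(slab, attrs, fl);
    return neighbour_ptr();
}

struct fixed_result { int rc_small; int rc_right; uint64_t ptr; };

/* Fixed path: the 16-byte slot is rejected, a 24-byte buffer is accepted,
 * and the neighbour is left untouched. */
struct fixed_result demo_fixed(void)
{
    uint8_t attrs[ATTR_LEN];
    uint8_t right[ATTR_LEN + sizeof(struct attr_flags)];
    struct attr_flags fl = { 1, 2 };
    struct fixed_result r;
    setup(attrs);
    r.rc_small = fill_reply_fixed(slab, CHUNK, attrs, fl);
    r.rc_right = fill_reply_fixed(right, sizeof right, attrs, fl);
    r.ptr = neighbour_ptr();
    return r;
}

int main(void)
{
    struct fixed_result r = demo_fixed();
    printf("buggy, flags 0,0: neighbour ptr -> 0x%016llx\n", (unsigned long long)demo_buggy(0, 0));
    printf("buggy, flags 1,2: neighbour ptr -> 0x%016llx\n", (unsigned long long)demo_buggy(1, 2));
    printf("fixed: rc_small=%d rc_right=%d ptr -> 0x%016llx\n",
           r.rc_small, r.rc_right, (unsigned long long)r.ptr);
    return 0;
}
```

The fixed variant is the mundane lesson: size the buffer for every field the routine writes and check before copying. The buggy variant is the interesting one for an exploit developer, because the adjacent object is chosen by whoever controls the kalloc.16 zone layout, and a pointer or length field whose top bytes get zeroed is the same class of primitive the poisoned NUL byte write-up builds on.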
Got all the pieces collected; now the work begins — time to create a developer 11.3.1 jailbreak for those who have Apple Developer accounts 🙂
— CoolStar (@coolstarorg) June 6, 2018
Following Beer's release, CoolStar has started integrating the exploit into the Electra codebase in order to offer an iOS 11.3.1 jailbreak tool, initially for users with Apple Developer accounts, since the mptcp exploit requires a developer certificate. The developer has already confirmed that the Electra iOS 11.3.1 jailbreak tool will support the iOS 11-compatible iPhone models up to the iPhone X.
So, have you tried the exploit released by Beer? Did you run into problems, or did things go smoothly, suggesting we will see the iOS 11.3.1 jailbreak really soon? Share your thoughts and opinions in the comment section below.