iOS 11.2.6 Jailbreak: Abraham Masri Releases iOS 11.3 0day Vulnerability, Might Lead To Jailbreak
Abraham Masri, the developer behind the Houdini and Saigon projects, left the jailbreak community some time ago but keeps providing goodies. He has now released a proof of concept for a “0-day” vulnerability in Apple’s latest iOS 11.3, which is still in beta at the time of writing.
It looks like jailbreak community members are currently in the mood to offer excitement with one hand and snatch it away with the other. That said, there is a chance that the latest iOS 11.3 vulnerability could lead to ‘something’ in the future.
Whenever the word “0day” comes up, the community immediately thinks about the potential for a jailbreak of the affected firmware versions. In this instance, however, the finder of the vulnerability has himself stated up front that “due to the nature of this flaw, you cannot do much” with it.
The vulnerability found by Masri lies in securityd, a system daemon on Apple’s iOS platform, and has been demonstrated on iOS 11.3, which is currently in beta. That could also mean it is present in earlier iOS versions still in public use, such as iOS 11.2.6 and below.
Dubbed racer#2, the proof of concept targets the “securityd” daemon of iOS 11.3. It gives the attacker control over certain CPU registers. Note, however, that controlling those registers is of little use once the PoC reaches memcpy(). If an attacker can stop execution before it reaches memcpy(), unsigned code execution may be possible. Masri also mentioned that exploiting racer#2 requires a “certain technique” that, unsurprisingly, he did not disclose.
Before releasing his proof of concept, Masri reported the issue to Apple, which means the flaw will most likely be patched in the final public release of iOS 11.3, expected in the coming weeks or months. A fix in iOS 11.3 does not, however, change anything for earlier versions such as iOS 11.2.6, which remain potentially vulnerable and could, in principle, be jailbroken.
Other well-known members of the jailbreak community have joined the discussion. Siguza, a well-known developer, initially suggested that the bug could offer a route to a sandbox escape and possibly root access, but later posted an update saying that more investigation is needed because “securityd runs as its own user.” In other words, compromising securityd would not by itself hand an attacker root privileges. Masri has also published a fairly in-depth write-up explaining exactly what the vulnerability is.
We will have to wait and see how this vulnerability develops, but if you want to examine the proof of concept yourself, head over to the published GitHub page. Stay tuned for more jailbreak updates.