iOS 11.2.2 Jailbreak News: iOS 11.2.2 Vulnerabilities Finally Made Public By Zimperium zLab
Apple’s ‘bluetoothd’ daemon has multiple vulnerabilities that affect iOS 11.2.2 firmware and could possibly lead to a jailbreak. This announcement by Rani Idan, a member of the Zimperium zLabs team, came shortly after Russ Cox had backed away from his much-anticipated release of an iOS 11.2.2 jailbreak, saying that what he had planned to release was only an exploit.
Cox further said that the exploit might not be usable for jailbreaking Apple devices. Idan, however, is undeterred: the exploit mentioned by Cox could be turned into a jailbreak, he said.
The vulnerabilities found by Idan and his team, detailed on the Zimperium blog, were fixed by Apple in its iOS 11.2.5 release last week. In fact, the company credited Idan for reporting the vulnerabilities.
It’s déjà vu all over again: Ian Beer’s iOS 11.0-11.1.2 exploit was turned into a public jailbreak, and the same thing has happened with iOS 11.2-11.2.2.
Idan said more work is needed to see where this exploit ends up, but he is confident that it is doable. The multiple vulnerabilities discovered by Idan and his team are now public and can be used for research and other purposes.
“The first vulnerability is memory corruption in bluetoothd and the other is the execution of arbitrary code on different crucial daemons. The first vulnerability (CVE-2018-4095) is full relative (ASLR bypass) control on the stack in CoreBluetooth that leads to memory corruption over bluetoothd.”
“The second major vulnerability (CVE-2018-4087) leads to execution of arbitrary code on different crucial daemons in iOS by hijacking the session between each daemon and bluetoothd. Some of the impacted daemons are: SpringBoard, mDNSResponder, aggregated, wifid, Preferences, CommCenter, iaptransportd, findmydeviced, routine, UserEventAgent, carkitd, mediaserverd, bluetoothd, coreduetd, and so on.”
With the Zimperium team looking in the right direction, anything is possible. It is no longer surprising to see this happen with iOS 11.2.2 and earlier firmware.