A China-based security researcher associated with the Qihoo 360 Vulcan Team has published a proof-of-concept exploit for a kernel vulnerability, which he says is the second stage of an exploit chain he used to remotely jailbreak an iPhone X.
The researcher, Qixun Zhao, posted the PoC on Twitter from his handle @S0rryMybad. He also revealed that the exploit, dubbed the tfp0 exploit, can help a remote attacker jailbreak an iPhone X without alerting the user. With the device jailbroken, the attacker can access the targeted device's data, processing power and everything else on it.
See: Zerodium is paying $2 million for Apple iOS remote jailbreak
In his blog post published on January 23, Zhao stated that the vulnerable code can be reached from within the sandbox; he refers to the exploit as Chaos. Although Zhao has released the PoC, he has not revealed the full exploit code. Instead, he wrote that to jailbreak a device an attacker would need to manually complete the exploit code or else "wait for the jailbreak community's release."
Zhao believes that very soon there will be a leak facilitated by his discovery, using which it will be possible to exploit iOS 12 in the sandbox.
The bug has already been patched in the latest version of iOS, but Zhao claims that the underlying problem has not been completely fixed, since the affected code can still be reached directly from the sandbox.
“The code that can be directly reached in the sandbox, that means the kernel developer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above,” stated Zhao in his blog post.
Furthermore, Zhao claims that PAC mitigation does not put an end to jailbreaking, or even to the exploitation of use-after-free (UaF) bugs, because a UaF can still be used in a PAC environment. In this case, the entire process of obtaining tfp0 does not require the attacker to control the PC (program counter) at all, because the bug is a port property value in the ipc_voucher object that is released while still referenced.
“The exploitation of the UaF vulnerability depends greatly on the data structures of the released object, as well as how to use them, since, in the end, we have to convert to type obfuscation,” explained Zhao.
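The point Zhao makes above, that a UaF is about how the released object's data structures are still referenced after the release rather than about hijacking control flow, can be illustrated with a small, self-contained C example. This is an added illustration and is not code from Zhao's post or from Apple's kernel: the `kobj` and `holder` types are hypothetical stand-ins for a reference-counted kernel object and the structures that point at it (they are not XNU's ipc_voucher or port types). It contrasts the defect pattern, a holder that drops its reference but keeps the pointer, with the hardened pattern that clears the pointer in the same step, and shows how reference counting keeps an object alive while another holder still references it. No freed memory is ever dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy reference-counted object. Hypothetical stand-in for a kernel object
 * that several data structures point at; it is NOT XNU's ipc_voucher. */
struct kobj {
    int refcount;
    int value;
};

/* A structure that keeps a pointer to a kobj (hypothetical). */
struct holder {
    struct kobj *obj;
};

struct kobj *kobj_alloc(int value)
{
    struct kobj *o = calloc(1, sizeof *o);
    if (!o)
        abort();
    o->refcount = 1;
    o->value = value;
    return o;
}

void kobj_retain(struct kobj *o)
{
    o->refcount++;
}

/* Drop one reference; free the object when the count reaches zero.
 * Returns 1 if the object was freed, 0 if other references remain. */
int kobj_release(struct kobj *o)
{
    if (--o->refcount > 0)
        return 0;
    memset(o, 0, sizeof *o);   /* poison so a stale read is obviously bogus */
    free(o);
    return 1;
}

/* Defect pattern: the holder drops its reference but keeps the pointer.
 * If that release was the last one, h->obj now dangles and any later use
 * through this holder is a use-after-free. */
void holder_drop_unsafe(struct holder *h)
{
    kobj_release(h->obj);
}

/* Hardened pattern: release and clear the pointer in one step, so a later
 * use sees "no object" instead of freed memory, and a repeated drop is a
 * no-op rather than a double free. */
void holder_drop_safe(struct holder *h)
{
    if (!h->obj)
        return;
    kobj_release(h->obj);
    h->obj = NULL;
}

/* Consumer: returns the object's value, or -1 if the holder is empty. */
int holder_read(const struct holder *h)
{
    if (!h->obj)
        return -1;
    return h->obj->value;
}

/* Scenario 1: two holders share one object. Holder A drops its reference
 * with the unsafe pattern, but the object stays alive because holder B
 * still owns a reference, so B's read is valid. A's pointer is now stale
 * (A owns nothing) and must not be used again. Returns B's value. */
int shared_object_survives(void)
{
    struct holder a = { kobj_alloc(42) };
    struct holder b = { a.obj };
    kobj_retain(b.obj);                /* refcount is now 2 */
    holder_drop_unsafe(&a);            /* refcount 1; object still live */
    int v = holder_read(&b);           /* 42 */
    holder_drop_safe(&b);              /* last reference; object freed */
    return v;
}

/* Scenario 2: the last reference is dropped through the safe path, so the
 * holder is empty afterwards and a repeated drop does not double-free.
 * Returns the read result after the drop (-1). */
int safe_drop_leaves_holder_empty(void)
{
    struct holder h = { kobj_alloc(7) };
    holder_drop_safe(&h);
    holder_drop_safe(&h);              /* no-op: h.obj is already NULL */
    return holder_read(&h);
}

int main(void)
{
    printf("B reads after A's unsafe drop: %d\n", shared_object_survives());
    printf("read after safe drop of last reference: %d\n",
           safe_drop_leaves_holder_empty());
    return 0;
}
```

The defender-side takeaway is the one Zhao's remark implies: the dangerous state is a live pointer to an object whose reference count has already been consumed, and the fix is to make the release and the invalidation of every path to the object a single operation, which a sanitizer such as ASan or KASan will flag if it is not.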
The Chaos exploit chain is built around two serious flaws, one in the Apple Safari web browser and one in iOS itself. The first is a memory corruption flaw in Safari's WebKit engine (CVE-2019-6227), while the second is a use-after-free memory corruption issue in the iOS kernel (CVE-2019-6225).
See: iPhone X, Xiaomi Mi 6 & Samsung Galaxy S9 hacked at Pwn2Own
The Safari browser vulnerability lets a malefactor create a malicious webpage containing scripts that can execute arbitrary code on the targeted device. Once that code runs, the attacker can use the second flaw to obtain elevated privileges and secretly install any malicious app, including malware designed for espionage or eavesdropping.
It is noteworthy that Apple patched both vulnerabilities in iOS version 12.1.3 a few days ago. This means devices still running the previous version, iOS 12.1.2, remain vulnerable to Chaos.