Stefan Esser, a hacker known as i0n1c, has posted an explanation of how his jailbreak of iOS 7.1.1 works.
The jailbreak, which has not yet been released, is unique in that it uses a kernel bug which is hidden inside functionality that can be easily reached, even from within the iOS application sandbox.
This means that the exploit code can be used to break out of any application that you exploit. This is very different from nearly all of the kernel vulnerabilities used in iOS jailbreaks since iOS 4. There have been only 2 publicly disclosed vulnerabilities that had this power. The first has been used in comex’s JailbreakMe3 and the other one is the posix_spawn() vulnerability disclosed by SektionEins during SyScan 2013 and later used by the jailbreak community in the p0sixpwn jailbreak.
Potential initial injection vectors for such an exploit are:
● exploit against an internal app like MobileSafari
● exploit against any vulnerable app from the AppStore
● exploit from within a developer/enterprise app
i0n1c says it is quite easy to deliver this exploit, especially because backed-up applications do not go away and can be re-exploited in the future. He plans to show ‘some instance’ of this within the ‘next weeks’.
The hacker also noted that with a jailbroken iOS 7.1.1 device it was possible to discover that the stack_guard stack canary vulnerability publicly disclosed in April 2013 is still unfixed in the latest iOS (and also Mac OS X) versions.
The bug in question allows a local attacker to call a target executable in such a way that the attacker controls the value of the stack_guard stack canary, which is used to stop stack buffer overflow vulnerabilities from being exploitable. This vulnerability therefore renders the stack canary mitigation in iOS useless against local attackers. For iOS this means that local attacks (persistence/untethering) that rely on stack buffer overflows are suddenly exploitable again or easier to exploit, because the attacker can control the value of the stack_guard.