Googler Ian Beer is at it again, not too long after he was responsible for an exploit in iOS 11.0-11.1.2 which gave us the first public jailbreak on iOS 11. As we reported earlier, the Google security researcher informed Apple and the company fixed the bug with the release of iOS 11.3.1; he has now released the proof-of-concept (POC) details of the exploit to the public.
So while iOS 11.3.1 includes a fix for it, any iPhone or iPad running a version of the software older than this release will still potentially be vulnerable. Beer originally discovered the flaw back in February and, according to the man himself, it is a “MacOS/iOS ReportCrash mach port replacement due to failure to respect MIG ownership rules”, which may not mean anything to most people. His description of what the proof of concept does is not much easier to understand for those of you who are not quite in Ian Beer’s league, but for those interested, here’s what he had to say about it.
ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes.
Most processes can talk to ReportCrash via their exception ports (either task or host level).
You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf when you crash. However, using the task_get_exception_ports or host_get_exception_ports MIG kernel methods you can get a send right to ReportCrash.
ReportCrash implements a mach_exc subsystem (2405) server and expects to receive mach_exception_raise_state_identity messages. The handler for these messages is at +0x2b11 in 10.13.3.
There is plenty more technical coverage over on the Chromium bug tracker, and Beer does say that the issue represents a “plausible exploitation scenario.”
With the bug now fixed in iOS 11.3.1 and POC details made public, we expect to see some developer from the jailbreak community pick up on it and make use of it for those on iOS 11.3 and below, although it’s still too early to say whether this could be turned into something like Electra, which, as mentioned earlier, is also based on Beer’s previous work on 11.0-11.1.2.