iOS 12 – iOS 12.1 Safari-Centric Exploit Released

Developer and security researcher Linus Henze has published an exploit for a bug in Safari on iOS and macOS that affects iOS 12.1 and below. The bug lies in the way RegEx matching is handled on the affected platforms.

Henze has released this work publicly because Apple has already patched the bug in the latest version of WebKit, which means it is no longer present in iOS 12.1.1 and later.

However, from a jailbreak perspective, this could potentially give someone with the right knowledge and skillset the basis to put together another JailbreakMe-esque creation that would allow devices to be liberated directly from within Safari on an iOS device.

If it could be combined with the other components needed to make this possible, there would be no need to install a jailbreak IPA file via tools like Cydia Impactor, and no need to repeat that process every time the device is rebooted or powered off. All of the jailbreak code injection could be done through Safari on the device, with no other tools or software required.

Some additional digging reveals that the exploit targets Safari on both iOS and macOS, but needs additional tweaking to work properly on iOS. According to the to-do list on the GitHub page, Henze appears to have plans to improve iOS support in a future update.

This is an optimization error in the way RegEx matching is handled. By setting lastIndex on a RegEx object to a JavaScript object which has the function toString defined, you can run code although the JIT thinks that RegEx matching is side effect free.

He also notes that the bug is very similar to a previous bug found by @5aelo. The release of this bug will, of course, mean that the jailbreak community will once again be up in arms about the potential of a jailbreak for iOS 12.x.
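The mechanism Henze describes, the regex engine calling back into user code while it coerces lastIndex, is ordinary ECMAScript behaviour and can be observed from plain JavaScript. The following is an added example written for this article, not Henze's code or the published exploit; it only logs the coercion callbacks and shows why an optimizer cannot treat RegExp matching as side-effect free. Both function names are assumptions of this example.

```javascript
// Added example (not the author's code). Per the ECMAScript spec, exec()
// reads lastIndex through ToLength, which runs ToPrimitive on an object
// value: valueOf is tried first, then toString. Each hook is user code
// that executes in the middle of a match.

// Runs one global exec() with an object-valued lastIndex and records
// the order of events so the side effect is visible.
function traceLastIndexCoercion(pattern, input) {
  const events = [];
  // The 'g' flag makes exec() start at lastIndex instead of 0.
  const re = new RegExp(pattern, 'g');
  re.lastIndex = {
    toString() {
      events.push('toString called during exec');
      return '0'; // coerced to the number 0, so matching starts at index 0
    },
  };
  const m = re.exec(input);
  events.push(m ? `matched "${m[0]}" at ${m.index}` : 'no match');
  // After a global match the engine writes a primitive number back.
  events.push(`lastIndex is now ${typeof re.lastIndex} ${re.lastIndex}`);
  return events;
}

// Shows the ToPrimitive ordering: valueOf runs first, and because it
// returns a non-primitive here the engine falls through to toString.
function coercionOrder() {
  const calls = [];
  const re = /a/g;
  re.lastIndex = {
    valueOf() { calls.push('valueOf'); return {}; },
    toString() { calls.push('toString'); return '0'; },
  };
  re.exec('a');
  return calls;
}

// Usage: constructed input, nothing is fetched or executed beyond the hooks.
console.log(traceLastIndexCoercion('b+', 'abbc'));
console.log(coercionOrder());
```

The point for anyone reviewing JIT code or writing fuzzers: any property read that goes through ToPrimitive is a potential re-entry point into script, and an optimization that assumes otherwise must be validated against exactly this kind of test.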

Currently, it is only possible to publicly jailbreak an iOS device running up to iOS 11.4 beta 3, using a tool like Electra or unc0ver. To date, multiple bugs and exploits in Apple's iOS 12 platform have been disclosed, but none of them has resulted in the release of a public jailbreak.

If this progresses, we will be sure to keep you in the loop.
