The IOSurface Bug (CVE-2017-13861) and its impact on JBs

Postby morpheus » Fri Dec 08, 2017 6:19 pm

(In an effort to provide one clear explanation, so people understand)

- Ian Beer has officially burned a valuable 0-day. This bug, henceforth known in the annals of history as CVE-2017-13861, was a Use-after-Free (UaF) in IOSurface. IOSurface is the kernel driver family which handles graphics, so it is accessible even from the normally tightly restricted sandboxed context of an application. This bug was described (albeit in Chinese) by Pangu's Tielei Wang ( ... 7551641600), and based on that description the super talented S1guza has already demonstrated an open source exploit in early stages of development (S1guza has so far obtained root, but Ian will demonstrate a SEND right to the kernel_task - in layman's terms, unfettered access to kernel memory).

Q: I didn't read all that. Will you be releasing a JB?

Q: Is Ian Beer releasing a JB?

Q: Is anyone releasing a JB?

A: NO, but Ian's work will be allowing anyone with enough dedication (and desire to slave off for a long time just to get ingrates following him and nagging him on Twitter) to develop one. Or - as he intends - to do private research. Or - (and I'm sure he doesn't intend that) to create great malicious apps which can be nasty APTs below iOS 11.2.

Q: So what does it mean?

A: It means that it is now possible to achieve control over the kernel in all versions of iOS before 11.2, and the corresponding versions of TvOS (<= 11.1), WatchOS (<= 4.1), because the bug is very likely exploitable in all of 'em.

Q: So should I update?

A: That's your call. iOS 10 will eventually be arbitrarily obsoleted by AAPL, who will decree whimsically some apps can only work as of iOS 11+. That said, by that time (iOS 12?13?) there may or may not be other exploitable bugs. iOS 11.1, 11.1.1 and 11.1.2 are identical kernel wise, so it doesn't matter. At any rate, THE BUG IS EXPLOITABLE ON ALL VERSIONS, EVEN 32-BIT, ON ALL DEVICES - It's just a matter of offsets for each device/version. And, incidentally, now that AAPL gave up on 32-bit, 10.3.3 will be forever exploitable (good news for iPhone 5 owners - @tihmstar, @s1guza - time to reincarnate Phœnix :-) )

Q: Can the JB be untethered?

A: THERE IS NO JAILBREAK. And even had there been a jailbreak, there can be no untethering without blowing a major 0-day in code signing. This also likely requires mounting the root filesystem r/w, which requires patching.

Q: Will this work on the iPhone 7? 8? X?

A: So long as it patches data only, or uses kernel based ROP, yes. On earlier devices, there's no reason why Luca Todesco's ingenious KPP bypass wouldn't work, with some changes.

Q: Will this enable [past/present/future]Restore?

A: Not necessarily. Don't count on it, since that's iBoot's responsibility, not the kernel's. The kernel could possibly help fix boot nonces, so save your blobs. And the /System/Library/Caches/apticket.der while you're at it.

Q: So what's recommended?

A: Update to iOS 11.1.2 or TvOS 11.1.2. If you're on TvOS 11.something already (but not 11.2, obviously) you can stay. iOS 11.1-11.1.2 have the same kernel.

Q: Are you releasing an exploit?

A: NO, NO and NO. Just wait and sometime next week Ian will drop the code. S1guza already has a PoC. Myself, I never have, do, or will release or disclose 0-days (I need them to write the MOXiI books..), and I only discuss bugs after they're blown by the great work of people like Ian in CVEs.

Q: And what's the jailbreak toolkit? (i.e. ... 4896675840)

A: I'm hoping to provide a CLOSED-SOURCE but FREE library for third party developers who want to quickly expand from the kernel_task to more capabilities (e.g. running unsigned code, abusing launchd, getting root, etc). This library will be CLOSED SOURCE (It's a heap of work, and is based on a commercial product my company, Technologeeks, is announcing) so THERE IS NO REASON WHY THIS SHOULD BE OPEN SOURCE. But I still will make it free, and this allows for a very quick and simple inclusion of the dylib in any project, and a few API calls to achieve all the common functions which are straightforward (if you know what you're doing) but still with very little room for error. That serves to build on, and extend Ian's work, and be forward or backward portable (with some maintenance for offsets) to any version of iOS FOR WHICH THERE IS ALREADY PRE-EXISTING EXPLOIT CODE WHICH GETS THE KERNEL TASK PORT.

Q: So..... someone could use this for a jailbreak?

A: Sure. If s/he wanted to, and gave the right credit where due.

Q: Why isn't it a full jailbreak now?

A: Because doing a full JB with Cydia and third party tweaks requires bypassing Apple's formidable (but still imperfect) code signing. One of the trivial ways of doing so is patching kernel code (specifically AMFI hooks and/or that despicable amfid), and that's no longer trivially possible on iPhone 7 and later due to hardware protections (a.k.a. AMCC or KTRR).

Q: So WHAT is this toolkit good for?

A: If you're asking this, the toolkit is not useful for you.

Q: Will I be able to use the jailbreak toolkit?

A: If you ever uttered, wrote, or even thought the words "wen eta jb", the answer is no.
If you're into iOS research and can handle C code, yep, and it will be to you what SuperSU (Greet: Chainfire - you rock, man!) is to Android. Incidentally, it's basically just applying stuff that I explain in Volume III of MOXiI.. ;)

Q: What about LiberTV?

A: Might be updated, might not. I specifically asked people to A) NOT MIRROR the download links B) Not Beg C) Not complain D) Maybe contribute to charity. They did all of A-C and virtually none of D. I've lost hope and grown tired of catering to ingrates.

Have a nice day. And someone please refer to this from reddit so people stop speculating about stuff they haven't the foggiest notion about.