In today's video, we're discussing a great kernel vulnerability for iOS 11.2 up to iOS 11.2.6 that was released just a few hours ago by a security researcher. It is an info leak: the kernel leaks one of its own pointers into the x18 general purpose register, where it is visible in crash logs and by reading x18 while debugging your app live with Xcode.
This vulnerability is very impressive because it brings kASLR (Kernel Address Space Layout Randomization) to its knees. kASLR shifts the whole kernel by a random slide at boot, so a hard-coded kernel address is useless until you know that slide. With the leaked pointer in hand, you subtract the address the same object has in the unslid kernelcache and you have the slide, defeating one of the important security measures of modern iOS.
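As an added example (not code from the video, from the write-up it links, or from the researcher), here is a small C program that does the two things described above: it pulls x18 out of the register dump in an iOS crash log and turns the leaked kernel pointer into the kASLR slide. The crash-log snippet is constructed, the addresses UNSLID_TARGET and UNSLID_KERNEL_BASE are placeholders (the real ones come from the decrypted kernelcache of the exact build and device), and the 0x200000 slide granularity is an assumption used only as a sanity check. The trigger that leaves the pointer in x18 is in the write-up and is not reproduced here; read_x18() only reads the register.

```c
/*
 * Added example (not code from the video or from the write-up it discusses).
 * Step 1: pull x18 out of the register dump in an iOS crash log.
 * Step 2: slide = leaked pointer - unslid address of the same object.
 * UNSLID_TARGET and UNSLID_KERNEL_BASE are placeholders, not real values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KERNEL_PTR_MASK    0xfffffff000000000ULL /* arm64 iOS kernel VAs start with 0xfffffff0 */
#define KSLIDE_GRANULE     0x200000ULL           /* slide is a multiple of 2 MiB (assumption) */

/* Placeholder addresses (assumed, not taken from any real kernelcache). */
#define UNSLID_TARGET      0xfffffff0070a4000ULL /* unslid address of the object x18 pointed to */
#define UNSLID_KERNEL_BASE 0xfffffff007004000ULL /* unslid kernel __TEXT base */

/* Constructed register dump in the layout Apple crash logs use; values are made up. */
static const char sample_crash_log[] =
    "Thread 0 crashed with ARM Thread State (64-bit):\n"
    "    x0: 0x0000000000000000   x1: 0x000000016fdfb4a8   x2: 0x0000000000000000   x3: 0x0000000000000001\n"
    "   x16: 0x00000001b0e2d0b4  x17: 0x0000000000000000  x18: 0xfffffff01a0a4000  x19: 0x0000000000000000\n"
    "    fp: 0x000000016fdfb440   lr: 0x0000000100c0a5f4   sp: 0x000000016fdfb420   pc: 0x0000000100c0a600\n";

/* Locate "x18:" in a register dump and parse the hex value that follows it. */
bool parse_x18(const char *log, uint64_t *out)
{
    const char *p = strstr(log, "x18:");
    if (p == NULL) return false;
    p += strlen("x18:");
    while (*p == ' ') p++;
    char *end = NULL;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return false;
    *out = (uint64_t)v;
    return true;
}

/* Read x18 directly when running on the device under Xcode or lldb. Only the
 * vulnerable builds leave a kernel pointer here, and only after the trigger
 * described in the write-up, which this example does not reproduce. */
uint64_t read_x18(void)
{
#if defined(__aarch64__)
    uint64_t v;
    __asm__ volatile("mov %0, x18" : "=r"(v));
    return v;
#else
    return 0; /* not an arm64 build: nothing to read */
#endif
}

/* Turn a leaked kernel pointer into the slide: slide = leaked - unslid.
 * Rejects values that cannot be a slid version of the unslid address. */
bool compute_kslide(uint64_t leaked, uint64_t unslid, uint64_t *slide_out)
{
    if ((leaked & KERNEL_PTR_MASK) != KERNEL_PTR_MASK) return false; /* not a kernel pointer */
    if (leaked < unslid) return false;                               /* slide would be negative */
    uint64_t slide = leaked - unslid;
    if (slide % KSLIDE_GRANULE != 0) return false;                   /* not on a slide boundary */
    *slide_out = slide;
    return true;
}

/* Crash log -> slide and slid kernel base, using the placeholder addresses. */
bool slide_from_crash_log(const char *log, uint64_t *slide_out, uint64_t *kbase_out)
{
    uint64_t x18, slide;
    if (!parse_x18(log, &x18)) return false;
    if (!compute_kslide(x18, UNSLID_TARGET, &slide)) return false;
    *slide_out = slide;
    *kbase_out = UNSLID_KERNEL_BASE + slide;
    return true;
}

int main(void)
{
    uint64_t slide, kbase;
    if (!slide_from_crash_log(sample_crash_log, &slide, &kbase)) {
        puts("no usable x18 value in the log");
        return 1;
    }
    printf("leaked x18 -> kASLR slide 0x%llx, slid kernel base 0x%llx\n",
           (unsigned long long)slide, (unsigned long long)kbase);
    return 0;
}
```

The sanity checks in compute_kslide matter in practice: a register dump from a non-vulnerable build, or a crash where x18 simply holds a userland value, should be rejected rather than silently produce a nonsense slide that later turns into a kernel panic.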
This kernel vulnerability has been patched in iOS 11.3, and it is probably one of the kernel vulnerabilities listed on the iOS 11.3 security content page.
Since the vulnerability was made public together with a full write-up, developers can now start experimenting with it and building on top of it. This single vulnerability is NOT enough to build a jailbreak, but being able to defeat kASLR is a damn good starting point. With yet another kernel vulnerability due to receive a write-up from another researcher in a few months, the dust is starting to settle for iOS 11.2.x.
In other news, iOS 11.2.6 has (coincidentally?) been unsigned by Apple today, so it is no longer possible to restore to it, or to upgrade to it with SHSH2 blobs, because iOS 11.3's SEP and baseband aren't compatible with 11.1.2.
▽ Resources ▽
▶ Learn how to make iOS Apps!
▶ Security contents of iOS 11.3
▶ The write-up of this kernel vulnerability
▶ Min (Spark) Zheng's iOS 11.3 0day details
▶ How to downgrade 32-Bit devices to iOS 8.4.1
▶ Electra 1.0.4 UPDATE Released