Ian Beer of Google's Project Zero has followed up on a “coming soon” Twitter teaser with a jailbreakable iOS and Mac OS vulnerability.

Beer went public after Apple worked out a fix for the kernel memory corruption bug. He even launched a Twitter account for the occasion:

“If you're interested in bootstrapping iOS 11 kernel security research keep a research-only device on iOS 11.1.2 or below.”

(For non-programmers: tfp0 stands for “task for pid 0” – the kernel task port, and therefore the vector for pwnage.)

A second tweet announced the release itself: “iOS 11.1.2, now with more kernel debugging: tfp0 should work for all devices, the PoC local kernel debugger only for those I have to test on (iPhone 7, 6s and iPod Touch 6G) but adding more support should be easy”.

The release is designed to let others take their own toolkits to Apple devices, ultimately to improve their security. Apple had already patched the bugs the week before, so anyone who does not need to jailbreak a research device should simply update.

The issue Beer found starts with Apple's Mach kernel implementation, and the Mach interface generator (MIG).

Beer was already familiar with MIG's behaviour, having turned up CVE-2016-7612 and CVE-2016-7633 last year, and in September 2016 wrote: “Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”

Beer's step-by-step explanation is in the readme file of his PoC (linked in the Project Zero post):

First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports.

Second, he triggered an out-of-bounds read for “various kalloc sizes” to identify “the most commonly-leaked kernel pointer”.

Next, he sent Mach messages to gather “a pretty large number of kalloc allocations”. With enough Mach port allocations, Beer gathered a page “containing only my ports”.

The port address disclosure provided “a port which fits within particular bounds on a page. Once I've found it, I use the IOSurface bug to give myself a dangling pointer to that port”.

Then: “I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages)”. Careful reallocation (1 MB at a time) made the zone garbage collector trigger and “collect the page that the dangling pointer points to”, so that the freed page of ports could be handed back out as a kalloc.4096 buffer whose contents he controlled.

Beer continued that “the bsdinfo->pid trick” let him build an arbitrary read primitive to find the kernel task's vm_map and the kernel's ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.

Beer said he had tested the exploit on iPhone 6s, iPhone 7, iPod Touch 6G, and Mac OS 10.13 on a MacBook Air 5.
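The step that decides whether the dangling port pointer is useful is the one where the page of freed ports is garbage-collected and re-issued as a kalloc.4096 buffer. The following user-space model, added here as an illustration and not taken from Beer's PoC, shows why: a freed slot that still belongs to the port zone cannot be claimed by a kalloc.4096 allocation until a GC pass returns the whole page to the free pool, after which the stale pointer reads attacker-chosen fields. All names (mport, port_alloc, zone_gc, kalloc_4096, FAKE_KTASK, the 256-byte object size) are made up for the model and do not touch XNU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      4096
#define PORT_SIZE      256            /* model value, not XNU's real ipc_port size */
#define PORTS_PER_PAGE (PAGE_SIZE / PORT_SIZE)
#define FAKE_KTASK     0xfffffff0deadbeefULL   /* made-up "kernel task" address */

/* Stand-in for the port fields that matter in this model (assumed layout). */
struct mport {
    uint32_t ip_bits;        /* nonzero: active */
    uint32_t ip_references;
    uint64_t ip_kobject;     /* for a task port: the task it names */
    uint8_t  pad[PORT_SIZE - 16];
};

enum owner { OWNER_PORT_ZONE, OWNER_FREE, OWNER_KALLOC4096 };

static uint8_t    page[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
static bool       slot_used[PORTS_PER_PAGE];
static enum owner page_owner = OWNER_PORT_ZONE;

static void reset(void) {
    memset(page, 0, sizeof page);
    memset(slot_used, 0, sizeof slot_used);
    page_owner = OWNER_PORT_ZONE;
}

/* Port zone: carve PORT_SIZE objects out of the single page. */
static struct mport *port_alloc(void) {
    if (page_owner != OWNER_PORT_ZONE) return NULL;
    for (int i = 0; i < PORTS_PER_PAGE; i++) {
        if (!slot_used[i]) {
            slot_used[i] = true;
            struct mport *p = (struct mport *)(page + i * PORT_SIZE);
            p->ip_bits = 1; p->ip_references = 1; p->ip_kobject = 0;
            return p;
        }
    }
    return NULL;
}

/* Freeing a port marks it inactive but leaves the memory inside the port zone. */
static void port_free(struct mport *p) {
    int i = (int)(((uint8_t *)p - page) / PORT_SIZE);
    slot_used[i] = false;
    p->ip_bits = 0;
}

/* Zone GC: an entirely empty page goes back to the general pool only when GC runs. */
static bool zone_gc(void) {
    for (int i = 0; i < PORTS_PER_PAGE; i++)
        if (slot_used[i]) return false;
    page_owner = OWNER_FREE;
    return true;
}

/* kalloc.4096 needs a whole free page; a page still held by the port zone is off limits. */
static uint8_t *kalloc_4096(void) {
    if (page_owner != OWNER_FREE) return NULL;
    page_owner = OWNER_KALLOC4096;
    return page;
}

/* Failure mode: without a GC pass the emptied page is never reused by kalloc.4096.
   This is what the 1 MB-at-a-time reallocation in the write-up exists to provoke. */
bool kalloc_without_gc_fails(void) {
    reset();
    struct mport *ports[PORTS_PER_PAGE];
    for (int i = 0; i < PORTS_PER_PAGE; i++) ports[i] = port_alloc();
    for (int i = 0; i < PORTS_PER_PAGE; i++) port_free(ports[i]);
    return kalloc_4096() == NULL;
}

/* Full sequence: fill the page with our ports, keep a stale pointer to one, free
   everything, run GC, reclaim the page as kalloc.4096 and fill it with fake task
   ports. The stale pointer now names a "task" of our choosing. */
uint64_t dangling_reads_fake_task(void) {
    reset();
    struct mport *ports[PORTS_PER_PAGE];
    for (int i = 0; i < PORTS_PER_PAGE; i++) ports[i] = port_alloc();
    struct mport *dangling = ports[PORTS_PER_PAGE / 2];  /* stands in for the IOSurface stale reference */
    for (int i = 0; i < PORTS_PER_PAGE; i++) port_free(ports[i]);
    if (!zone_gc()) return 0;
    uint8_t *buf = kalloc_4096();
    if (!buf) return 0;
    /* Spray every slot so we need not know which one the dangling pointer lands in. */
    for (int i = 0; i < PORTS_PER_PAGE; i++) {
        struct mport fake = { .ip_bits = 1, .ip_references = 0x1000, .ip_kobject = FAKE_KTASK };
        memcpy(buf + i * PORT_SIZE, &fake, sizeof fake);
    }
    return dangling->ip_kobject;
}

int main(void) {
    printf("without GC: kalloc.4096 reuse %s\n", kalloc_without_gc_fails() ? "fails" : "succeeds");
    printf("after GC: dangling port's kobject = 0x%llx\n",
           (unsigned long long)dangling_reads_fake_task());
    return 0;
}
```

The model collapses the kernel's many zones into one page, but the ordering constraint it enforces is the real one the write-up depends on: the port-zone page has to be completely empty and then garbage-collected before a different zone can hand it out again, which is why the exploit frees all the other ports first and then allocates in large, measured steps.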