Since November last year, we have seen Chinese security researchers show off an iOS 12 exploit but they never got around to detailing it or releasing it to the public. Today though, Qixun Zhao of the Qihoo 360 Vulcan team has provided a detailed write-up of his Chaos PoC paving the way for a possible iOS 12 jailbreak on pre-A12 devices
In his write up, Zhao has detailed a “kernel vulnerability that can be reached directly in the sandbox. (I name it Chaos), so after getting the RCE of Safari, we can trigger this vulnerability directly from the Safari sandbox, and finally reach the remote jailbreak.” The kernel exploit will only work on pre-A12 devices i.e. it will not work on the iPhone XS, iPhone XS Max, or the iPhone XR. However, older iPhones like the iPhone X, iPhone 8 Plus, and iPhone 8 are vulnerable.
Here’s another interesting tidbit from the Chaos exploit writeup:
However, if you are a sophisticated vulnerability digger, you should have a keen sense of touch. The first time I think that this part of the code is definitely lacking review and the quality is not good. After all, here is the code that can be directly in the sandbox. This means that the kernel writer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above, so I started looking for these MIG-related kernel functions, of course, sandboxed. This also inspired me. Some methods of exploiting vulnerabilities later.
Disappointingly, Zhao is not releasing the exploit code which means someone else from the jailbreak community will have to write it and then create a jailbreak tool for iOS 12 and A12 devices.
The exploit will work on iOS 12 versions lower than iOS 12.1.2 so if you have already upgraded to iOS 12.1.2/iOS 12.1.3, you should downgrade back to iOS 12.1.1 as soon as possible while Apple is still signing it. And if you are still running iOS 11 on your old iPhone, stick to it and do not upgrade to iOS 12.
There’s no word or ETA of when someone from the jailbreak community will use the exploit to turn it into a possible iOS 12 jailbreak so it is better to be safe than sorry.
[Via 360 Core Security]