KASLR bypass achieved on iOS 11.2.6

After hacking iOS 11.1.2 successfully, hackers have turned their sights towards iOS 11.2. Here’s a new tool that successfully bypasses KASLR on iOS 11.2.6 firmware.

KASLR is no longer a hurdle in iOS 11.2.6

extra_recipe_extra_bug tool successfully bypasses KASLR, Apple’s most feared protective measure. It is developed by Norwegian security researcher John Åkerblom.

Apple was supposed to add a value twice to a function.

However, Apple engineers added an unverified value to the function, which results in a heap overflow. This is where this bug works its magic.

As its name suggests, extra_recipe_extra_bug is an extension of the original extra_recipe jailbreak by Xerub.

This bug is not to be confused with the original tool, which was actually a jailbreak.

For the uninitiated, extra_recipe was developed for iOS 10-10.1.1 firmware and was touted as a better alternative for mach_portal.

Surprisingly, the original code is still useful even on a modern version like iOS 11.2.6.

You can download the Xcode project below and take it for a test drive (only if you know what you are doing).

Download extra_recipe_extra_bug

• Xcode project file

Can this lead to a jailbreak?

While this alone can’t lead to a jailbreak, it is one of the components of a full-blown jailbreak tool.

With that said, a functional KASLR bypass lays the groundwork for future exploitation of iOS 11.2.6 and older versions.

Once a kernel exploit gets released publicly, developing a jailbreak will definitely become easier.

If you are currently using iOS 11.2.6 (or below), sit tight as a jailbreak or nonce setter tool might not be as far away as it seems.

For more iOS security updates, follow us on Twitter and Facebook.