Team Pangu is finally back after quite a long hiatus from iOS and jailbreak development. Here’s what a Team Pangu member shared on Twitter.
iOS 11.2 patches IOSurface Kernel extension
iOS kernel is about to get a whole lot more secure as Apple patches a buggy kernel extension in 11.2.
Wang Tielei, a member of Team Pangu, has just disclosed that Apple has fully patched the IOSurface kernel extension. Moreover, Apple has also fixed a few other modules that were vulnerable to similar attacks.
Here’s a tweet from Wang’s official Twitter handle that confirms this.
IOSurface is one of my favorite kernel extensions. We had a talk at @SyScan360 that introduced the long bug history in IOSurface. This time Apple also fixed a few similar issues in other modules. A big loss.
— Tielei (@WangTielei) December 5, 2017
Team Pangu discovered this vulnerability sometime in 2016. They then used it extensively to develop exploits for iOS in a research environment.
According to Wang, this is a “big loss” for iOS hackers, in general, and jailbreak developers, in particular.
For those who don’t know, a bug in the IOSurface kernel extension allows hackers to develop an exploit from within the sandbox.
The real vulnerability lies in a method of the IOSurfaceRootUserClient class that can trigger a use-after-free (UAF) on a Mach port, which the attacker then abuses to leak critical information.
How IOSurface UAF Port vulnerability works
It is difficult to explain the mechanism of this vulnerability to a layman, but here’s a brief explanation of how it works:
- The hacker creates a port and then releases it. The user-mode port name still refers to the kernel port address that has just been freed (the use-after-free).
- The hacker then performs a cross-zone attack so that the freed memory is reallocated and filled with a fake port.
- The address of the port becomes readable, leading to a heap address leak.
- Using that leak, the hacker obtains the base address of the kernel.
- By filling the freed memory with a fake task port, the hacker achieves kernel read-write permissions.
Affected iOS versions
This vulnerability is present in pretty much all iOS firmware versions older than iOS 11.2. Here’s a summary of the affected firmware versions:
iOS 10.3.x versions are vulnerable to a similar exploit. Although iOS 10.3 hardened the kernel task port, this vulnerability is still present in these versions.
This vulnerability is also present in all iOS 11 versions up to iOS 11.1.2. In iOS 11, Apple implemented several measures to prevent cross-zone attacks.
However, Team Pangu still found a way to trigger the bug through another method. This means the vulnerability still exists in all versions below iOS 11.2.
Will this make jailbreak development hard?
Yes, it certainly will. Hackers rely on IOSurface to discover vulnerabilities and subsequently build exploits.
Unfortunately, this loophole has now been fully closed by Apple and it will be hard to find new vulnerabilities in iOS. Jailbreak development was already too hard a nut to crack, even for veteran iOS security researchers.
Things are definitely not looking good at the moment and when Pangu complains about iOS patches being a “big loss”, you know something’s not quite right.