Sandbox Escape vulnerability PoC released for iOS 11.2.2 and below

After an excruciating dry spell of months without any new exploits, we finally have something to look forward to. Zimperium zLabs has just released a new exploit for iOS 11.2.2 and older firmware versions.

Zimperium zLabs Team releases Sandbox Escape PoC

Israeli security researcher Rani Idan has just published a detailed write-up of his iOS 11.2 vulnerability.

This proof of concept exploits a vulnerability in the bluetoothd daemon of iOS 11.2.2 firmware. Although the proof of concept targets the bluetoothd daemon, the same technique can be applied to several other daemons as well.

Here’s a simplified explanation of how this proof of concept works:

  • A client communicates with the bluetoothd daemon and starts a session.
  • The hacker targets the daemon through a malicious application and brute-forces the session token.
  • The malicious application then adds callbacks to the client process.
  • This allows the hacker to gain the permissions necessary to escape the sandbox.

Which versions are compatible with this vulnerability?

Since Zimperium is a legitimate security company, it always reports the vulnerabilities it finds to the respective device manufacturers.

In this case, they already sent the vulnerability to Apple so they could promptly patch it. Surprisingly, Zimperium zLabs discovered this vulnerability back in November 2017.


Apple fixed vulnerabilities CVE-2018-4087 and CVE-2018-4095 in iOS 11.2.5, tvOS 11.2.5, and watchOS 4.2.2 in January 2018, two months after its discovery.

Therefore, the proof of concept can only be used on iOS 11.2.2 and earlier versions.

According to Idan, Apple’s patch isn’t up to par, which leaves room for further exploitation.

Can this lead to an iOS 11.2.2 jailbreak?

Considering this is a proof of concept and not a full exploit, I believe not much will come of it.

However, we can still get an iOS 11.2.x port for semi-jailbreak applications such as Houdini and Torngat.

A new version of Electra jailbreak is pretty much out of the question at this point in time.


With that said, any progress is good progress and this will allow other hackers and jailbreak developers to continue their research on iOS 11.2.x firmware.

