Although Abraham Masri has left the jailbreak community, he keeps the goodies coming: today the young hacker released a new, as yet unpatched vulnerability in the iOS 11.3 beta.
How racer#2 PoC overflow vulnerability works
Dubbed racer#2, the latest proof-of-concept by hacker Abraham Masri triggers a buffer overflow in securityd, the system daemon of iOS 11.3 that handles keychain and credential operations outside the app sandbox.
The overflow gives the attacker control over certain CPU registers. On its own, however, that control is useless, because the PoC goes on to reach a memcpy() call that operates on the corrupted state and brings the process down before anything useful can be done with the registers.
If the attacker can divert execution before memcpy() is reached, that register control could be turned into arbitrary (unsigned) code execution inside securityd.
Doing so requires a "certain technique", which Abraham, understandably, did not disclose.
Things will become clearer when Abraham publishes an in-depth write-up of the proof-of-concept, which he says he will do in the near future.
How can hackers use racer#2
According to security researcher Siguza, racer#2 could potentially lead to a sandbox escape, since code running inside securityd is no longer confined by the app sandbox.
He initially presumed that it could also lead to root access, but quickly redacted that statement.
He also pointed out that he will not be working on this proof-of-concept anytime soon.
All in all, in its present form racer#2 is a crash-only proof-of-concept with the potential to become a sandbox escape, not a working exploit.
Where does this leave us?
Don't get your hopes too high just yet, because Apple already knows that this vulnerability exists.
Abraham reported it to Apple on March 4, purportedly as part of the bug bounty program.
Since iOS 11.3 is still in beta, Apple can be expected to fix racer#2 before the final "Golden Master" build ships.
Moreover, jailbreak developers do not build tools around beta firmware, whose bugs tend to disappear before release.
Taken together, this makes the vulnerability of no practical use to anyone hoping to jailbreak a beta build of iOS 11.3.
Here are some more vulnerabilities that were discovered for iOS 11.2 and above –
- Sandbox Escape vulnerability PoC released for iOS 11.2.2 and below
- Adam Donenfeld discovers a heap overflow vulnerability in iOS 11.2.2
For more iOS security news, follow us on Twitter and Facebook.