Just what we've been saying all this time.
* It has nothing to do with Ian Beer's exploit for versions up to and including 11.1.2.
Posted 07/12/2017 - 22:30
So Siguza makes good on his promise, releasing v0rtex.
On December 5th, windknown posted about an IOSurface mach port UaF on the Pangu blog, which had been fixed in iOS 11.2 and apparently reported by Ian Beer. Now I neither speak Chinese nor really trust Google Translate with details, but the PoC on the Pangu blog was enough to illustrate the vulnerability and get me going.
There are a lot of things referenced in this write-up that I have not or only partially explored. I’ll likely come back to expand or correct these once I learn more, but I wanted to get this write-up out as a sort of documentation for other devs who might wanna chip in.
Also, I didn’t really proof-read this, I just wanna get the info out at the moment.
Nice things are coming..
Posted 08/12/2017 - 17:28
Posted 08/12/2017 - 19:17
Maybe we'll see some light after a long time.. on my 7 and 7+ I'm staying firmly on 11.1 because I've been completely satisfied with it..
Posted 08/12/2017 - 23:51
Last edited by: pakos30, 08/12/2017 - 23:54.
Posted 08/12/2017 - 23:56
Maybe something is coming your way
https://twitter.com/...164304896675840
Last edited by: billytilaver, 08/12/2017 - 23:56.
Posted 09/12/2017 - 01:06
So on a 6 and a 6s, should I go down to 11.1.2 or 11.1.1, which do you recommend? Will it give a jb for these devices?
If you're on 11.2, you go to 11.1.2.
Yep.
Posted 09/12/2017 - 12:07
Morpheus gives the basic information, clarifying the obvious.
- Ian Beer has officially burned a valuable 0-day. This bug, henceforth known in the annals of history as CVE-2017-13861, was a Use-after-Free (UaF) in IOSurface. IOSurface is the kernel driver family which handles graphics, so it is accessible even from the normally tightly restricted sandboxed context of an application. This bug was described (albeit in Chinese) by Pangu's Tielei Wang (https://twitter.com/... ... 7551641600), and based on that description the super talented S1guza has already demonstrated an open source exploit in early stages of development (https://twitter.com/...534923761221632). S1guza has so far obtained root, but Ian will demonstrate a SEND right to the kernel_task - in layman's terms, unfettered access to kernel memory.
Q: I didn't read all that. Will you be releasing a JB?
A: NO
Q: Is Ian Beer releasing a JB?
A: NO
Q: Is anyone releasing a JB?
A: NO, but Ian's work will be allowing anyone with enough dedication (and desire to slave off for a long time just to get ingrates following him and nagging him on Twitter) to develop one. Or - as he intends - to do private research. Or - (and I'm sure he doesn't intend that) to create great malicious apps which can be nasty APTs below iOS 11.2.
Q: So what does it mean?
A: It means, that it is now possible to achieve control over the kernel in all versions of iOS before 11.2, and the corresponding versions of TvOS (<= 11.1), WatchOS (<= 4.1), because the bug is very likely exploitable in all of 'em.
Q: So should I update?
A: That's your call. iOS 10 will eventually be arbitrarily obsoleted by AAPL, who will decree whimsically some apps can only work as of iOS 11+. That said, by that time (iOS 12?13?) there may or may not be other exploitable bugs. iOS 11.1, 11.1.1 and 11.1.2 are identical kernel wise, so it doesn't matter. At any rate, THE BUG IS EXPLOITABLE ON ALL VERSIONS, EVEN 32-BIT, ON ALL DEVICES - It's just a matter of offsets for each device/version. And, incidentally, now that AAPL gave up on 32-bit, 10.3.3 will be forever exploitable (good news for iPhone 5 owners - @timhstar, @s1guza - time to reincarnate Phœnix )
Can the JB be untethered?
A: THERE IS NO JAILBREAK. And even had there been a jailbreak, there can be no untethering without blowing a major 0-day in code signing. This also likely requires mounting the root filesystem r/w, which requires patching.
Will this work on The iPhone 7? 8? X?
A: So long as it patches data only, or uses kernel based ROP, yes. On earlier devices, there's no reason why Luca Todesco's ingenious KPP bypass wouldn't work, with some changes.
Will this enable [past/present/future]Restore?
A: Not necessarily. Don't count it, since that's iBoot's responsibility, not the kernel's. The kernel could possibly help fix boot nonces, so save your blobs. And the /System/Library/Caches/apticket.der while you're at it.
So what's recommended?
A: Update to iOS 11.1.2 or TvOS 11.1.2. If you're on TvOS 11.something already (but not 11.2, obviously) you can stay. iOS 11.1-11.1.2 have the same kernel.
Are you releasing an exploit?
NO, NO and NO. Just wait and sometime next week Ian will drop the code. S1guza already has a PoC. Myself, I never have, do, or will release or disclose 0-days (I need them to write the MOXiI books..), and I only discuss bugs after they're blown by the great work of people like Ian in CVEs.
And what's the jailbreak toolkit? (i.e. https://twitter.com/... ... 4896675840)
A: I'm hoping to provide a CLOSED-SOURCE but FREE library for third party developers who want to quickly expand from the kernel_task to more capabilities (e.g. running unsigned code, abusing launchd, getting root, etc). This library will be CLOSED SOURCE (It's a heap of work, and is based on a commercial product my company, Technologeeks, is announcing) so THERE IS NO REASON WHY THIS SHOULD BE OPEN SOURCE. But I still will make it free, and this allows for a very quick and simple inclusion of the dylib in any project, and a few API calls to achieve all the common functions which are straightforward (if you know what you're doing) but still with very little room for error. That serves to build on, and extend Ian's work, and be forward or backward portable (with some maintenance for offsets) to any version of iOS FOR WHICH THERE IS ALREADY PRE-EXISTING EXPLOIT CODE WHICH GETS THE KERNEL TASK PORT.
So..... someone could use this for a jailbreak?
Sure. If s/he wanted to, and gave the right credit where due.
Why isn't it a full jailbreak now?
Because doing a full JB with Cydia and third party tweaks requires bypassing Apple's formidable (but still imperfect) code signing. One of the trivial ways of doing so is patching kernel code (specifically AMFI hooks and/or that despicable amfid), and that's no longer trivially possible on iPhone 7 and later due to hardware protections (a.k.a AMCC or KTRR).
So WHAT is this toolkit good for?
If you're asking this, the toolkit is not useful for you.
Will I be able to use the jailbreak toolkit?
If you ever uttered, wrote, or even thought the words "wen eta jb", the answer is no.
If you're into iOS research and can handle C code, yep, and will it be to you what SuperSU (Greet: Chainfire - you rock, man!) is to Android. Incidentally, it's basically just applying stuff that I explain in Volume III of MOXiI..
What about LiberTV?
Might be updated, might not. I specifically asked people to A) NOT MIRROR the download links B) Not Beg C) Not complain D) Maybe contribute to charity. They did all of A-C and virtually none of D. I've lost hope and grew tired of catering to ingrates.
Posted 09/12/2017 - 14:31
Posted 09/12/2017 - 15:04
Posted 09/12/2017 - 15:08
Last edited by: pakos30, 09/12/2017 - 15:09.
Posted 09/12/2017 - 16:59
I'm on 10,3,3, do I have any hope, or should I update?
Posted 09/12/2017 - 17:03
So it will be via some profile that we install, I imagine, not semi?
Nikos, let me ask you something else: when the jb eventually comes out, for all of us who use our phones for our transactions, will we have security issues with our accounts with the jb, or is there no problem?
It will be Semi Untethered, as has been the case for the last 2 years.
As for security issues, again, what has always applied still applies..
As long as you know what you're installing and don't experiment, and have additionally changed the SSH password, you won't have any problem.
I'm on 10,3,3, do I have any hope, or should I update?
Obviously 10.2+ is included as well.
Whether you want to go to 11.1.2 is another story.