A security researcher with the Qihoo 360 Vulcan Team, Qixun Zhao (@S0rryMybad), has revealed the second stage of an exploit chain in which he was able to remotely jailbreak the latest iOS system on iPhone X.
In a January 23 blog post, Zhao released the proof of concept (PoC) of a kernel vulnerability that can be reached in the sandbox, which he dubbed Chaos. For the benefit of beginners, he provides what he calls elaborate details on the tfp0 exploit, though he does not reveal the exploit code.
Instead, he stated, “if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community.”
Zhao does demonstrate the jailbreak in a video posted to Twitter..
Following his intuition, Zhao said he believed there would be a path that would cause a leak, which he found could be exploited before iOS 12 even started in the sandbox.
Noting that the bug has been fixed in the most recent version, Zhao wrote, “As soon as I saw the code I felt that this part of the code is definitely lacking review and the quality is not high enough. After all, the code that can be directly reached in the sandbox, that means the kernel developer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above.”