Google security researcher Ian Beer has published proof-of-concept code for a kernel exploit that gives root-level access on both iOS and macOS devices.
Beer teased the publication of the code last week via a tweet on his newly created Twitter account.
If you're interested in bootstrapping iOS 11 kernel security research keep a research-only device on iOS 11.1.2 or below. Part I (tfp0) release soon. — Ian Beer (@i41nbeer), December 5, 2017
Yesterday, he published a link to a Google Project Zero discussion about a vulnerability in the iOS and macOS kernels.
tfp0 should work for all devices, the PoC local kernel debugger only for those I have to test on (iPhone 7, 6s and iPod Touch 6G) but adding more support should be easy — Ian Beer (@i41nbeer), December 11, 2017
In the discussion, the researcher explains that a memory corruption bug in the kernel lets an attacker execute code with kernel-level privileges, i.e. full control of the device.
Apple patched the bug at the heart of this exploit two weeks ago. For iOS, Apple tracks the bug as CVE-2017-13861 and fixed it in iOS 11.2, released on December 2. It is unclear which CVE identifier the macOS fix carries, since Apple's security advisories do not include detailed descriptions of each fixed issue.
Jailbreaking projects have said they plan to integrate Beer's code into their tools. Beer's PoC allows users to root devices running iOS 11.1.2 or earlier; devices updated to iOS 11.2 are not affected.
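For defenders the practical question is which devices in a fleet still run a build older than the iOS 11.2 fix. The following is an added example (not code from the original article or from Beer's PoC): it compares reported iOS version strings against the first fixed release and flags devices that remain exposed to CVE-2017-13861. The inventory format and device names are constructed for the example; the only fact taken from the article is that iOS 11.2 carries the fix.

```python
"""
Flag devices whose iOS build predates the CVE-2017-13861 fix (iOS 11.2).

Added example for this article; not Apple's, Beer's, or any MDM vendor's code.
The inventory layout (a list of {"name", "os_version"} dicts) and the device
names are constructed assumptions for illustration.
"""
from typing import Dict, List, Tuple

# First iOS release containing the fix for CVE-2017-13861 (from the article).
FIXED_IOS_VERSION = "11.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.1.2' into (11, 1, 2).

    Numeric tuples avoid the string-ordering trap where '11.10' would sort
    before '11.2'. Non-numeric input raises ValueError rather than silently
    comparing as 'patched'.
    """
    parts = version.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"not a numeric version string: {version!r}") from None


def is_patched(version: str, fixed: str = FIXED_IOS_VERSION) -> bool:
    """True if `version` is at or above the release that fixed the bug.

    Tuple comparison handles differing lengths correctly:
    (11, 2) > (11, 1, 2) and (11, 2, 1) > (11, 2).
    """
    return parse_version(version) >= parse_version(fixed)


def vulnerable_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of devices whose reported iOS version predates the fix."""
    return [d["name"] for d in inventory if not is_patched(d["os_version"])]


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"name": "iphone7-lab-01", "os_version": "11.1.2"},   # exact PoC target
    {"name": "iphone6s-lab-02", "os_version": "11.2"},    # first fixed build
    {"name": "ipod6-lab-03", "os_version": "11.0.3"},     # older 11.x build
    {"name": "iphone8-ops-04", "os_version": "11.2.1"},   # later than the fix
    {"name": "iphone7-ops-05", "os_version": "11.10"},    # hypothetical; must read as 11.10 > 11.2
]

if __name__ == "__main__":
    for name in vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{name}: exposed to CVE-2017-13861, update to iOS {FIXED_IOS_VERSION} or later")
```

The comparison is deliberately numeric rather than lexical; an inventory export that compares version strings as text would wrongly mark an "11.10" build as older than "11.2".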
"This bug is reachable from the iOS app sandbox as demonstrated by this PoC," Beer says, adding that an attacker can obtain tfp0 (task_for_pid(0), the kernel task port, which grants read and write access to kernel memory) and a kernel debugger.
The researcher says he tested the second, more intrusive PoC, the local kernel debugger, on 64-bit devices such as the iPhone 7, iPhone 6s, and iPod Touch 6G; the tfp0 part should work on all devices, and extending the debugger to other models should be straightforward.
"You just need to find the [kernel] symbols," Beer wrote in a README file included with the second PoC.
CVE-2017-13861 is not the only bug Beer reported to Apple. This month alone, the OS maker fixed five bugs in iOS 11.2 and six bugs in macOS High Sierra 10.13.2 that were all reported by Beer.
The researcher is part of Project Zero, an elite team of security researchers working for Google. The group searches for security flaws in widely used tools and applications, both those Google relies on and those used by the general public.
After finding bugs, they report every issue they discover to the affected vendors free of charge. In most cases, vendors ship fixes promptly. In the past, Project Zero researchers have focused their efforts on the antivirus industry, Microsoft, and Apple products.