iOS 10.3.2 Jailbreak exploit explained
We are yet to have confirmation that someone with the relevant skillset is actually working on adapting Ian Beer’s exploit into a workable consumer jailbreak for iOS 10.3.2, but more information about the underlying vulnerabilities is being pushed into the public domain. A new YouTube video published by Billy Ellis not only references the vulnerabilities and the triple_fetch toolkit released by Ian, but also gives additional detail on how exactly it works.
The first thing highlighted in the video is that this particular bug, or set of bugs, has already been patched in iOS 10.3.3, which Apple released relatively recently. The bugs Ian published are userland-based and only apply to iOS 10.0 through iOS 10.3.2, which means that anyone currently running iOS 10.3.3 who wants to wait for these vulnerabilities to materialize into a jailbreak needs to downgrade now. Because Apple is still signing iOS 10.3.2, that downgrade is currently possible; once Apple stops signing it, it will not be.
Apple’s security content page for iOS 10.3.3 already references the aforementioned CVE-2017-7063 and credits Ian of the Google Project Zero team. By listing it there, Apple is essentially confirming that it has been patched; the entry states that an application “may be able to execute arbitrary code with system privileges.”
Music to the ears of anyone involved in the world of jailbreaking, Ellis also shows off the Xcode project that ships as part of the triple_fetch toolkit, explaining that in its current form it is essentially useless to the average device owner and is aimed instead at security researchers who want to interrogate iOS and potentially look for additional bugs.
The video by Ellis, embedded below, also gives a fairly decent overview of running the project on an iOS device and attaching the debugger to system-level processes to interrogate what is going on in userland. The instructions for doing so are also included in the README file that ships with the project.
It must be stressed again that in its current form this offers no advantage to the average Joe and should only be used by security researchers at this stage. That said, we have it on good authority that these vulnerabilities can be used to produce a working developer jailbreak, so let’s hope that happens sooner rather than later.