A recently patched iOS vulnerability has been accidentally reintroduced in the newest update, and it is already being used for a jailbreak. After fixing the vulnerability in iOS 12.3, Apple, apparently without realizing it, reverted the fix in iOS 12.4, its latest iOS release.
Because the vulnerability is present again, hackers who noticed it over the weekend quickly built an iOS jailbreak based on the 12.4 update. Pwn20wnd, a well-known jailbreak developer, released a free, publicly available jailbreak that works on devices running the latest version of iOS or any version below iOS 12.3.
For those unfamiliar with iOS jailbreaking, it is the process by which hackers perform a privilege escalation on an Apple device that removes the software restrictions imposed by iOS. It is typically done with kernel patches so that applications not available in the official Apple App Store can be installed with root privileges. In this case, the hacker built the jailbreak by exploiting the supposedly patched vulnerability that the new update reintroduced.
Pwn20wnd has posted the assets for the public jailbreak on GitHub, with multiple updates since yesterday. At the time of writing, the latest update to the jailbreak code was posted five hours ago. While the assets are free to download, the hacker is also asking for donations through his PayPal and Patreon accounts.
“Rebooting user space using launchd’s built-in feature which can be triggered by running launchctl reboot userspace (unc0ver’s launchctl binary lacks the entitlement that is needed to perform this operation, this will be fixed soon, but in the meantime, to perform your testing, you can simply resign /bin/launchctl with these entitlements (which are the entitlements that we are supposed to have) using ldid2 (not ldid because the kernel trust cache only accepts SHA256 signatures on iOS 11 and up) (Should be installed from the Elucubratus repository, the package is called Link Identity Editor) or jtool by Jonathan Levin from http://www.newosxbook.com/tools/jtool.html and inject it back to the trust cache using the trust cache injection tool that comes as default with unc0ver v2.0.0 or up, also available in the Elucubratus repository,” the hacker wrote on GitHub.
The jailbreak the hacker created is unusual. Most jailbreak code is kept private so that Apple has a harder time fixing the problem; this is the first time in a while that a jailbreak has been released publicly. The bug was rediscovered when a user tried reusing an old jailbreak on iOS 12.4 and found that the fix had been reverted.
Jonathan Levin, a security researcher, said that the accidentally reintroduced vulnerability could also put iPhone users at risk. He said users could be exposed to a “100+ day exploit,” referring to how long the bug has been around.
Another security researcher said that the accidental bug could also be exploited by threat actors to smuggle spyware and other malicious code onto a target’s iPhone.
“Somebody could make a perfect spyware” by taking advantage of Apple’s mistake, said Ned Williamson from Google Project Zero. For example, he said, a malicious app could include an exploit for this bug that allows it to escape the usual iOS sandbox, the mechanism that prevents apps from reaching the data of other apps or the system, and steal user data. Another scenario is a hacker including the exploit in a malicious webpage and pairing it with a browser exploit, according to the researcher.
Furthermore, because the jailbreak is publicly available, applications downloadable from the App Store could also smuggle the code onto a target phone, Stefan Esser, a cybersecurity expert, explained in a Twitter post.
“I hope people are aware that with a public jailbreak being available for the latest iOS, 12.4, people must be very careful what Apps they download from the Apple AppStore. Any such app could have a copy of the jailbreak in it,” his tweet reads.
Many users have already confirmed that the jailbreak code Pwn20wnd published on GitHub works, and many devices have already been jailbroken by exploiting the accidental bug in the iOS 12.4 update.
However, Apple has yet to comment on the unpatched vulnerability, and there is no explanation of why and how the reversal of the bug fix happened. Nonetheless, Apple is likely to fix the issue soon now that the hacker has publicly released his jailbreak code.