  • Luca Todesco releases zero day exploit for iOS 9.3.3b and lower
    Luca Todesco, infamous for not releasing Jailbreak tools, has posted on Twitter a zero day exploit for iOS 9.3.3 and lower. Luca has dropped an essential part (but not nearly everything) needed for a Jailbreak because it was apparently fixed in the iOS 10 beta.

    https://ghostbin.com/paste/qw8z7 - GasGauge double free race condition 0day exploit for iOS 9.3.3b and lower
    The code released on Twitter by Luca Todesco needs a sandbox escape (it works from any uid) and gives you arbitrary alloc and free primitives. Luca Todesco also mentions that iOS 10 security is tight and has broken his exploit.

    So what is a zero day exploit anyway? Well, it's basically an exploit Apple isn't aware of, or that hasn't been made public before. AFAIK, GasGauge does not refer to a race against KPP; this is not a race against KPP.

    It's an attack against an IOKit service called GasGauge. IOKit is Apple's device driver framework in the iOS, OS X, watchOS, and tvOS kernels. What is probably happening is that GasGauge is allocating some memory to perform an operation, then releasing it.

    However, some part of GasGauge still thinks that memory is there. If Luca can force additional data to be reallocated in the same spot that GasGauge thinks has its own data he can cause GasGauge to perform an operation that he controls, such as reading and writing kernel memory.

    What makes it a race condition is that he has to set up his attack within a certain window of time ("racing" GasGauge) or it won't work. It could just fail or it could crash the device.
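    The free-then-reuse pattern described above, as an added illustration that is not part of the original article and not Luca Todesco's code: a hypothetical driver object (not the real GasGauge) frees its buffer but keeps the stale pointer, a constructed one-slot pool hands the freed slot to the next allocation, and the driver then acts on another user's data. The fixed variant clears the reference so the stale slot can no longer be reached.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed one-slot pool standing in for a kernel zone: a freed chunk is
 * handed straight back to the next same-size allocation, so reuse is
 * deterministic (real allocators make the "race" window timing-dependent). */
#define SLOT_SIZE 16
static uint8_t pool[SLOT_SIZE];
static bool slot_in_use;

static uint8_t *pool_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = true;
    memset(pool, 0, SLOT_SIZE);
    return pool;
}
static void pool_free(uint8_t *p) { if (p == pool) slot_in_use = false; }

/* Hypothetical driver object (not the real GasGauge): it owns one buffer. */
struct gauge { uint8_t *buf; };

/* Vulnerable pattern: the buffer is freed but the stale pointer is kept. */
static void gauge_finish_vulnerable(struct gauge *g) {
    pool_free(g->buf);              /* BUG: g->buf still points at the slot */
}

/* Fixed pattern: drop the reference so no later use can reach the slot. */
static void gauge_finish_fixed(struct gauge *g) {
    pool_free(g->buf);
    g->buf = NULL;
}

/* The driver later acts on a command byte from "its" buffer; -1 if none. */
static int gauge_read_cmd(const struct gauge *g) {
    return g->buf ? g->buf[0] : -1;
}

/* Driver allocates and finishes; an unrelated allocation then reuses the
 * freed slot. Returns what the driver reads afterwards (0x7f or -1). */
static int simulate(bool fixed) {
    struct gauge g = { .buf = pool_alloc() };
    g.buf[0] = 0x01;                       /* driver's legitimate command */
    if (fixed) gauge_finish_fixed(&g); else gauge_finish_vulnerable(&g);
    uint8_t *other = pool_alloc();         /* constructed second user */
    other[0] = 0x7f;                       /* its data lands in the old slot */
    int seen = gauge_read_cmd(&g);
    pool_free(other);
    return seen;
}
```

    In the vulnerable case the driver reads the second user's 0x7f instead of its own 0x01; a real kernel object would then act on that foreign data, which is the window the article calls the race.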

    You can find it at the Ghostbin link above.

    [via Luca Todesco Twitter]
    This article was originally published in the forum thread "Luca Todesco releases zero day exploit for iOS 9.3.3b and lower", started by Caiden Spencer.
    15 Comments
    1. xushi -
      Am I reading this incorrectly, or did he just perform a dumb move by giving it out to the wild as such, instead of, say, Pangu or other jailbreakers?
    2. dsg -
      Or getting a big payday from the FBI or NSA. Hopefully the Chinese will jump on it.
    3. rickybuckets -
      I'm assuming Apple won't care about iOS 9 and won't patch anything, and this speeds up jailbreak worldwide for those few that don't upgrade to 10.
    4. Simon -
      Quoting xushi:
      Am I reading this incorrectly, or did he just perform a dumb move by giving it out to the wild as such, instead of, say, Pangu or other jailbreakers?
      Releasing it publicly allows all the jailbreak teams access to it, Pangu and Taig included. If it's patched in iOS 10 there's no need to keep it private anymore. Although this does give Apple a chance to patch it in 9.3.3, maybe, when it is released publicly.
    5. xushi -
      Quoting Simon:
      Releasing it publicly allows all the jailbreak teams access to it, Pangu and Taig included. If it's patched in iOS 10 there's no need to keep it private anymore. Although this does give Apple a chance to patch it in 9.3.3, maybe, when it is released publicly.
      Exactly! Couldn't they just send it to Pangu / Taig directly? Even if Apple misses patching it in 9.3.3, they could easily release a 9.3.4 shortly afterwards just for that (and they have before).
    6. sand_man -
      So, in light of this, those of us that hold JB dear, what is the most profitable course of action?

      I would say 9.3.2 would be the firmware release with the best prospects? Other than of course, sticking to a version of iOS currently Jailbroken?
    7. novadam -
      Yeah, for the dummies like me here, does this make a 9.3.2 JB likely?

      In other words, should I ditch my JB 9.0.2 and upgrade to 9.3.2 now, before Apple patches this exploit in 9.3.3?
    8. King_O_Hill -
      I would hold tight. Typically Apple doesn't close the window on the previous firmware the instant they drop a new one. When it's dropped, Luca will surely test it and let people know if it's still good. If it is patched in 9.3.3, then you've got a quick decision to make!
    9. littlelisa63 -
      It would be fantastic if Pangu or Taig got hold of this and released a jailbreak... I would be one happy person amongst the other thousands.
    10. Albut -
      Talk in English. It sounds like a foreign language: uid, alloc, etc.
    11. vinaygoel2000 -
      Quoting novadam:
      Yeah, for the dummies like me here, does this make a 9.3.2 JB likely?

      In other words, should I ditch my JB 9.0.2 and upgrade to 9.3.2 now, before Apple patches this exploit in 9.3.3?
      No. Stay where you are.
    12. miketurbo123 -
      Quoting novadam:
      Yeah, for the dummies like me here, does this make a 9.3.2 JB likely?

      In other words, should I ditch my JB 9.0.2 and upgrade to 9.3.2 now, before Apple patches this exploit in 9.3.3?
      Just stay on iOS 9.0.2. If Apple does happen to release iOS 9.3.4, you can still download the iOS 9.3.3 IPSW before Apple stops signing it (Apple normally keeps it signed for another week).
    13. SpiderManAPV -
      Does this make a 9.3 JB more likely? Yes. Does it make it guaranteed? No.
    14. Simon -
      Quoting SpiderManAPV:
      Does this make a 9.3 JB more likely? Yes. Does it make it guaranteed? No.
      Perfect summation.
    15. miketurbo123 -
      Quoting littlelisa63:
      It would be fantastic if Pangu or Taig got hold of this and released a jailbreak... I would be one happy person amongst the other thousands.
      I wonder if either Pangu or Taig know about this. Is there a way to contact them?