New Kernel exploit for iOS 15 – iOS 15.1.1 / Latest vulnerabilities and Kernel mitigations on iOS 15.2 – iOS 15.5
New Kernel exploit for iOS 15 – iOS 15.1.1 released by John Åkerblom. He is also known as @jaakerblom on twitter. At zer0con 2022 in seoul, south korea, he demonstrated exploits as well as vulnerabilities and Kernel mitigations on iOS 15.2 – iOS 15.5 which is important for jailbreak.
Latest iOS 15 Jailbreak status
We are aware that there is a Palera1n jailbreak for iOS 15 and higher now. Also there are many iOS 15 & higher jailbreak solutions, please refer to the following pages for information.
Also, this exploit differed from the one first published by b1n4r1b01 in that it could be adapted to support the most recent versions of iOS 14 – iOS 14.8.1. CoolStar, the Odyssey Team’s lead developer, appears to be interested in using AKerblom’s recently-unveiled kernel exploit to advance the development of the original Taurine jailbreak for iOS 14. Currently it is supported only for iOS 14 – iOS 14.3 jailbreak only. So, it might upgrade up to iOS 14.8.1 jailbreak.
IOMobileFramebuffer (Kernel Driver) : CVE-2021-30883
- This was patched in iOS 15.0.2.
- Affect iPhone 8/X to iPhone 11
IOMobileFramebuffer (Kernel Driver) : CVE-2021-30983, CVE-2021-30985, CVE-2021-30991
Kernel : CVE-2021-30937
- This was patched in iOS 15.2
- Affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Kernel Mitigations on iOS 15.2 – iOS 15.5
More kernel memory randomization was finally added in iOS 15.2, significantly reducing the reliability of statically hardcoding.
Predictions of kernel memory addresses
- This means for example a hardcoded address that would always land in KHEAP_DATA_BUFFERS on 15.1.1 could now e.g land in KHEAP_KEXT instead
- Whether zones start at their beginning or end is also random (50-50), making overflows and OOB vulnerabilities trickier to exploit (Recent Kernel Mitigations on iOS 15.2- iOS 15.5)
- In iOS 15.3, mitigations for IOSurfaceClient were added
- PAC signing was added to the IOSurfaceClients in the IOSurfaceClient array
- Various back references checks also added to prevent IOSurfaceClient/IOSurface faking(Recent Kernel Mitigations on iOS 15.2- iOS 15.5)
- In iOS 15.5 beta 1, PAC signing validation was finally added for the destroy path of kmsg
- The kfree primitive covered in this talk now triggers a kernel panic
According to him, there were many more mitigations in these versions.