Qixun Zhao (@S0rryMybad), a security researcher with the Qihoo 360 Vulcan Team, discovered a way to jailbreak the latest iOS system on iPhone X using a second stage of an exploit chain.
On 23 January, Zhao told his followers about a kernel vulnerability that is reachable from within the sandbox and released a proof of concept (PoC), which he dubbed Chaos. Regarding the tfp0 exploit, he provides detailed explanations aimed at beginners, but does not reveal the exploit code.
Instead, he stated that anyone who wants to jailbreak would need to wait for the jailbreak community's release or complete the exploit code themselves. He also said he would not discuss the details of the posted exploit, since the jailbreak community is handling it and that is their responsibility.
The jailbreak is demonstrated by Zhao in a video posted to Twitter.
Following his intuition, Zhao said he believed a path that would cause a leak could be found, and this is the approach he had used before iOS 12 was even planned.
Zhao also wrote that, after seeing the code, he realized its quality is not high enough and that it lacks review. The code is reachable directly from the sandbox, which suggests the kernel developer may not be familiar with how MIG code should be generated. In his view, this observation matters more than finding the bug itself.
The belief that PAC mitigation would be the end of UAF exploitation or of jailbreaking is misguided, Zhao added: a UAF hole can still be used in a PAC environment. Getting closer to exploiting the UAF requires converting it into a type confusion, and how feasible that is also depends on the data structures of the freed object.