iOS 7.1.1 was jailbroken with techniques taught in our iOS 7 Kernel Exploitation Trainings

Background For a few years now SektionEins has been performing iOS security research on application and kernel level. Since last year we have started organizing iOS Kernel Exploitation Trainings in various locations around the globe. In these courses we teach the students everything required to know to get started with iOS kernel research and exploitation. Every time we return home after these trainings we have not only shared our knowledge with our students but usually have gained new ideas through discussions with the students. So after every training we sit down and try to improve the course by creating new examples and adjusting the course to new changes in latest iOS versions. We develop new tools, improve existing tools and try out new exploitation methods against a collection of iOS kernel vulnerabilities we possess. A by-product of these experiments are usually new jailbreaks for the latest iOS versions. Our latest jailbreak for example covers iOS 7.1.1 and is described a bit down below. Throughout the next weeks we will keep you posted about some of the new tools we are developing for iOS kernel research and exploitation that we share with our students that attend the trainings. If you want to enter the amazing world of iOS kernel exploitation check out our upcoming trainings. If not, continue reading about the iOS 7.1.1 jailbreak below.

Upcoming Trainings iOS 7 Kernel Exploitation Training at REcon, Montreal, Canada Dates: 4 Days, 23-26 June 2014 Location: Hyatt Hotel, Montreal, Canada Instructor: Stefan Esser Language: English Capacity: about 10 seats still available More Info: http://recon.cx/2014/trainingios.html

iOS 7 Kernel Exploitation Training in Frankfurt, Germany Dates: 5 Days, 21-25 July 2014 Location: Le Meridien Parkhotel, Frankfurt, Germany Instructor: Stefan Esser Language: English Capacity: about 7 seats still available More Info: https://www.sektioneins.de/en/blog/14-02-17-trainingFrankfurt.html

iOS 7 Kernel Exploitation Training at YOUR COMPANY Dates: 4 or 5 Days Location: At your company Instructor: Stefan Esser Language: Deutsch / English Capacity: depends on you More Info: Ask us for potential dates, locations and prices training@sektioneins.de



iOS 7.1.1 Jailbreak Today we have shared with the world that we developed a new jailbreak for iOS 7.1.1 by releasing a picture of a jailbroken yellow iPhone 5c at iOS 7.1.1. This jailbreak is a completely reimplemented exploit for an iOS kernel vulnerability that is completely based on an exploitation technique we discuss in our trainings. The discussion of this technique (not this specific vulnerability) was added to our course in March and makes exploitation of this specific kernel bug 99.99% stable. We mainly developed this new exploit in the last days to test the technique in the real world. You might wonder what is so special about this specific jailbreak. It is the fact that a kernel bug is used that is hidden inside some functionality that can be easily reached even from within the iOS application sandbox. This means that the exploit code can be used to break out of any application that you exploit. This is very different from nearly all of the kernel vulnerabilities used in iOS jailbreaks since iOS 4. There have been only 2 publicly disclosed vulnerabilities that had this power. The first has been used in comex's JailbreakMe3 and the other one is the posix_spawn() vulnerability disclosed by SektionEins during SyScan 2013 and later used by the jailbreak community in the p0sixpwn jailbreak. Potential initial injection vectors for such an exploit are: exploit against an internal app like MobileSafari

exploit against any vulnerable app from the AppStore

exploit from within a developer/enterprise app Considering that there is no month without some Safari/WebKit vulnerability becoming public and that many AppStore applications are linking against old and vulnerable libraries it is therefore quite easy to deliver this exploit. Especially because applications downloaded from the AppStore and put into a backup do not go away and can be re-exploited in the future. We will show this within the next few weeks. However because the exploit can also be shipped with a developer or enterprise application anyone with an enterprise certificate could easily roll out this jailbreak to all devices of the enterprise.