Developer MTJailed has released an IPA called UnjailMe. The project is described as a “sandbox escape based on the proof-of-concept (CVE-2018-4087) by Rani Idan,” a set of bugs found in bluetoothd that were reported to Apple and patched in iOS 11.2.5.
Before we actually dive right in and take a look at what this is, it’s worth discussing what this isn’t.
This project builds on research by Rani Idan of the Zimperium zLabs team, which found issues in the iOS 11 bluetoothd daemon that, in the hands of someone with the requisite knowledge, allow its communications to be intercepted. MTJailed has used Idan's initial proof-of-concept to show this in action. That said, this is not a jailbreak for iOS 11.2 through iOS 11.2.6, nor is it a large step toward one.
It can, however, be taken as a very small step toward someone with the required skills, capability, and interest assembling the components needed to produce a jailbreak for devices running iOS 11.2 through iOS 11.2.6. The bug was supposedly patched in iOS 11.2.5, but it would seem that Apple's fix, which simply added a random number generator, did not fully close it.
To demonstrate this, MTJailed has published an IPA showing how relatively simple it is to achieve a privilege escalation in which code runs outside the sandbox with system-level rights.
The developer also stipulates that the app is meant for developers and researchers who want to understand how the latest Zimperium bug can be used to reach this point. The idea appears to be both to show what is possible with Rani Idan's bluetoothd bug and to start a conversation about a potential iOS 11.2+ jailbreak “if code injection works.”
If you are interested in this project and want to try it for yourself, head over to the GitHub page.
Source: Redmond Pie