Team Pangu is finally back after quite a long hiatus from iOS and jailbreak development. Here’s what a Team Pangu member shared on Twitter.
iOS 11.2 patches IOSurface kernel extension
The iOS kernel is about to get a whole lot more secure as Apple patches a buggy kernel extension in 11.2.
Wang Tielei, a member of Team Pangu, has just disclosed that Apple has fully patched the IOSurface kernel extension. Moreover, Apple has also fixed a few similar bugs in other modules that were vulnerable to attacks.
Here’s a tweet from Wang’s official Twitter handle that confirms this.
IOSurface is one of my favorite kernel extensions. We had a talk at @SyScan360 that introduced the long bug history in IOSurface. This time Apple also fixed a few similar issues in other modules. A big loss.
— Tielei (@WangTielei) December 5, 2017
Team Pangu discovered this vulnerability sometime in 2016. They then used it extensively to develop exploits for iOS in a research environment.
According to Wang, this is a “big loss” for iOS hackers in general, and for jailbreak developers in particular.
For those who don’t know, a bug in the IOSurface kernel extension allows an exploit to be developed from within the sandbox.
The actual vulnerability lies in a method of the IOSurfaceRootUserClient class, which can trigger a use-after-free (UAF) on a port and leak critical information.
How does the IOSurface port UAF vulnerability work?
It is difficult to explain the mechanism of this vulnerability to a layman, but here’s a brief explanation of how it works:
The hacker creates a fake port and then releases it. The user-mode port still points to the port address that has just been freed.
The hacker then performs a cross-zone attack to fill in the fake port.
The port address is now readable, leading to a heap address leak.
The hacker can now obtain the base address of the kernel.
By filling in a fake task port, the hacker obtains kernel read/write access.
Affected iOS versions
This vulnerability is present in pretty much all iOS firmware versions older than iOS 11.2. Here’s a list of affected firmware versions:
iOS 10.3 - 10.3.3
iOS 10.3.x versions are vulnerable to a similar exploit. Although iOS 10.3 hardened the kernel task port, this vulnerability is still present in these versions.
iOS 11 - 11.1.2
This vulnerability is also present in all iOS 11 versions up to iOS 11.1.2. Apple implemented several measures to prevent a cross-zone attack.
However, Team Pangu still found a way to trigger it through another method, so the vulnerability still exists in all versions below iOS 11.2.