Brightiup’s CVE-2021-30955 kernel bug for iOS & iPadOS 15.0-15.1.1 has received tons of publicity lately after two prestigious security researchers, Jake James and @Peterpan980927, each went hands-on to develop proof-of-concepts (PoCs) based on the original write-up, which didn’t come with a PoC of its own.
As of Tuesday morning, another progression was made after hacker @b1n4r1b01 published what appears to be a full-blown iOS & iPadOS 15.0-15.1.1 exploit proof of concept dubbed desc_race, based on Brightiup’s kernel bug.

What makes @b1n4r1b01’s PoC different from the two other hackers’ PoCs is that this one is actually a full exploit that, according to @b1n4r1b01, grants the user kernel memory write primitives on handsets running the affected firmware versions.
@b1n4r1b01 went on to explain that all initial tests were made using an iPhone 11 running iOS 15.1, but it should play nicely with all handsets equipped with at least 4GB of RAM. It was also explained that the exploit could be optimized for other devices and that @b1n4r1b01 won’t have the time to make those optimizations, which puts the ball in someone else’s court to do exactly that.

The new exploit PoC is available on @b1n4r1b01’s GitHub page.
Jake James, the hacker who made and published a PoC on the same CVE-2021-30955 kernel bug by Brightiup just yesterday, tweeted that @b1n4r1b01’s exploit PoC “should be enough to get jailbreak developers going,” which is excellent news for anyone waiting for an iOS or iPadOS 15 jailbreak:
James also said he was working on his own exploit in the meantime.
So when should we expect an iOS & iPadOS 15 jailbreak? Now that we have an exploit for iOS & iPadOS 15.0-15.1.1, jailbreak developers can start working on one. However, it won’t happen as quickly as the iOS & iPadOS 14 jailbreaks did, because there are a lot of new security mitigations in iOS & iPadOS 15 that will need to be circumvented.
For example, iOS & iPadOS 15’s secure system volume (SSV) security mechanism makes it substantially more challenging to tap the root filesystem, which means semi-untethered jailbreaks such as unc0ver would likely need to be rootless, and therefore require an entirely different bootstrap. This shouldn’t impact the usability of most jailbreak tweaks, however.
It’s worth noting that the checkra1n team is trying a different approach, using bind mounts instead of union mounts, and that they will attempt to set up a separate volume for all things that can’t be bind-mounted. This should get around having to go rootless, but it remains to be seen if similar methods could be used for other jailbreaks. Checkra1n only supports A7-A11-equipped handsets due to the checkm8 hardware-based bootrom exploit present on those devices. Because the flaw lives in the bootrom, it can’t be patched by Apple.
Now that we have a working exploit for iOS & iPadOS 15.0-15.1.1 in the wild, it should be interesting to see what happens next. Of course, we’ll be closely watching James’ work as he says he’s working on an exploit of his own.
Are you excited for what may happen in the foreseeable future? Let us know in the comments section down below.