Ian Beer publishes PoC that could allow arbitrary code execution on iOS 14.4-14.5.1

Modern jailbreak tools like Taurine and unc0ver can currently jailbreak all iOS & iPadOS 14 devices running up to and including iOS & iPadOS 14.3. It’s been quite a while since any of these tools have picked up support for new firmware, but there’s always the very real possibility that these tools could add support for new firmware in the future.

Fortunately for those whose devices are operating on iOS or iPadOS 14.4 through 14.5.1, there just might be some hope. Renowned security researcher Ian Beer of Google Project Zero has just released documentation of what appears to be a kernel-level proof of concept (PoC) impacting up to and including iOS & iPadOS 14.5.1.

According to the notes on Apple’s website, the bug (CVE-2021-30736) is now patched in iOS & iPadOS 14.6 and later, however it continues to impact all modern iPhones and iPads currently running iOS or iPadOS 14.4 through 14.5.1 and could potentially allow an application to run arbitrary code with kernel privileges.

Ian Beer has publicly released kernel bugs and exploits in the past, and many of those went on to become integral components of some of the most-used jailbreak tools in recent memory. Assuming that the latest bug PoC can be finagled into a full-blown exploit by the talented hackers in the jailbreak community, semi-untethered jailbreak tools such as Taurine and unc0ver could potentially add support for new versions of iOS & iPadOS. Whether or not this will happen, however, remains to be seen at this time, as it would require more work. And interestingly enough, taking advantage of this PoC may also be more effort than it’s worth, as it appears to reference the need for an Ethernet adapter, among other things.

Just under two months ago, following the public release of iOS & iPadOS 14.6, arbitrary code execution was achieved on iOS & iPadOS 14.5.1 and below by way of a unique certificate-driven security vulnerability by @xerub. A writeup on that particular vulnerability is still in the pipeline with an unknown ETA, however Ian Beer’s new writeup is already available.

Since iOS & iPadOS 14.4 through 14.5.1 are no longer signed by Apple, it would be impossible for most iPhone and iPad users to downgrade from the newer iOS & iPadOS 14.6 firmware without saved shsh2 blobs at the time of their signing. This is one reasons why we repeatedly recommend that both jailbreakers and potential jailbreakers-to-be stay on the lowest possible firmware and avoid software updates, as these older versions are the ones most likely to be pwned.

While there’s no guarantee that Beer’s latest security research will go on to aid jailbreak teams in updating existing or releasing new jailbreak tools, it is indeed interesting to see public write-ups and learn from the mechanisms that they use to hack iOS and iPadOS. If nothing else, these PoCs can help aspiring security researchers learn and hone their skills, and this is good for the entire jailbreak community since it effectively depends on software exploits to thrive.

Are you hopeful that jailbreak teams will be able to use Ian Beer’s latest writeup to incorporate support for new devices and firmware combinations? Be sure to let us know in the comments section down below.