With the release of iOS 17, we’ve seen a deluge of new vulnerabilities being patched. Some of them were kernel bugs, others were WebKit bugs, but in iOS 17 Apple patched something even scarier than mere kernel exploits.
iOS 17 hastily patched a full spyware exploit chain that was found in the wild. The chain contained a WebKit exploit that served as the entry point, a CodeSign / CoreTrust vulnerability that allows unsigned iOS binaries to run, and an RCE (Remote Code Execution) vulnerability used to get kernel privileges.
As scary as this might sound, the WebKit vulnerability, as well as the rest of the chain’s components, can be used for peaceful purposes too: a jailbreak.
Apple can’t be serious right now…
After patching CVE-2023-41993 (the WebKit vulnerability) in iOS 17.0, Apple released iOS 17.0.1, iOS 17.0.2 and even iOS 17.0.3. All good.
Except that in the iOS 17.1 beta Apple reintroduced the bug, so iOS 17.0 and the iOS 17.1 beta both work just fine with this WebKit vulnerability. Cheers, Apple!
iOS 17 Safari / WebKit Vulnerability RELEASED
A couple of days ago, developer @po6ix released a proof of concept for CVE-2023-41993, the WebKit vulnerability, on their GitHub account.
The released code provides the basic techniques to trigger the WebKit vulnerability. Once exploited, it gives full control of the WebContent process. That could then be chained with other exploits, such as a kernel exploit, a PPL bypass, etc., to build a jailbreak that can be triggered directly from Safari.
Known unaffected iOS versions:
- iOS 16.1.1, 16.2, 16.5, 16.5.1, 16.6 beta 1, 16.6.1, 16.7.1, 17.1 RC
- iPadOS 17 beta 1
Known affected iOS versions:
- iOS 17.1 Beta
- iOS 17.0
- iOS 16.1 (?)
What are the advantages of a Safari-based jailbreak?
Compared to a traditional IPA-based jailbreak, a Safari-based jailbreak has numerous advantages, especially when it comes to convenience. The main ones are:
- No 7-day re-signing. The jailbreak never expires because there is no IPA / app that has to be re-signed with AltStore.
- Convenience. The jailbreak can be triggered by just visiting a website in Safari and pressing a button on the page.
- Live updates. Since there’s no IPA to keep updating, any change made to the webpage that triggers the jailbreak takes effect automatically for all users the next time they re-jailbreak; the user doesn’t need to do anything else.
I guess we’ll see if somebody eventually uses this in a jailbreak, but the WebKit vulnerability is rather promising.