
Race you to the kernel - ingve
https://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html
======
0x0
When I try to zoom in to read the rather small image illustrations on iOS
MobileSafari, it just takes me to a different blog post. Going back again
leaves a huge animgif running at the side of the page :( Please don't override
scroll and zoom gestures :(

~~~
ikeboy
[https://archive.is/WRDSx](https://archive.is/WRDSx)

------
dietrichepp
I always find these exploits interesting, since they show how Unix primitives
are implemented in terms of Mach.

------
TorKlingberg
Could this be used to jailbreak iOS <9.3?

~~~
HappyTypist
No, due to full userspace codesigning.

~~~
ikeboy
Then what _can_ it do on iOS <9.3?

You can load any code you want by signing it yourself, so if this lets you
escalate from there it should work for a jailbreak, although a more complex
one than usual. IIRC some jailbreak releases used developer certificates to
get the first code running.

~~~
ikeboy
From reddit:

>it doesn't yield kernel code execution (except on OS X where you can just
load kexts with the right entitlement), and it requires execve (which you
cannot call under the container sandbox profile on iOS).

[https://www.reddit.com/r/jailbreak/comments/4bm9ka/news_project_zero_race_you_to_the_kernel/d1ahphr](https://www.reddit.com/r/jailbreak/comments/4bm9ka/news_project_zero_race_you_to_the_kernel/d1ahphr)

