Another week, another intriguing write-up by the young and talented hobbyist security researcher @alfiecg_dev, who just this weekend published a blog post about a new deterministic kernel exploit called Trigon that is based on CVE-2023-32434, the same bug that the Kernel File Descriptor (KFD) exploit utilized with puaf_smith and was patched in iOS & iPadOS 16.5.1.

Important to note right off the bat is that Trigon doesn’t support any newer firmware than KFD did already, and that’s because it’s based on the same CVE-2023-32434 – so before you ask the age-old ‘wen ETA jelbrek’ question, just hold your horses. The Trigon exploit won’t result in a jailbreak on the latest devices and firmware. Instead, it can be thought of as an exploit to refine existing tools for older handsets.
What makes Trigon so special, on the other hand, is the fact that it’s a deterministic kernel exploit. Unlike physical use-after-free (puaf)-based kernel exploits, which can be particularly unstable either during or after the exploitation process, deterministic kernel exploits cannot fail during the exploitation process and are substantially more stable after the fact.
Remember how add-ons installed via the MacDirtyCow and Kernel File Descriptor exploits through package manager apps like Misaka would frequently result in random system crashes and instability? Well, this is exactly the reason why. It wasn’t Misaka’s fault, or the add-on, but rather the exploit’s stability.
With the help of other security researchers in the community, including @staturnzz, @TheRealClarity, and @kok3shidoll, Alfie found an entirely new way to exploit CVE-2023-32434, and the result is the first public exploit of this kind for the bug, and a very stable one.
As for what devices are supported, this is where things get a little bit tricky. Alfie’s goal was a non-failing, totally reliable exploit, and this isn’t the case on every single device type and firmware combination, so there are some limitations for the exploit to make it fit within its intended scope. After all, if it’s not going to be 100% reliable, then why not just use the already available puaf_smith method?
A12 and newer devices (arm64e) aren’t supported by Trigon for various reasons discussed in Alfie’s post, which we’ll refer you to if you want more information. On the other hand, the Kaspersky team should be publishing an in-depth analysis in the future of how they exploited CVE-2023-32434 on arm64e devices, which may change the tide on Trigon’s support. These devices can also already use puaf_smith.
Trigon supports iOS 11 and earlier on non-KTRR devices such as A7-A9(X) without a hitch, but support for iOS 12 on these devices requires the additional step of initializing tfp0 (a kernel task port). This means the exploit wouldn’t be deterministic on the first go-around, but it would be on the second. Newer firmware on these devices wouldn’t be deterministic, so users can fall back on checkm8 exploit-based tools.
A10(X) devices are supported on iOS 12 and earlier. By using a trick found by security researcher Brandon Azad (reading special hardware registers), Alfie could make Trigon deterministic on these devices even on iOS 12. For newer firmware, checkm8-based tools have users covered.
A11 devices, such as the iPhone X, aren’t supported by the Trigon exploit whatsoever due to a kernel panic, which isn’t an issue because these devices can be jailbroken already with checkm8 exploit-based tools.
Alfie says that the Trigon exploit was a fun and interesting project that came from “many failed attempts at different strategies during the development,” and while it appears limited in its scope as of right now, it’s a powerful primitive. When the Kaspersky team releases its in-depth analysis of CVE-2023-32434, there’s a possibility that Trigon could be adapted to work on newer devices as well, potentially with its deterministic qualities.
If you want to read more about Alfie CG’s new Trigon exploit, then we would recommend taking a look at their write-up to see more about what’s happening behind the scenes.
Are you excited to see what becomes of Alfie’s new Trigon exploit? Let us know in the comments section down below.