iOS 15.0 Nehelper Wifi Info Entitlement Check Bypass

Zero-day exploit for Nehelper Wifi Info on iOS 15.0. The XPC endpoint accepts a user-supplied parameter, sdk-version, and if its value is less than or equal to 524288, the entitlement check is skipped. This makes it possible for any qualifying application (e.g. one possessing location access authorization) to gain access to Wifi information without the required entitlement. The flawed check is in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.

MD5 | 8e0fa4b843bff3eb37d125be61cefb65
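
The logic flaw described above, modelled in C next to a hardened form. This is an added example, not code from nehelper or from the exploit; the struct and function names are hypothetical, and only the sdk-version parameter and the 524288 threshold come from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>

/* Threshold quoted in the advisory: sdk-version <= this skips the check. */
#define LEGACY_SDK_MAX 524288u

/* Facts the service establishes itself about the connecting peer
   (hypothetical model: derived from the connection, never the message). */
struct peer_identity {
    bool has_wifi_entitlement;  /* present in the peer's code signature */
    bool location_authorized;   /* user-granted location access */
};

/* Fields the caller controls: everything inside the request message. */
struct request {
    bool     has_sdk_version;
    uint64_t sdk_version;       /* the "sdk-version" parameter */
};

/* Pattern described in the advisory: a message field selects the legacy
   path, so the caller decides whether the entitlement is enforced. */
bool check_entitled_flawed(const struct peer_identity *p,
                           const struct request *r)
{
    if (!p->location_authorized)
        return false;
    if (r->has_sdk_version && r->sdk_version <= LEGACY_SDK_MAX)
        return true;            /* entitlement check skipped */
    return p->has_wifi_entitlement;
}

/* Hardened form: the decision uses only service-derived facts.
   The request is accepted as an argument but never consulted. */
bool check_entitled_hardened(const struct peer_identity *p,
                             const struct request *r)
{
    (void)r;
    return p->location_authorized && p->has_wifi_entitlement;
}
```

If older clients must keep working without the entitlement, the version used for that decision has to be one the service reads from the peer's binary itself, not one the peer reports.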
