Min(Spark) Zheng

277 posts

Min(Spark) Zheng

@SparkZheng

Android/iOS Senior Security Engineer @ Alibaba, CUHK PhD, a member of Blue-lotus and Insight-labs, worked in FireEye , Baidu and Tencent.

Katılım Aralık 2013

84 Takip Edilen23.4K Takipçiler

Sabitlenmiş Tweet

Min(Spark) Zheng@SparkZheng·9 Ağu

The slides of our BlackHat USA 2019 talk: i.blackhat.com/USA-19/Thursda… Thank you~

English

110

Min(Spark) Zheng retweetledi

checkra1n@checkra1n·1 Oca

We planned to open source checkra1n in 2020, but unfortunately we're not quite ready for a full release yet. HOWEVER: We just open sourced the entirety of PongoOS, including our kernel patchfinder and SEP exploit! All available at: github.com/checkra1n/pong…

English

282

332

1.8K

Min(Spark) Zheng retweetledi

Objective-See Foundation@objective_see·17 Şub

An @objective_see tool, flagged what may be the first instance of malicious code that natively targets Apple Silicon (M1)! 🍎🐛 Read: "Arm'd & Dangerous" objective-see.com/blog/blog_0x62…

English

Min(Spark) Zheng retweetledi

[email protected]@CodeColorist·20 Oca

See No Eval: Runtime Dynamic Code Execution in Objective-C blog.chichou.me/2021/01/16/see… It reveals more detail that I didn't have time to cover in my previous talk slides

English

135

Min(Spark) Zheng retweetledi

Corellium@CorelliumHQ·26 Oca

It's been a long time coming: we’re very excited to announce that virtual iOS-based devices are now available for individual accounts on our groundbreaking security research platform. corellium.com/blog/ios-for-i…

English

214

869

Min(Spark) Zheng@SparkZheng·4 Ara

You can use frida or lldb to hook or debug iOS apps on MacBook with M1 chip. hits: disable SIP and resign apps.

English

332

Min(Spark) Zheng@SparkZheng·2 Ara

COOL!

Ian Beer@i41nbeer

Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey. googleprojectzero.blogspot.com/2020/12/an-ios…

English

Min(Spark) Zheng retweetledi

simo@_simo36·11 Kas

Here is a PoC kernel exploit, it demonstrates how to get kernel task port on iOS 13.7. I will update the PoC with a writeup later. github.com/0x36/oob_events

English

115

459

Min(Spark) Zheng retweetledi

Tielei@WangTielei·14 Kas

Cann’t believe that I also missed the bug. Motived by this blog, I also prepared a blog, sharing another bug in the same extension. blog.pangu.io/?p=221

Ben Hawkes@benhawkes

Our good friend @_bazad has a few things left over in the Project Zero publishing pipeline -- "it's really easy to miss bugs, even ones that you feel should have been obvious".

English

142

Min(Spark) Zheng@SparkZheng·17 Eyl

Cool! iOS 14 GM pwned by @WangTielei from @PanguTeam yesterday.👍

English

124

587

Min(Spark) Zheng@SparkZheng·31 Ağu

zone_require() mitigation (address verification for Mach port objects) was changed on iOS 13.6, looking forward to seeing a new bypass~

CoolStar@CStar_OW

Who needs a write-up when you can see the source code? tardy0n for iOS 13.0 - 13.5, co-developed by @tihmstar and me: github.com/TheOdysseyJB/O…

English

Min(Spark) Zheng retweetledi

Objective-See Foundation@objective_see·30 Tem

📝 new (guest) blog post: "CVE-2020–9934: Bypassing TCC ...for unauthorized access to sensitive user data" 🔗 objective-see.com/blog/blog_0x4C… ✍️ by: Matt Shockley (@mattshockl) "...and then directly modify the TCC database to give myself every TCC entitlement" ...no code required 🤩

English

Min(Spark) Zheng retweetledi

Brandon Azad@_bazad·30 Tem

One Byte to Rule Them All: An iOS 13 exploit technique that turns a one-byte kernel heap overflow into an arbitrary physical address mapping primitive, all while avoiding the kernel task port and sidestepping mitigations like PAC, KASLR, and zone_require. googleprojectzero.blogspot.com/2020/07/one-by…

English

252

712

Min(Spark) Zheng@SparkZheng·24 Tem

Mosec 2020, iOS 14 JailBreak DEMO by Pangu

Indonesia

316

1.5K

Min(Spark) Zheng@SparkZheng·23 Tem

@cxm95 I am writing an email to ask them about this issue.

English

Min(Spark) Zheng@SparkZheng·12 Haz

Nice summary

Brandon Azad@_bazad

I've compiled a summary of every original public iOS kernel exploit from app context since iOS 10, describing the high-level exploit flow to get stable kernel read/write. The trends of how these exploits have evolved over time are quite interesting: googleprojectzero.blogspot.com/2020/06/a-surv…

English

Min(Spark) Zheng retweetledi

Brandon Azad@_bazad·9 Haz

KTRW now has proper support for kernel debugging iOS 13. It uses checkra1n to insert an XNU kernel extension into the kernelcache before boot.

English

400

Min(Spark) Zheng@SparkZheng·29 May

The exp uses IOGraphicsAccelerator2 and IOSurfaceRoot to do heap fengshui in kalloc.16, but the bug is in XNU.

Min(Spark) Zheng@SparkZheng

Cool and good job! I am more interested in what 0day vulnerabilities are used, but the entire payload has been obfuscated and it will take some time to analyze. 😅

English

Min(Spark) Zheng@SparkZheng·29 May

make old bug great again...

Synacktiv@Synacktiv

Return of the iOS sandbox escape: lightspeed's back in the race!! The XNU bug @JohnCool__ described last year was reintroduced and is still exploitable in the last version of iOS, as shown by @unc0verTeam: synacktiv.com/posts/exploit/…

English

Min(Spark) Zheng@SparkZheng·25 May

Cool and good job! I am more interested in what 0day vulnerabilities are used, but the entire payload has been obfuscated and it will take some time to analyze. 😅

@Pwn20wnd@Pwn20wnd

#unc0ver v5.0.1 is now out - unc0ver.dev.

English

Min(Spark) Zheng retweetledi

unc0ver Team@unc0verTeam·21 May

We are going to release #unc0ver 5.0.0 with support for every signed iOS version on every device using a 0day kernel vulnerability from @Pwn20wnd in sponsorship with phonerebel.com very soon. Update your devices to 13.5 and follow our progress on unc0ver.dev.

English

1.1K

7.2K

Keşfet

@objective_see @WangTielei @PanguTeam @mattshockl @cxm95 @Pwn20wnd @elonmusk @BarackObama