simo

36 posts

@_simo36

Joined December 2013
126 Following, 7.1K Followers
simo @_simo36:
@vtky_ Nothing special about my approach; I don't fuzz, all my findings come from manual source code/binary review with the help of a tracing framework for fast code evaluation.
Vincent @vtky_:
@_simo36 Would love to understand your approach. Did you go the source code/static analysis route or fuzzing or a mixture of both?
simo @_simo36:
I've audited the Android kernel in late 2023, and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context. github.com/0x36/Pixel_GPU…
simo @_simo36:
I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don't require you to open a UserClient: 0x36.github.io/CVE-2022-32898/
simo @_simo36:
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double fetch issue that resulted in an interesting OOB write. 0x36.github.io/CVE-2022-32932/
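The double fetch pattern named in the post above, as an added example that is not part of the tweet or of the CVE-2022-32932 writeup: a constructed, single-threaded simulation of a kernel handler that reads a length field twice from memory shared with user space, beside a hardened handler that fetches it once into kernel-owned storage. The shared page layout, the `fetch_len` helper, the 64-byte buffer and the guard bytes are assumptions made for illustration; the attacker winning the race window between the two fetches is modelled deterministically instead of with real threads.

```c
/* Added example: simulated kernel double fetch leading to an OOB write.
 * Not code from the ANE driver or from the CVE writeup; all names and sizes
 * below are assumptions chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE  64   /* assumed size of the kernel-side destination buffer */
#define GUARD_SIZE 32   /* bytes placed right after it to detect an overflow */

/* Request header in memory the kernel shares with user space (e.g. a mapped
 * page). In a real system the attacker can rewrite it at any moment. */
struct shared_req {
    uint32_t len;
    uint8_t  data[256];
};

/* Simulated attacker: the first read of `len` returns the value that passes
 * the bounds check, every later read returns the oversized value. This models
 * an attacker that wins the window between the kernel's two fetches. */
struct sim_page {
    struct shared_req req;
    uint32_t flipped_len;   /* value written by the attacker after the check */
    int reads;
};

static uint32_t fetch_len(struct sim_page *p) {
    p->reads++;
    return (p->reads == 1) ? p->req.len : p->flipped_len;
}

/* A "kernel object": a fixed buffer immediately followed by guard bytes.
 * Both live in one array so the simulated overflow stays inside a single
 * object and remains well-defined C. */
struct kobj {
    uint8_t raw[KBUF_SIZE + GUARD_SIZE];
};

static void kobj_init(struct kobj *o) {
    memset(o->raw, 0, sizeof o->raw);
    memset(o->raw + KBUF_SIZE, 0xAA, GUARD_SIZE);
}

static int kobj_guard_intact(const struct kobj *o) {
    for (int i = 0; i < GUARD_SIZE; i++)
        if (o->raw[KBUF_SIZE + i] != 0xAA)
            return 0;
    return 1;
}

/* Vulnerable: validates one fetch of `len`, then re-reads it for the copy. */
static int vulnerable_handler(struct sim_page *p, struct kobj *o) {
    if (fetch_len(p) > KBUF_SIZE)       /* fetch #1: bounds check */
        return -1;
    uint32_t n = fetch_len(p);          /* fetch #2: use (the bug) */
    if (n > sizeof o->raw)              /* simulation-only clamp so the write
                                           never leaves this object */
        n = sizeof o->raw;
    memcpy(o->raw, p->req.data, n);     /* overruns KBUF_SIZE when raced */
    return (int)n;
}

/* Hardened: a single fetch into a kernel-owned local; only that copy is
 * validated and used, so later changes to the shared page are irrelevant. */
static int hardened_handler(struct sim_page *p, struct kobj *o) {
    uint32_t n = fetch_len(p);
    if (n > KBUF_SIZE)
        return -1;
    memcpy(o->raw, p->req.data, n);
    return (int)n;
}

/* Runs one request through `handler` with the attacker flipping `len` from 16
 * (passes the check) to KBUF_SIZE + GUARD_SIZE between fetches.
 * Returns 1 if the guard bytes after the buffer were corrupted, else 0;
 * the handler's own return value is stored in *ret_out when non-NULL. */
static int run_case(int (*handler)(struct sim_page *, struct kobj *), int *ret_out) {
    struct sim_page page;
    memset(&page, 0, sizeof page);
    page.req.len = 16;                              /* constructed input */
    page.flipped_len = KBUF_SIZE + GUARD_SIZE;      /* attacker's second value */
    memset(page.req.data, 0x41, sizeof page.req.data);

    struct kobj o;
    kobj_init(&o);
    int r = handler(&page, &o);
    if (ret_out)
        *ret_out = r;
    return !kobj_guard_intact(&o);
}

int main(void) {
    int r;
    printf("vulnerable: guard corrupted=%d (copied %d bytes)\n",
           run_case(vulnerable_handler, &r), r);
    printf("hardened:   guard corrupted=%d (copied %d bytes)\n",
           run_case(hardened_handler, &r), r);
    return 0;
}
```

The fix is the same one a reviewer would ask for in any driver: copy the user-controlled header once into kernel memory (a `copyin`-style read), validate that copy, and never touch the shared mapping again for values that drive sizes or indices.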
simo @_simo36:
+16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high impact vulns after the conference.
simo @_simo36:
My favorite IDA 8.0 feature so far: artificial Obj-C method imports
simo @_simo36:
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT,...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (now uses kernel_memory_allocate() with KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user controlled data. RIP
simo @_simo36:
And if you lean more toward IDA, you can also import the C header from Ghidra and parse it there :-)
simo @_simo36:
I've updated ghidra_kernelcache! Now it's compatible with Ghidra 10.1+, macOS KEXT/Kernelcache support, PAC Xrefs, better class definition with custom class construction feature, dwarf4 and more ... check it out. github.com/0x36/ghidra_ke…
asdfg @ahsucnneh:
Hi @Externalist, I just watched your OffensiveCon 2020 talk, and it was really good! I have one question: what kind of software do you use when auditing code? I have been using vscode but I'm curious if there are better tools out there. Thanks!
simo @_simo36:
I've updated oob_events exploit and it should work fine on A12+ devices (with a 60% success rate) and ~95% on devices with lower RAM size, i.e. A10. Tested on iPhone 11 and iPhone 7.
simo @_simo36:
The exploit on arm64e is not quite reliable, unlike iPhone 9,3 (which works 9/10 times); expect a lot of kernel panics. It needs some work, and it's hard to make such an exploit generic and working across all devices.
simo @_simo36:
Here is a PoC kernel exploit; it demonstrates how to get the kernel task port on iOS 13.7. I will update the PoC with a writeup later. github.com/0x36/oob_events
simo @_simo36:
I don't recommend using it on your personal device or using it for a jailbreak. It may leave your device in an unstable state. You've been warned.
simo @_simo36:
I've checked iOS 14.1, shipped with IOGPU Family (the successor of IOAcceleratorFamily), and didn't find a matching pattern to trigger the bug, so it works only on iOS 13.x and all devices using IOAcceleratorFamily, i.e. macOS.