@i41nbeer
The trigger is here: bugs.chromium.org/p/project-zero… If you're into iOS exploit dev take a go at it and blog about it! I'll publish what I have soon, hopefully this week.
Ian Beer
@i41nbeer
5 Jul 2018
iOS 11.4 patched kernel memory corruption bugs I reported in two distinct areas: mptcp and vfs. My exploit for the mptcp bug is here: bugs.chromium.org/p/project-zero… Please read the README. It requires an Apple developer cert.
Ian Beer
@i41nbeer
5 Jul 2018
That is the same bug as already publicly documented from the patch by @elvanderb and exploited by @jaakerblom, see John's repo here: github.com/potmdehex/mult…
Ian Beer
@i41nbeer
5 Jul 2018
The vfs bug doesn't require an Apple developer cert but is considerably harder to exploit. You get to write 8 NULL bytes off the end of a kalloc.16 buffer. It's sufficiently hard to exploit that it's worth trying just to demonstrate that such issues are reliably exploitable...
Ian Beer
@i41nbeer
5 Jul 2018
See e.g. The Poisoned NUL Byte, 2014 by @scarybeasts googleprojectzero.blogspot.com/2014/08/the-po… But it takes time. The mptcp exploit is mostly recycled bits of earlier exploits. The getvolattrlist bug needs some new techniques.
Ian Beer
@i41nbeer
5 Jul 2018
Finally: always keep your personal iOS devices up to date and only use these tools on devices which don't have any personal information and are only used for research.
Ian Beer
@i41nbeer
5 Jul 2018
(footnote: for the vfs bug technically you can control a handful of bits in the 8 overflow bytes, the overflow value is actually two 4 byte flag fields. This may or may not help.)
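A constructed illustration of the primitive the two tweets above describe: an 8-byte, mostly-zero write past the end of a 16-byte element, where the 8 bytes are two 4-byte flag fields. This is added example code, not anything from the Project Zero report, from John's repo or from XNU; the zone layout, the victim object, the flag values and the little-endian LP64 target are all assumptions made for the demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a zone of 16-byte elements laid out back to back
 * (the layout a kalloc.16-style allocator gives you). This is not XNU code
 * and not the getvolattrlist bug: it only models the primitive described,
 * an 8-byte write just past the end of one element. */
#define ELEM_SIZE 16
#define ELEMS 4

/* Hypothetical victim object occupying the element right after the
 * overflowed buffer: a pointer followed by a length, 16 bytes on LP64. */
struct victim {
    uint64_t ptr;   /* first 8 bytes: exactly what the overflow lands on */
    uint64_t len;   /* second 8 bytes: out of reach of an 8-byte overflow */
};

/* The overflowing write: 16 in-bounds bytes, then two 4-byte flag fields
 * copied past the end. With both flags zero this is the "8 NULL bytes". */
static void overflowing_write(uint8_t *buf, uint32_t flags_lo, uint32_t flags_hi)
{
    memset(buf, 'A', ELEM_SIZE);
    memcpy(buf + ELEM_SIZE, &flags_lo, sizeof flags_lo);      /* bytes 16..19 */
    memcpy(buf + ELEM_SIZE + 4, &flags_hi, sizeof flags_hi);  /* bytes 20..23 */
}

/* Place a victim after the buffer, perform the overflow and report what
 * the victim looks like afterwards. Returns the clobbered pointer field;
 * the length field is written to *len_out. Assumes little-endian layout,
 * so flags_lo becomes the low 32 bits of ptr and flags_hi the high 32. */
uint64_t demo_clobber(uint32_t flags_lo, uint32_t flags_hi, uint64_t *len_out)
{
    uint8_t zone[ELEM_SIZE * ELEMS];
    struct victim v = { .ptr = 0xffffffe000123450ull, .len = 6 };  /* made-up pre-overflow values */

    memset(zone, 0, sizeof zone);
    memcpy(zone + ELEM_SIZE, &v, sizeof v);        /* element 1 holds the victim */

    overflowing_write(zone, flags_lo, flags_hi);   /* element 0 is the overflowed buffer */

    memcpy(&v, zone + ELEM_SIZE, sizeof v);        /* read back what survived */
    *len_out = v.len;
    return v.ptr;
}

int main(void)
{
    uint64_t len;
    uint64_t p = demo_clobber(0, 0, &len);
    printf("ptr after 8 NULL bytes: 0x%016llx, len: %llu\n",
           (unsigned long long)p, (unsigned long long)len);
    p = demo_clobber(0x1, 0, &len);
    printf("ptr with one low flag bit set: 0x%016llx\n", (unsigned long long)p);
    return 0;
}
```

The model shows the shape of the primitive rather than any exploit: the overflow reaches exactly the first 8 bytes of the neighbouring element, so with zero flags the neighbour's pointer becomes NULL while its length is untouched, and the handful of controllable flag bits can only nudge individual bits of that pointer. Whether that is useful depends entirely on which object you can arrange to sit in the next kalloc.16 slot, which is the part that needs the new techniques the thread refers to.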
Javier🇺🇸🇲🇽
@Javier___Torres
5 Jul 2018
Thank you @i41nbeer you sir are a freaking LEGEND YOU NEVER LET US DOWN pic.twitter.com/uS8zYnyH2Q
Vanilla Bean
@Vani11a_Bean
5 Jul 2018
😂😂😂😂
zerak
@zerak1234567
5 Jul 2018
Cydia 11.3.1, when does it come out?
Javier🇺🇸🇲🇽
@Javier___Torres
5 Jul 2018
Please don't start, when it's ready it's ready.
derrek
@derrekr6
6 Jul 2018
dup'd... but good job!
Luiz Henrique
@margosinho
5 Jul 2018
Ahahahahahahahahhahahahahha pic.twitter.com/5DOpthh0wG
Nathan Teig
@TeigNathan
5 Jul 2018