Ian Beer
@i41nbeer
5 Jul 2018

iOS 11.4 patched kernel memory corruption bugs I reported in two distinct areas: mptcp and vfs. My exploit for the mptcp bug is here: bugs.chromium.org/p/project-zero… Please read the README. It requires an Apple developer cert.

Ian Beer
@i41nbeer
5 Jul 2018

That is the same bug as already publicly documented from the patch by @elvanderb and exploited by @jaakerblom, see John's repo here: github.com/potmdehex/mult…

Ian Beer
@i41nbeer
5 Jul 2018

The vfs bug doesn't require an Apple developer cert but is considerably harder to exploit. You get to write 8 NULL bytes off the end of a kalloc.16 buffer. It's sufficiently hard to exploit that it's worth trying just to demonstrate that such issues are reliably exploitable...

Ian Beer
@i41nbeer
5 Jul 2018

see e.g. The Poisoned NUL Byte, 2014 by @scarybeasts googleprojectzero.blogspot.com/2014/08/the-po…. But it takes time. The mptcp exploit is mostly recycled bits of earlier exploits. The getvolattrlist bug needs some new techniques.

Ian Beer
@i41nbeer
5 Jul 2018

The trigger is here: bugs.chromium.org/p/project-zero… If you're into iOS exploit dev, take a go at it and blog about it! I'll publish what I have soon, hopefully this week.

Ian Beer
@i41nbeer
5 Jul 2018

(footnote: for the vfs bug technically you can control a handful of bits in the 8 overflow bytes; the overflow value is actually two 4-byte flag fields. This may or may not help.)

Gokhan
@g_yaka42
5 Jul 2018

Do you give or plan to give training/courses for iOS research or this kind of thing? Would love to participate if you do.

小王
@niubniubniub
7 Jul 2018

hhh

Gabriel T. Iannolsen
@KissMyTranceTv
8 Jul 2018

Would be nice to find some exploits on iOS 12

boaz_vh
@boaz_vh
5 Jul 2018

Or....you know...for jailbreak purposes :D

Liam Holland
@LiamHol68148155
5 Jul 2018

THIS IS SUCH GREAT NEWS! I've been really stressed out because of exams, and this news just made me happy. Thank you!

Liam Holland
@LiamHol68148155
5 Jul 2018

Nvm. I spoke too soon.