I audited the Android kernel in late 2023 and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context.
16+ kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
My #POC2022 slides + the iOS kernel r/w exploit can be found here :)
Thanks @POC_Crew for a fantastic conference; truly honored to have been part of it.
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT,...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (it now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; it is a double-fetch issue that resulted in an interesting OOB write.
Apple fixed two nasty sandbox escape bugs I reported in iOS, CVE-2019-8549 & CVE-2019-8552. A full exploit of CVE-2019-8549 will be released soon in coordination with @SecuriTeam_SSD
I've updated the oob_events exploit and it should work fine on A12+ devices (with a 60% success rate) and ~95% on devices with a lower RAM size, i.e. A10.
Tested on iPhone 11 and iPhone 7.
I've updated ghidra_kernelcache! Now it's compatible with Ghidra 10.1+, with macOS KEXT/kernelcache support, PAC xrefs, better class definitions with a custom class construction feature, DWARF4 and more... check it out.
The exploit on arm64e is not quite reliable, unlike on iPhone9,3 (where it works 9/10 times); expect a lot of kernel panics. It needs some work, and it's hard to make such an exploit generic and working across all devices.
If you want to debug the exploit, just uncomment MEMDBG/MEMDUMP; if you want to debug the ROP chains, enable LOCAL_EXP; and if someone wants to port it to another device or chain it with a kernel bug to get tfp0, I'll be glad to help.
I've checked iOS 14.1, which ships with IOGPUFamily (the successor of IOAcceleratorFamily), and didn't find a matching pattern to trigger the bug, so it works only on iOS 13.x and on all devices using IOAcceleratorFamily, i.e. macOS.
@vtky_ Nothing special about my approach; I don't fuzz. All my findings come from manual source code/binary review with the help of a tracing framework for fast code evaluation.
@0x6d696368 @ArrrCaptain You have to work with pcode; this script might help: . See the fix_metacast() function.
Note that you need to compile Ghidra 9.2_dev to use it.