John Åkerblom

@jaakerblom

RE and language enthusiast

Joined November 2014

Tweets


  1. Jul 8

    How to root/sandbox escape iOS12: proc 11.4->12 0x100->0xf8 0x10->0x60 0x268->0x250 0xa8->0xa0 0x2c0->0x2a8 0x30->0x28

  2. Retweeted
    Jun 17

    Safari exploit for iPhone 8, iOS 11.3.1 NOT USEFUL FOR USERS. Stage 2 is not open source so people can't abuse it easily. Won't have time to work on this more, but as a developer lmk if you want to turn this into something cool and I can share sources.

  3. Jun 6

    (2/2) This is good to know as there is another overflow in mptcp_subflow_add() which has its own new check in the kernel. This one can be reached through connectx with entitlement check, but there is another path where it's not as clear if the entitlement is actually needed

  4. Retweeted
    Jun 5

    iOS 11.4 patched kernel memory corruption bugs I reported in two distinct areas: mptcp and vfs. My exploit for the mptcp bug is here: Please read the README. It requires an Apple developer cert.

  5. Jun 4

    Regarding multipath bugs: 3rd overflow looks reachable without entitlement. It also has a separate fix in the kernel code from the first two, which should warrant a CVE. So my current guess is 1 Ian CVE for first 2, 1 for 3rd. See mptcp_subflow_add

  6. Jun 3

    The iOS 11.3.1 kernel exploit has been reliable on my test device, but some users have been reporting very low reliability. A solution that worked for those who tried was to disable Siri. I've updated the repo with a note and a few details about this:

  7. Retweeted
    Jun 3
    Replying to and

    Talked to Ian, he said one bug requires the entitlement, the other doesn't.

  8. Jun 3

    To anyone banking on Ian's upcoming exploit using different bugs: could be the case, but you are overlooking what we know so far if you don't see the risk (unless you mistrust Apple): Surprised no one agrees. No doubt Ian will make a dope exploit though

  9. Jun 3

    To average JB users: wait for a developer like who focuses on the part after all exploitation (all public since June 1, reliability/non-X aside). He hasn't shown any interest in my 11.3.1 exploit but he is welcome to use it. My focus is research, not development

  10. Jun 2

    Added root and sandbox escape to the iPhone X 11.3.1 exploit using QiLin by @Morpheus______ : Anyone care to explain what the big circlejerk about tfp0 is about? @Morpheus______ has made clear in the past it's not needed for his jailbreak framework

  11. Jun 1

    Updated repo with easy API for the iPhone X 11.3.1 kernel RWX. To be clear: this is a complete kernel exploit from inside the app sandbox, do whatever post-exploitation you want

  12. Jun 1

    iPhone X 11.3.1 kernel exploit simple PoC for the bug from my 30th May tweet: I am not a developer and promise no further commits. Your turn, ETA boys

  13. May 30

    iOS 11.4 kills a couple of heap overflows that easily grant full kernel RWX from normal app (but not Safari). Unlike the extra_recipe/yalu102 bug previously exploited by , and there is no need to overwrite next allocation, same struct is enough

  14. Apr 5
  15. Apr 5

    How to defeat KASLR on 11.2.6: 1. Create a new xcode project 2. Close it and delete it, choose 'Delete Immediately' from trash 3. Open extra_recipe instead 4. Add a 2 on line 547 so that "i < 28". 5. Remove line 527 6. Who would win, an American multi billion company or one 2boi

