Thx to someone (thx!) I now know that Apple also did this in the past for CVE-2020-3858/-9974/-3831 and CVE-2021-30674 which are all in kexts but got attributed to the kernel. So I guess that we won't see this getting "fixed" in the advisory :(
littlelailo
@littlelailo
interested in RE and pwning stuff | hacking *OS atm
ROM
Joined September 2015
littlelailo’s Tweets
I really hope that the advisory is updated to reflect the correct component and that in the future Apple labels the component correctly. 4/4
I didn't get around to building a crasher PoC (yet?) so I also can't say with 100% certainty that this is a security relevant diff, but static analysis makes it look like one (the index is now checked, while it was previously unchecked -> trivial OOB write) 3/
I obviously can't say for certain that this is actually the fix for this CVE (only Apple could confirm), but multiple people have diffed the main kernel and found nothing other than exploit mitigations so it's probably it. 2/
CVE-2022-32894 seems to be another DCP vulnerability (look for `IOP Buffer array length exceeded`) where Apple (purposely?) mislabeled the vulnerable component in their security advisory (it says Kernel while it's actually in AppleFirmwareKit). 1/
Finally got a working blackbird implementation for A8/A9/A9X. Only tested A9 and A9X but A8 should be fine too.
Shoutout to for assistance with SEPROM RE and listening to my monologues about making exploit strat.
age += 1;
I'm no longer a teen and I'm starting to feel old :P
Last year was definitely a lot of fun & I learned a lot.
Really missed the cons tho so I'm looking forward to them this year (finally 🎉)
🤯 this is super awesome wow
Quote Tweet
Not sure if this is widely known, but you can go to storage.googleapis.com/syzkaller/cove and click on any file and line in the kernel that syzkaller/syzbot knows how to reach and it will give you the smallest testcase that reaches it.
Fixed as CVE-2022-26743
but all accesses we could find are bounds checked. Did anyone else also look into it and find an interesting field to corrupt? Or does anyone have links to a project that allows fine control over the h264 NAL units so that we could emit different patterns to see if sth crashes?
3/3
We also reversed a lot of the structures surrounding the bug and it seems like you can either corrupt an adjacent SPS block or the first PPS block (by overflowing from the last SPS into it). There are a couple of interesting fields in there (indexes into other arrays)
2/3
In the last couple weeks & I looked into the ITW bug in H264 parsing that got fixed in 15.4.1. We managed to create a file that creates the failure log on a patched Mac, but it doesn't crash an iPhone: github.com/b1n4r1b01/n-da
1/3
Finally got around to diff 15.5 b1 vs b2 and found this nicely tweetable bug:
int f = open("/dev/rmd0", O_RDWR);
uint64_t * x = malloc(0x4000);
for (uint64_t i = 0;;i += 0x4000)
pread(f,x,0x4000,-i);
Decided to tweet it since it needs a ramdisk, root and unsbxed code exec
Finally 🎉 searchable PDFs🔥
Quote Tweet
Venit tempus eius (1/2): #MOXiI FINALLY available in PDF. You can now get any or all three of my #MacOS/#iOS #Internals in the way they were planned to be read: Full color, fully searchable!
Pay (US): $75, PYPal: $85 (-$25 if you have paper ed)
DM or Email moxii@u.know.where
kudos to phrack.org for everything it stands for :)
excuses for me being a bad writer :(
phrack.org/issues/70/12.h
#checkra1n 0.12.0 released with many under the hood improvements, a SEPROM exploit for A10(X) on iOS 14 and iOS 14.2 support! Grab it at
I chose the name because SR 71 “blackbird” was designed to fly so high the enemy’s radars couldn’t see them and this bug allows you to set a bit so high the seprom can’t see it
twitter.com/littlelailo/st - thanks again for everything yall know who you are :)
Quote Tweet
Last week was super awesome; had so much fun (Thx @s1guza and @i41nbeer ) and I even found another upsi by apple:
sha256(blackbird.txt) = ad360a459b3f89438c315f5767ecfda2fdfb92131d5922df4f73192f3079b453
Super awesome presentation I’ll publish my write up/blackbird.txt in the next few days :) Finding and losing two ROM bugs in one year feels bittersweet, but it’s super cool that I can talk about it now.
(To avoid confusion - we found it independently and they liked my name)
Quote Tweet
enjoy "blackbird"
raw.githubusercontent.com/windknown/pres
this.isminor = false; holy shit what a year! Thanks again to everybody who supported and helped me, let’s see what next year brings :)
Sickest bug in 2020 so far - love logic flaws and that's a really awesome one
Quote Tweet
New blog post: "Psychic Paper"
The story of the best. Sandbox escape. Ever.
siguza.github.io/psychicpaper/
Beta tested it and it's super cool, really really good job!!!
Quote Tweet
Here's project Sandcastle's announcement: twitter.com/iblametom/stat
New ROM -> new bugs? ;p apple why the hell do you think this is a good idea lol
What a ride. As you can see I didn't put much more work in after I found checkm8/apollo in march, I hope someone can build upon it or build upon acorn, but unfortunately even now I won't have the time because I need to prepare for finals :/
btw spice is an anagram for ipsec
Quote Tweet
We opensourced Spice @ github.com/JakeBlair420/S
checkra1n for Linux is now available at checkra.in! 🌧️📲
It’s been months of hard work in the making and we’re so glad to finally show it to you.
I just realized that CPA is also short for correlation power analysis, I meant chosen plaintext attack. Sry if that causes confusion :|
From looking at the AES spec it seems like it's not a huge improvement because the second round key differs (and with that each other round key?), but I still wanna know :p
Question to the crypto ppl: is there a known attack on AES that deals with the fact that the same key is used for an AES128/192 and AES256 encryption (talking about CPA attacks and one half of the 256 bit key == 128 bit key). Just wondered what the complexity of such an attack is
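The key-schedule comparison the thread asks about, as an added example (not littlelailo's code): expand the same 128-bit key as an AES-128 key and as the first half of an AES-256 key and check which round keys coincide. KEY128 and KEY256 are constructed sample values.

```python
# Added example: FIPS-197 key expansion for AES-128 and AES-256, used to
# compare the round keys when the 256-bit key's first half is the 128-bit key.
# KEY128 / KEY256 below are constructed sample values, not real keys.

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _sbox_byte(a):
    inv = 0 if a == 0 else next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
    s = 0x63                                  # affine transform of the inverse
    for i in range(5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s

SBOX = [_sbox_byte(a) for a in range(256)]

def expand_key(key):
    """Return the list of 16-byte round keys for a 16/24/32-byte AES key."""
    nk = len(key) // 4                        # 4, 6 or 8 words
    rounds = nk + 6
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % nk == 0:                       # RotWord, SubWord, Rcon
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:          # extra SubWord only in AES-256
            t = bytes(SBOX[b] for b in t)
        w.append(bytes(x ^ y for x, y in zip(w[i - nk], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(rounds + 1)]

def shared_round_keys(key128, key256):
    """Indices of round keys that are identical in both schedules."""
    pairs = zip(expand_key(key128), expand_key(key256))
    return [i for i, (a, b) in enumerate(pairs) if a == b]

KEY128 = bytes(range(16))                     # constructed sample key
KEY256 = KEY128 + bytes(range(16, 32))        # first half == KEY128

if __name__ == "__main__":
    print("round keys shared:", shared_round_keys(KEY128, KEY256))  # [0]
```

Only round key 0 coincides: AES-256's round key 1 is simply the second half of the key, so the two schedules diverge from the first round on.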
2019 has been a really cool year. I found some good bugs, met awesome ppl and had a lot of fun in the IT world as well as the "real" world. Thanks to all the people who help me achieving my dreams and let's see what the next decade offers!
#CCC was super cool this year. Had a lot of fun and it was awesome to see y'all. Till next year and have fun hacking all the things ;)
github.com/xerub/acorn untethered+unsandboxed code execution based on media.ccc.de/v/36c3-11034-t /cc
Historical moment! Highest amount of #ra1n ever recorded since the beginning of weather records! Truly phenomenal! #checkra1n checkra.in
Quote Tweet
checkra1n beta 0.9 is now available at checkra.in! - this is an early release and as such you should not be running it on a primary release. please read the FAQ on the website for additional information. reddit: reddit.com/r/jailbreak/co
Finally rc 0.9 is out. This is such an amazing project, thanks to everyone putting so much time into it and I'm really thankful that I can be a part of this <3
And now you can debug your demoted iPhone over JTAG/SWD with the Bonobo Cable and OpenOCD! shop.lambdaconcept.com/home/37-bonobo
New episode today in under an hour at 10AM EST about the new BootROM exploit for A5-A11 devices! Featuring , , , and !
Same place as usual: discord.gg/jb!
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).