Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The BootROM is the only part of the iOS system that is not patchable. So, finding a vulnerability in the BootROM means that it will last forever on the phones that it exists on.

When Malloc runs out of memory, NULL or 0x0 is sent back to the user. In order to prevent bad accesses on 0x0, a check is made, similar to the following:

if (pointer == NULL) {
	// handle error
} else {
	// pointer is valid, continue
}

The vulnerability comes from an issue with the Malloc implementation. Older versions of Malloc improperly return 0x8 instead of 0x0 when the heap allocator has ran out of memory. Hence, because 0x8 is returned, it is viewed as a valid pointer!

Where does 0x8 point to? On ARM processors the exception vector table starts at 0x0. This is used for handling bad actions, such as OOB reads and such. By overwriting entries in the table, we can control the flow of execution upon particular error messages!

To fill up the heap, a large plethora of images are sent to the system. Once they are freed, the pointer (at 0x8) will cause an invalid memory exception and execute the code from the exception table. Now, it is game on!

Super simple bug that caused the complete downfall of the system. I wonder how many more simple bugs like this are out in the wild, just waiting to be found :)