Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2

saaramar, posted 4 years ago
  • The author of this post found integer calculations being made on 32-bit values without overflow checks. Because the product wraps, an attacker-controlled value produces an undersized result that later leads to memory corruption.
  • A lot of the time, integer overflows turn into wildcopies that make exploitation difficult. To me, the author has great insight into how to exploit these.
  • The first part is turning the bug into a wildcopy in the first place, rather than a NULL dereference panic. After playing with the input values that trigger the vulnerability, they found a better code path that reaches the bug. At this point the copy loop runs far too many iterations and writes into unmapped memory, which simply panics the kernel.
  • There are a few options for exploiting wildcopies:
    • Relying on a race condition between threads. If another thread can alter something (for example, the loop's bounds or destination) while the corruption is in progress, the copy may be cut short.
    • Stopping the loop through some logic in the code path itself once the memory we care about has been corrupted.
    • Overwriting a function pointer, or code and data used by the copying function itself, so that control is hijacked before the loop runs off the end of mapped memory.
  • In this case, the author found logic that could be used to stop the wildcopy: memory-compare checks in the loop that could be made to fail, ending the copy after a controlled amount of corruption. At the end, they have a really good POC that was likely exploitable. Awesome!
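To make the 32-bit overflow pattern concrete, here is an added example written for this page; it is not code from the IOMFB driver or from saaramar's post. It assumes a length-like field `count`, a fixed element size `ELEM_SIZE`, and a sanity limit `MAX_COUNT`, all chosen for illustration. The vulnerable size computation sits beside a hardened one, and two helpers quantify the resulting wildcopy with and without an early-stop condition in the loop, which is the exploitation option the notes above describe. `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not the IOMFB code): a 32-bit `count` is multiplied
 * by a fixed element size to size an allocation, and the copy loop that
 * fills the allocation is driven by the original `count`. ELEM_SIZE and
 * MAX_COUNT are assumptions chosen for illustration. */

#define ELEM_SIZE 16u
#define MAX_COUNT 4096u

/* Vulnerable pattern: the product wraps modulo 2^32, so a huge count yields
 * a tiny allocation while the loop still runs `count` times. */
uint32_t total_bytes_unchecked(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened pattern: reject counts above the caller's limit and refuse any
 * product that does not fit in 32 bits. Returns false on rejection. */
bool total_bytes_checked(uint32_t count, uint32_t *out) {
    uint32_t total;
    if (count > MAX_COUNT)
        return false;
    if (__builtin_mul_overflow(count, ELEM_SIZE, &total))
        return false;
    *out = total;
    return true;
}

/* Number of elements the vulnerable loop would write past the end of the
 * wrapped allocation, i.e. the size of the wildcopy in elements. */
uint32_t overrun_elements(uint32_t count) {
    uint32_t fits = total_bytes_unchecked(count) / ELEM_SIZE;
    return count > fits ? count - fits : 0;
}

/* Same loop, but with a `stop_after` iteration at which some reachable
 * logic (a failing compare check, in the post) ends the loop early.
 * stop_after == 0 means the loop runs to completion. This is why the
 * "stop the loop" option matters: the overrun becomes small and bounded
 * instead of running into unmapped memory. */
uint32_t overrun_with_stop(uint32_t count, uint32_t stop_after) {
    uint32_t fits = total_bytes_unchecked(count) / ELEM_SIZE;
    uint32_t iterations = (stop_after && stop_after < count) ? stop_after : count;
    return iterations > fits ? iterations - fits : 0;
}

int main(void) {
    /* 0x10000001 * 16 = 0x100000010, which wraps to 0x10 in 32 bits. */
    uint32_t count = 0x10000001u;
    uint32_t checked;

    printf("unchecked size: %#x bytes (allocation holds %u elements)\n",
           total_bytes_unchecked(count), total_bytes_unchecked(count) / ELEM_SIZE);
    printf("unchecked loop writes %#x elements out of bounds\n",
           overrun_elements(count));
    printf("if stopped after 3 iterations: %u elements out of bounds\n",
           overrun_with_stop(count, 3));
    printf("checked computation: %s\n",
           total_bytes_checked(count, &checked) ? "accepted" : "rejected");
    return 0;
}
```

With the wrapped size the allocation holds a single element while the loop intends to write over 268 million of them; stopping the loop after a handful of iterations turns that into a two-element overrun, which is the kind of controlled corruption the post's POC achieves through the compare checks.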