
Mickey Jin
@patch1t
Exploring the world with my sword of debugger : )
ID: 1714323002
https://jhftss.github.io/ 31-08-2013 02:32:21
254 Tweets
4,4K Followers
232 Following

Thrilled to announce my new Project Zero blog post is LIVE! I detail my knowledge-driven fuzzing process to find sandbox escape vulnerabilities in CoreAudio on macOS. I'll talk about this and the exploitation process next week at OffensiveCon! googleprojectzero.blogspot.com/2025/05/breaki…

Stoked for Jaron Bradley's soon-to-be-released 2nd book: "Threat Hunting macOS" (and was honored to write its foreword). Jaron is an outstanding researcher, speaker, trainer, & friend, and this book will become an essential macOS security resource. linkedin.com/feed/update/ur…

I lightly mentioned CVE-2025-31235, a double-free I found in coreaudiod/CoreAudio, during my OffensiveCon presentation last month. It's been derestricted now, so enjoy my writeup which includes a PoC and dtrace script to help understand the vulnerability! project-zero.issues.chromium.org/issues/4062711…

Just dropped: the full #OBTS v8 talk lineup! objectivebythesea.org/v8/talks.html And for the first time we'll have 3 full days of presentations! Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task!

So CVE-2025-43268 was indeed my vuln in cryptexctl, but Arsenii Kostromin found it first, kudos to him. Here's the "exploit", which makes sudo try and load an unsigned dylib from the current directory: /S*/L*/S*/u*/b*/c*.r* exec $PWD/ sudo ls

#AppleDevelopers use NSFileManager thinking it's safe, but Mickey Jin found a race condition once thought "impossible to exploit." At #NullconBerlin2025, he'll show how it works, why CVE-2024-54566 failed, and Apple's final fix. nullcon.net/berlin-2025/sp… #iOS #applesecurity
