Min(Spark) Zheng (@sparkzheng) 's Twitter Profile
Min(Spark) Zheng

@sparkzheng

Android/iOS Senior Security Engineer @ Alibaba, CUHK PhD, a member of Blue-lotus and Insight-labs, worked at FireEye, Baidu and Tencent.

ID: 2265701526

Joined: 28-12-2013 10:17:47

277 Tweets

24.24K Followers

84 Following

unc0ver Team (@unc0verteam) 's Twitter Profile Photo

We are going to release #unc0ver 5.0.0 with support for every signed iOS version on every device using a 0day kernel vulnerability from @Pwn20wnd in sponsorship with phonerebel.com very soon. Update your devices to 13.5 and follow our progress on unc0ver.dev.

Min(Spark) Zheng (@sparkzheng) 's Twitter Profile Photo

Cool and good job! I am more interested in what 0day vulnerabilities are used, but the entire payload has been obfuscated and it will take some time to analyze. 😅

Brandon Azad (@_bazad) 's Twitter Profile Photo

KTRW now has proper support for kernel debugging iOS 13. It uses checkra1n to insert an XNU kernel extension into the kernelcache before boot.

Objective-See Foundation (@objective_see) 's Twitter Profile Photo

📝 new (guest) blog post: "CVE-2020–9934: Bypassing TCC ...for unauthorized access to sensitive user data" 🔗 objective-see.com/blog/blog_0x4C… ✍️ by: Matt Shockley (Matt Shockley) "...and then directly modify the TCC database to give myself every TCC entitlement" ...no code required 🤩

Brandon Azad (@_bazad) 's Twitter Profile Photo

One Byte to Rule Them All: An iOS 13 exploit technique that turns a one-byte kernel heap overflow into an arbitrary physical address mapping primitive, all while avoiding the kernel task port and sidestepping mitigations like PAC, KASLR, and zone_require. googleprojectzero.blogspot.com/2020/07/one-by…

Min(Spark) Zheng (@sparkzheng) 's Twitter Profile Photo

zone_require() mitigation (address verification for Mach port objects) was changed on iOS 13.6, looking forward to seeing a new bypass~

simo (@_simo36) 's Twitter Profile Photo

Here is a PoC kernel exploit, it demonstrates how to get kernel task port on iOS 13.7. I will update the PoC with a writeup later. github.com/0x36/oob_events

Tielei (@wangtielei) 's Twitter Profile Photo

Can’t believe that I also missed the bug. Motivated by this blog, I also prepared a blog, sharing another bug in the same extension. blog.pangu.io/?p=221

checkra1n (@checkra1n) 's Twitter Profile Photo

We planned to open source checkra1n in 2020, but unfortunately we're not quite ready for a full release yet. HOWEVER: We just open sourced the entirety of PongoOS, including our kernel patchfinder and SEP exploit! All available at: github.com/checkra1n/pong…

codecolorist@infosec.exchange (@codecolorist) 's Twitter Profile Photo

See No Eval: Runtime Dynamic Code Execution in Objective-C blog.chichou.me/2021/01/16/see… It reveals more detail that I didn't have time to cover in my previous talk slides

Corellium (@corelliumhq) 's Twitter Profile Photo

It's been a long time coming: we’re very excited to announce that virtual iOS-based devices are now available for individual accounts on our groundbreaking security research platform. corellium.com/blog/ios-for-i…

Objective-See Foundation (@objective_see) 's Twitter Profile Photo

An Objective-See Foundation tool, flagged what may be the first instance of malicious code that natively targets Apple Silicon (M1)! 🍎🐛 Read: "Arm'd & Dangerous" objective-see.com/blog/blog_0x62…