simo
@_simo36
Joined December 2013
  • I audited the Android kernel in late 2023 and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context.
  • +16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
  • My #POC2022 slides + the iOS kernel r/w exploit can be found here :) github.com/0x36/weightBuf… Thanks @POC_Crew for a fantastic conference and truly honored to have been part of it.
  • powerd exploit: sandbox escape to root for Apple iOS < 12.2 on A11 devices
  • PoC for iOS kernel bug reachable from within the sandbox, I may drop the exploit later
  • Here is a PoC kernel exploit; it demonstrates how to get the kernel task port on iOS 13.7. I will update the PoC with a writeup later.
  • I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don’t require you to open a UserClient: 0x36.github.io/CVE-2022-32898/
  • A PoC of an iOS kernel UAF I found last year, CVE-2018-4420, fixed in 12.1; this requires the host_priv port to be triggered. More bugs soon github.com/0x36/CVE-pocs/…
  • In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT,...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (it now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP
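The tweet above describes a grooming primitive: a data-queue buffer filled with user bytes used to be carved from the same default heap as kernel objects, so a freed object slot could be reclaimed with attacker-controlled content. The toy model below is an added illustration written for this page, not XNU code and not the author's exploit. It assumes a hypothetical fixed-size zone allocator with a LIFO free list (`struct zone`, `zone_alloc`, `zone_free`), a hypothetical kernel object `struct victim` whose first field is a function pointer, and a constructed spray payload `FAKE_PTR`. `groom_shared_heap()` models the old behaviour (objects and queue buffers from one heap); `groom_split_heap()` models the post-15.5 behaviour (queue buffers from a separate data-only region), which the real kernel implements with far more machinery than this sketch.

```c
/* Added toy model (not XNU code): why moving user-controlled data allocations
 * out of the kernel default heap breaks a UAF-reclaim grooming technique. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS     8
#define SLOT_SIZE 64

typedef void (*fn_t)(void);

/* Hypothetical kernel object: a function pointer an attacker wants to own. */
struct victim {
    fn_t    dispatch;
    uint8_t pad[SLOT_SIZE - sizeof(fn_t)];
};

/* Hypothetical zone: fixed-size slots, LIFO free list (freed slot reused first). */
struct zone {
    uint8_t mem[SLOTS][SLOT_SIZE];
    int     free_stack[SLOTS];
    int     free_top;
};

static void zone_init(struct zone *z) {
    z->free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--)      /* slot 0 ends up on top */
        z->free_stack[z->free_top++] = i;
}

static void *zone_alloc(struct zone *z) {
    if (z->free_top == 0) return NULL;
    void *p = z->mem[z->free_stack[--z->free_top]];
    memset(p, 0, SLOT_SIZE);                  /* fresh object starts zeroed */
    return p;
}

static void zone_free(struct zone *z, void *p) {
    int idx = (int)(((uint8_t *)p - &z->mem[0][0]) / SLOT_SIZE);
    z->free_stack[z->free_top++] = idx;       /* slot is immediately reusable */
}

/* Constructed spray payload: every 8 bytes of the queue buffer hold this value. */
static const uintptr_t FAKE_PTR = 0x4141414141414141ULL;

/* Models initWithCapacity() handing user-supplied queue bytes to a heap. */
static void spray_queue(struct zone *data_heap, int count) {
    for (int i = 0; i < count; i++) {
        uint8_t *buf = zone_alloc(data_heap);
        if (!buf) break;
        for (size_t off = 0; off + sizeof(uintptr_t) <= SLOT_SIZE; off += sizeof(uintptr_t))
            memcpy(buf + off, &FAKE_PTR, sizeof FAKE_PTR);
    }
}

/* UAF scenario: allocate a victim, free it but keep the dangling pointer,
 * spray queue buffers, then look at what now sits under victim->dispatch.
 * Returns true when the attacker's bytes reclaimed the freed slot. */
static bool uaf_reclaimed(struct zone *obj_heap, struct zone *data_heap) {
    struct victim *v = zone_alloc(obj_heap);
    zone_free(obj_heap, v);                   /* v is now dangling */
    spray_queue(data_heap, SLOTS);            /* try to refill freed slots */
    uintptr_t now;
    memcpy(&now, v, sizeof now);              /* read via the dangling pointer */
    return now == FAKE_PTR;
}

/* Old layout: kernel objects and queue buffers share one heap. */
bool groom_shared_heap(void) {
    struct zone heap;
    zone_init(&heap);
    return uaf_reclaimed(&heap, &heap);       /* expected: true */
}

/* New layout: queue buffers live in a separate data-only region. */
bool groom_split_heap(void) {
    struct zone objects, data;
    zone_init(&objects);
    zone_init(&data);
    return uaf_reclaimed(&objects, &data);    /* expected: false */
}

int main(void) {
    printf("shared heap: attacker controls victim->dispatch = %s\n",
           groom_shared_heap() ? "yes" : "no");
    printf("split heap:  attacker controls victim->dispatch = %s\n",
           groom_split_heap() ? "yes" : "no");
    return 0;
}
```

The LIFO free list is what makes the shared-heap case deterministic here; real zone allocators add per-CPU caches, randomisation and size classes, so grooming in practice needs many more sprays and is probabilistic. The point that survives the simplification is the one in the tweet: once user-controlled buffers can no longer be placed in the heap that holds the dangling object, the reclaim never happens no matter how much is sprayed.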
  • CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double-fetch issue that resulted in an interesting OOB write. 0x36.github.io/CVE-2022-32932/
  • A PoC trigger for my CVE-2020-9768. Apple's description is not accurate; this is a kernel bug in AppleJPEGDriverUserClient