Photographers WannCry (2017)

Back in 2017 I was still doing app pentesting. I noticed that my DSLR camera has an Android subsystem and supports photography apps, so I started to investigate whether there was a way to pwn it. I did it.

Mistuned Part 3: PAC Bypass

In the previous parts, we triggered a use-after-free on Objective-C objects and successfully refilled the dangling pointer with fully-controlled data. Now let's take a look at some prior research articles for further exploitation.

Mistuned Part 2: Butterfly Effect

In the last post, I used a client-side XSS to get JavaScript injected into a local pre-installed app. It has no process isolation while it still supports in-process just-in-time (JIT) compilation. Any working WebKit exploit works there too, with much more access than the WebContent renderer. It doesn't even need real code execution to launch the Calculator app.

Mistuned Part 1: Client-side XSS to Calculator and More

Ever since Pointer Authentication Code (PAC) was introduced, the iPhone remained standing for more than two years at various pwn contests until TianfuCup 2020 (Project Zero had reported a remote zero-click exploit in 2019). Ant Security and Qihoo 360 used two different bug chains to successfully gain remote code execution with userspace sandbox escape on an iPhone 11 running iOS 14.2.

Quick Analysis for the SSID Format String Bug

Days ago a Twitter post revealed a bug in the iOS Wi-Fi service:

See No Eval: Runtime Dynamic Code Execution in Objective-C

I designed the challenge Dezhou Instrumentz for RealWorldCTF. For further explanation I gave a talk on the motivation and expected solution for it:
