In-depth exploration found in the wild iOS exploit chain V-vulnerability warning-the black bar safety net

This exploit chain are currently three different teams found, respectively, is the attacker's malicious organization, Project Zero Brandon Azad and 360 Security@S0rryMybad it. In 2018, 11 December 17,@S0rryMybad exploit this vulnerability in the Tianfu Cup PWN the race to win the 20 million dolla...

In-the-wild iOS Exploit Chain 5

Posted by Ian Beer, Project Zero TL;DR This exploit chain is a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security. On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition...

voucher_swap: Exploiting MIG reference counting in iOS 12

Posted by Brandon Azad, Project Zero In this post I'll describe how I discovered and exploited CVE-2019-6225, a MIG reference counting vulnerability in XNU's taskswapmachvoucher function. We'll see how to exploit this bug on iOS 12.1.2 to build a fake kernel task port, giving us the ability to re...

iOSmacOS - task_swap_mach_voucher() Use-After-Free

iOSmacOS - taskswapmachvoucher Use-After-Free / voucherswap-poc.c Brandon Azad / if 0 iOS/macOS: taskswapmachvoucher does not respect MIG semantics leading to use-after-free The dangers of not obeying MIG semantics have been well documented: see issues 926 CVE-2016-7612, 954 CVE-2016-7633, 1417...

iOS / macOS - task_swap_mach_voucher() Use-After-Free Exploit

/ voucherswap-poc.c Brandon Azad / if 0 iOS/macOS: taskswapmachvoucher does not respect MIG semantics leading to use-after-free The dangers of not obeying MIG semantics have been well documented: see issues 926 CVE-2016-7612, 954 CVE-2016-7633, 1417 CVE-2017-13861, asyncwake, 1520 CVE-2018-4139,...