Mistuned Part 3

Unfortunately I didn’t finish this blog series before September. For the rest of the content, please refer to the slides and paper.

Mistuned Part 2: Butterfly Effect

In the last post, I used a client-side XSS to get JavaScript injected into a local pre-installed app. That app has no process isolation, yet it still supports in-process just-in-time (JIT) compilation. Any working WebKit exploit therefore works there too, with far more access than it would have in a WebContent renderer. It doesn’t even need real code execution to launch the Calculator app.

Mistuned Part 1: Client-side XSS to Calculator and More

Ever since Pointer Authentication Code (PAC) was introduced, the iPhone remained standing at various pwn contests for more than two years, until TianfuCup 2020 (Project Zero had reported a remote zero-click exploit in 2019). Ant Security and Qihoo 360 each used a different bug chain to gain remote code execution with a userspace sandbox escape on an iPhone 11 running iOS 14.2.

Quick Analysis for the SSID Format String Bug

A few days ago a Twitter post revealed a bug in the iOS Wi-Fi service:

See No Eval: Runtime Dynamic Code Execution in Objective-C

I designed the challenge Dezhou Instrumentz for RealWorldCTF. For further explanation, I gave a talk on the motivation behind it and the expected solution:

X Site eScape (Part II): Look Up a Shell in the Dictionary

This post is the last part of this silly series, but I think it’s the only noteworthy one. The exploit chain triggers two XSS bugs across two privileged WebViews and bypasses Gatekeeper to execute arbitrary native code outside the sandbox. It works on both High Sierra and Mojave.

Projects

Grapefruit

Grapefruit is an open-source offensive testing tool for iOS apps, powered by frida and Vue.js.

Sploits

Disclosing security vulnerabilities. For educational purposes only.

vscode-frida

Unofficial frida extension for VSCode. Makes it easier to attach to targets.

Global WebInspect

Enables WebInspect globally, allowing front-end debugging of third-party apps on jailbroken devices.

Presentations

Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software (BlackHat USA 2017)
ModJack: Hijacking the macOS Kernel (HITB Ams 2019)
I Want to Break Free: Unusual Logic Safari Sandbox Escapes (TyphoonCon 2019)
Cross-Site Escape: Pwning macOS Safari Sandbox the Unusual Way (BlackHat EU 2020)
Research on “Non-mainstream” Logic Privilege Escalation Vulnerabilities on macOS
Bifröst Revealed: Analysis of the VMware Fusion REST API Vulnerability
See No Eval: Runtime Dynamic Code Execution in Objective-C (RWCTF 2021)