
WeightBufs:

WeightBufs is a kernel r/w exploit for all Apple devices with Neural Engine support. Bugs and exploit by @simo36; you can read my presentation slides from POC for more details about the vulnerabilities and the exploitation techniques.

The exploit doesn't rely on any hardcoded address or offset, and it should work AS IS on macOS 12 up to 12.4 and *OS 15 up to 15.5.

The kernel vulnerabilities affect all iOS 15 versions (up to 16.0); however, the sandbox escape has been fixed in iOS 15.6. As a result, the exploit chain is broken on iOS 15.6/15.7, and another sandbox escape is required to get things working again there. Although I have another sandbox escape that works up to iOS 16.1, I'm not sure if the kernel exploit techniques are still usable on iOS 15.6+.

Vulnerabilities:

The exploit chains 4 vulnerabilities which I independently discovered and reported to Apple:

  • CVE-2022-32845 : aned signature check bypass for model.hwx.
  • CVE-2022-32948 : DeCxt::FileIndexToWeight() OOB read due to lack of array index validation.
  • CVE-2022-42805 : ZinComputeProgramUpdateMutables() potential arbitrary read due to an integer overflow issue.
  • CVE-2022-32899 : DeCxt::RasterizeScaleBiasData() buffer underflow due to an integer overflow issue.

Tested devices:

  • iPhone12 Pro (iPhone13,3) with iOS 15.5.
  • iPad Pro (iPad8,10) with iPadOS 15.5.
  • iPhone11 Pro (iPhone12,3) with iOS 15.4.1.
  • MacBookAir10,1 M1 with macOS 12.4.

Notes:

There are some situations where the exploit may fail:

  • The target IOSurface or IOSurfaceClient object address lies above the mutable kernel buffer MUTK; however, the exploit detects this failure early, preventing the device from crashing. It's sufficient to run the exploit again, and it should succeed on the second attempt.
  • If the exploit frequently crashes the device at stage 2 or stage 3, that means it must be tuned to the tested device; make sure to read DEBUG_EXPLOIT_STAGE_2_KERN_PANIC and DEBUG_EXPLOIT_STAGE_3_KERN_PANIC for more details.
  • The target device needs to be in an idle state, and it's preferable to reboot it before using the exploit; even better if airplane mode is turned off.

Contributors:

  • 0x36
