macos-ios-system-security

Here are some resources about macOS/iOS system security.

exploit writeups

https://blog.pangu.io/

https://starlabs.sg/advisories/

https://bugs.chromium.org/p/project-zero/issues/list

https://talosintelligence.com/vulnerability_reports#disclosed

CVE | module | PoC/writeup
CVE-2015-???? | Kernel | https://github.com/kpwn/tpwn
    http://nirvan.360.cn/blog/?p=469
CVE-2016-???? | XPC | https://marcograss.github.io/security/apple/xpc/2016/06/17/containermanagerd-xpc-array-oob.html
CVE-2016-1758&CVE-2016-1828 | Kernel | https://bazad.github.io/2016/05/mac-os-x-use-after-free/
CVE-2016-1824 | IOHIDFamily | https://marcograss.github.io/security/apple/cve/2016/05/16/cve-2016-1824-apple-iohidfamily-racecondition.html
CVE-2016-1825 | IOHIDFamily | https://bazad.github.io/2017/01/physmem-accessing-physical-memory-os-x/
CVE-2016-1865 | Kernel | https://marcograss.github.io/security/apple/cve/2016/07/18/cve-2016-1865-apple-nullpointers.html
CVE-2016-1722 | syslogd | https://blog.zimperium.com/analysis-of-ios-os-x-vulnerability-cve-2016-1722/
CVE-2016-1757 | Kernel | https://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html
    http://turingh.github.io/2016/04/03/CVE-2016-1757%E7%AE%80%E5%8D%95%E5%88%86%E6%9E%90/
    https://turingh.github.io/2016/04/19/CVE-2016-1757%E5%88%A9%E7%94%A8%E7%A8%8B%E5%BA%8F%E5%88%86%E6%9E%90/
CVE-2016-4633 | Intel Graphics Driver | https://marcograss.github.io/security/apple/cve/2016/07/21/cve-2016-4633-apple-graphics-another-osx-bug.html
CVE-2016-4673 | CoreGraphics | https://marcograss.github.io/security/apple/cve/macos/ios/2016/11/21/cve-2016-4673-apple-coregraphics.html
CVE-2016-7595 | CoreText | https://security.tencent.com/index.php/blog/msg/111
CVE-2017-13861 | IOSurface | https://siguza.github.io/v0rtex/
    https://paper.seebug.org/472/
CVE-2017-13868 | Kernel | https://bazad.github.io/2018/03/a-fun-xnu-infoleak/
CVE-2018-4124 | CoreText | https://blog.zecops.com/vulnerabilities/analyzing-the-ios-telugu-crash-part-i/
CVE-2018-4184 | sandbox | https://ubrigens.com/posts/linking_a_microphone.html
CVE-2018-4185 | Kernel | https://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/
CVE-2018-4229&CVE-2020-3854 | sandbox | https://ubrigens.com/posts/sandbox_initialisation_bypasses.html
CVE-2018-4248 | libxpc | https://bazad.github.io/2018/07/xpc-string-leak/
CVE-2018-4280 | libxpc | https://github.com/bazad/blanket
CVE-2018-4331&CVE-2018-4332&CVE-2018-4343 | Heimdal | https://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/
CVE-2018-4346 | Dictionary | https://www.securing.pl/en/secure-implementation-of-webview-in-ios-applications/
CVE-2018-4407 | Kernel | https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407
CVE-2018-4415 | CoreAnimation | https://ssd-disclosure.com/ssd-advisory-ios-macos-safari-sandbox-escape-via-quartzcore-heap-overflow/
CVE-2018-4431 | Kernel | https://ssd-disclosure.com/ssd-advisory-ios-macos-kernel-task_inspect-information-leak/
CVE-2019-6225 | Kernel | https://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202.html
    https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html
    https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html
    http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-1-prologue/
    http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-2-a-walkthrough-of-the-voucher-swap-exploit/
CVE-2019-6231 | CoreAnimation | https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231
CVE-2019-8507 | CoreAnimation | https://www.fortinet.com/blog/threat-research/detailed-analysis-mac-os-vulnerability-cve-2019-8507
CVE-2019-8549 | Power Management | https://ssd-disclosure.com/ssd-advisory-ios-powerd-uninitialized-mach-message-reply-to-sandbox-escape-and-privilege-escalation/
CVE-2019-8561 | PackageKit | https://0xmachos.com/2021-04-30-CVE-2019-8561-PoC//
CVE-2019-8605 | Kernel | https://googleprojectzero.blogspot.com/2019/12/sockpuppet-walkthrough-of-kernel.html
    https://github.com/jakeajames/sock_port
    http://blog.asm.im/2019/11/17/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%80%EF%BC%89UAF-%E4%B8%8E-Heap-Spraying/
    http://blog.asm.im/2019/11/24/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%BA%8C%EF%BC%89%E9%80%9A%E8%BF%87-Mach-OOL-Message-%E6%B3%84%E9%9C%B2-Port-Address/
    http://blog.asm.im/2019/12/01/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%89%EF%BC%89IOSurface-Heap-Spraying/
    http://blog.asm.im/2019/12/08/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E5%9B%9B%EF%BC%89The-tfp0/
CVE-2019-8635 | AMD | https://www.trendmicro.com/en_us/research/19/f/cve-2019-8635-double-free-vulnerability-in-apple-macos-lets-attackers-escalate-system-privileges-and-execute-arbitrary-code.html
CVE-2019-8761 | UIFoundation | https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
CVE-2019-8794&CVE-2019-8795&CVE-2019-8797 | Kernel&AVEVideoEncoder&Audio | https://ssd-disclosure.com/ssd-advisory-via-ios-jailbreak-sandbox-escape-and-kernel-r-w-leading-to-rce/
CVE-2020-3847&CVE-2020-3848 | CoreBluetooth | https://blogs.360.cn/post/macOS_Bluetoothd_0-click.html
CVE-2020-3852&CVE-2020-3864&CVE-2020-3865&CVE-2020-3885&CVE-2020-3887&CVE-2020-9784&CVE-2020-9787 | Safari&WebKit | https://www.ryanpickren.com/webcam-hacking
CVE-2020-3919 | IOHIDFamily | https://alexplaskett.github.io/CVE-2020-3919/
CVE-2020-9771 | sandbox | https://theevilbit.github.io/posts/cve_2020_9771/
    https://theevilbit.github.io/posts/reversing_cve_2020_9771/
CVE-2020-9817 | PackageKit | https://research.nccgroup.com/2020/07/02/technical-advisory-macos-installer-local-root-privilege-escalation-cve-2020-9817/
CVE-2020-9854 | Security | https://a2nkf.github.io/unauthd_Logic_bugs_FTW/
CVE-2020-9934 | CoreFoundation | https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8
CVE-2020-9964 | IOSurfaceAccelerator | https://muirey03.blogspot.com/2020/09/cve-2020-9964-ios-infoleak.html
CVE-2020-9967 | Kernel | https://alexplaskett.github.io/CVE-2020-9967/
CVE-2020-9968 | sandbox | https://blog.xpnsec.com/we-need-to-talk-about-macl/
CVE-2020-9971 | libxpc | https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/
CVE-2020-9979 | Assets | https://blog.chichou.me/2020/08/06/x-site-escape-part-ii-look-up-a-shell-in-the-dictionary/
CVE-2020-9992 | IDE Device Support | https://blog.zimperium.com/c0ntextomy-lets-debug-together-cve-2020-9992/
CVE-2020-27897 | Kernel | https://www.zerodayinitiative.com/blog/2020/12/9/cve-2020-27897-apple-macos-kernel-oob-write-privilege-escalation-vulnerability
CVE-2020-27932 | Kernel | https://worthdoingbadly.com/specialreply/
CVE-2020-27935 | XNU | https://github.com/LIJI32/SnatchBox
CVE-2020-27949 | Kernel | https://github.com/seemoo-lab/dtrace-memaccess_cve-2020-27949
CVE-2020-27950 | Kernel | https://www.synacktiv.com/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html
CVE-2020-9900&CVE-2021-1786 | Crash Reporter | https://theevilbit.github.io/posts/macos_crashreporter/
CVE-2020-9905 | Kernel | https://blog.zecops.com/vulnerabilities/from-a-comment-to-a-cve-content-filter-strikes-again/
CVE-2020-9922 | Mail | https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c
CVE-2021-1740&CVE-2021-30855&CVE-2021-30995 | Preferences | https://jhftss.github.io/CVE-2021-1740-Invalid-Patch/
    https://www.trendmicro.com/en_us/research/22/a/analyzing-an-old-bug-and-discovering-cve-2021-30995-.html
CVE-2021-1747 | CoreAudio | https://mp.weixin.qq.com/s/9dmQH4qIw95Gsx92wLSr6w
CVE-2021-1757 | IOSkywalkFamily | https://github.com/b1n4r1b01/n-days/tree/main/CVE-2021-1757
CVE-2021-1782 | Kernel | https://github.com/ModernPwner/cicuta_virosa
    https://www.synacktiv.com/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782
CVE-2021-1815 | Preferences | https://www.offensive-security.com/offsec/macos-preferences-priv-escalation/
CVE-2021-30655 | Wi-Fi | https://wojciechregula.blog/post/press-5-keys-and-become-root-aka-cve-2021-30655/
CVE-2021-30657 | System Preferences | https://objective-see.com/blog/blog_0x64.html
CVE-2021-30659 | CoreFoundation | https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/
CVE-2021-30660 | Kernel | https://alexplaskett.github.io/CVE-2021-30660/
CVE-2021-30713 | TCC | https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
CVE-2021-30724 | CVMS | https://gist.github.com/jhftss/1bdb0f8340bfd56f7f645c080e094a8b
    https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
CVE-2021-30734&CVE-2021-30735 | WebKit&Graphics Drivers | https://github.com/ret2/Pwn2Own-2021-Safari
CVE-2021-30740&CVE-2021-30768&CVE-2021-30769&CVE-2021-30770&CVE-2021-30773 | Kernel&dyld&Identity Service | https://github.com/LinusHenze/Fugu14
CVE-2021-30798 | TCC | https://jhftss.github.io/CVE-2021-30798-TCC-Bypass-Again-Inspired-By-XCSSET/
CVE-2021-30807 | IOMobileFrameBuffer | https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
CVE-2021-30833 | xar | https://research.nccgroup.com/2021/10/28/technical-advisory-apple-xar-arbitrary-file-write-cve-2021-30833/
CVE-2021-30853 | GateKeeper | https://objective-see.com/blog/blog_0x6A.html
CVE-2021-30860 | CoreGraphics | https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html
    https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
CVE-2021-30861&CVE-2021-30975 | Script Editor&WebKit | https://www.ryanpickren.com/safari-uxss
CVE-2021-30864 | LaunchServices | https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassing-app-sandbox-restrictions/
CVE-2021-30869 | XNU | https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/
CVE-2021-30883 | IOMobileFrameBuffer | https://saaramar.github.io/IOMFB_integer_overflow_poc/
CVE-2021-30892 | zsh | https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/
CVE-2021-30902 | Voice Control | https://blog.zecops.com/research/use-after-free-in-voice-control-cve-2021-30902/
CVE-2021-30955 | Kernel | https://www.cyberkl.com/cvelist/cvedetail/24
    https://github.com/tihmstar/desc_race-fun_public
    https://gist.github.com/jakeajames/37f72c58c775bfbdda3aa9575149a8aa
CVE-2021-30970 | TCC | https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
CVE-2021-30990 | LaunchServices | https://ronmasas.com/posts/bypass-macos-gatekeeper
CVE-2022-22582 | xar | https://research.nccgroup.com/2022/03/15/technical-advisory-apple-macos-xar-arbitrary-file-write-cve-2022-22582/
CVE-2022-22616 | Safari Downloads | https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/
CVE-2022-22639 | SoftwareUpdate | https://www.trendmicro.com/en_us/research/22/d/macos-suhelper-root-privilege-escalation-vulnerability-a-deep-di.html
CVE-2022-22660 | System Preferences | https://rambo.codes/posts/2022-03-15-how-a-macos-bug-could-have-allowed-for-a-serious-phishing-attack-against-users
CVE-2022-26706 | LaunchServices | https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/
CVE-2022-26712 | PackageKit | https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
CVE-2022-26766&CVE-2022-26763 | CoreTrust&DriverKit | https://worthdoingbadly.com/coretrust/
CVE-2022-32787 | ICU | https://ssd-disclosure.com/ssd-advisory-apple-safari-icu-out-of-bounds-write/
CVE-2022-32816 | WebKit | https://ssd-disclosure.com/ssd-advisory-apple-safari-idn-url-spoofing/
CVE-2022-32832 | APFS | https://github.com/Muirey03/CVE-2022-32832
CVE-2022-32883 | Maps | https://github.com/breakpointHQ/CVE-2022-32883
(no CVE, multiple) | lock screen bypass | https://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html

tools

Just some little dev tools to probe IOKit:

https://github.com/Siguza/iokit-utils

Dyld Shared Cache Support for BinaryNinja:

https://github.com/cxnder/bn-dyldsharedcache

iOS/macOS kernelcache/extensions analysis tool:

https://github.com/lilang-wu/p-joker

static analysis tool for analyzing the security of Apple kernel drivers:

https://github.com/alibaba-edu/Driver-Security-Analyzer

Coralsun is a small Cython utility library that provides Python support for low-level kernel features:

https://github.com/FSecureLABS/coralsun

fuzzers

public:

macOS 10.13 kernel fuzzer

https://github.com/FSecureLABS/OSXFuzz

binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

https://github.com/ant4g0nist/ManuFuzzer

automates the generation of syscall specifications for closed-source macOS drivers to enable interface-aware fuzzing

https://github.com/seclab-ucr/SyzGen_setup

binary code-coverage fuzzer for Windows and macOS

https://github.com/googleprojectzero/Jackalope

a fork of XNU that contains support for fuzzing the network stack in userland on macOS and Linux-based hosts

https://github.com/googleprojectzero/SockFuzzer

OS X kernel vulnerability fuzzing framework based on a passive inline-hook mechanism in kernel mode

https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX

honggfuzz patch for trap-based, coverage-guided fuzzing of closed-source libraries on macOS

https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz

honggfuzz patch for fuzzing iOS libraries on an M1 Mac

https://github.com/googleprojectzero/p0tools/tree/master/iOSOnMac

patches that build WebKitGTK+ with ASAN and make changes that ease fuzzing

https://github.com/googleprojectzero/p0tools/tree/master/WebKitFuzz

private:

LLDBFuzzer: "Debug for Bug: Crack and Hack Apple Core by Itself"

LynxFuzzer: "Improving Mac OS X Security Through Gray Box Fuzzing Technique"

"Port Syzkaller to Support macOS XNU Fuzzing"

"Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit"

conference

conference | talk
blackhat asia 2021 | Racing the Dark: A New TOCTTOU Story from Apple's Core
blackhat asia 2021 | Apple Neural Engine Internal: From ML Algorithm to HW Registers
blackhat asia 2021 | The Price of Compatibility: Defeating macOS Kernel Using Extended File Attributes
blackhat europe 2015 | Attacking the XNU Kernel in El Capitan
blackhat usa 2021 | 20+ Ways to Bypass Your macOS Privacy Mechanisms
blackhat usa 2021 | Everything has Changed in iOS 14, but Jailbreak is Eternal
blackhat usa 2021 | Reverse Engineering the M1
blackhat usa 2021 | Hack Different: Pwning iOS 14 With Generation Z Bugz
blackhat usa 2021 | Wibbly Wobbly, Timey Wimey: What's Really Inside Apple's U1 Chip
CanSecWest 2016 | Don't Trust Your Eye: Apple Graphics Is Compromised!
CanSecWest 2017 | Port(al) to the iOS Core
CSS 2019 | How to Mine macOS/iOS Kernel Information-Leak Vulnerabilities in Bulk
defcon26 | Attacking the macOS Kernel Graphics Driver
defcon29 | Caught you - reveal and exploit IPC logic bugs inside Apple
HITB AMS 2021 | macOS local security: escaping the sandbox and bypassing TCC
HITB GSEC 2019 | Recreating an iOS 0-day jailbreak out of Apple's security patches
HITB SIN 2022 | One-Click to Completely Take Over A macOS Device
mch2022 | My journey to find vulnerabilities in macOS
Objective by the Sea | https://objectivebythesea.com/
syscan360 2016 | Memory corruption is for wussies!
