Some clarification: 1. I did test multiple unc0ver builds before the release and they worked just fine. 2. The untether is safe to use as long as you don't start messing around with the code. 3. An installer for easy installation will probably be available soon-ish
I've updated Fugu14 to finally fix that sleep/wake bug. Additionally, Fugu14 will now automatically be installed when installing unc0ver via the latest version (1.4.8) of AltStore.
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote.
Unfortunately, I’ll have to postpone the release to Sunday. Testing revealed bugs on some devices/iOS versions that I’ll have to fix first. And I don’t want to release Fugu14 if it doesn’t support all devices/iOS versions it’s supposed to.
I've updated Fugu14 to support more devices (iPads) and increase PAC bypass reliability. Additionally, the snapshot issue ("Fugu14 is already installed") should be fixed as well
Want a free Safari 0day? (Ok, it's actually a 1day because it's fixed in the latest WebKit version, but it still works in the latest version of Safari) Then go to
Please don't do evil stuff with this.
I’ve just uploaded my Jailbreak for the iPad Pro (2017) to GitHub. Right now, SSH and Sileo can be installed. Due to lack of devices, I cannot currently implement support for other devices. Feel free to create PRs if you would like to help me!
Fugu15 slides erratum: 15.5b4 is not supported. If you're wondering why I said it is: I thought I tested on 15.5b4 but my zsh history shows that I accidentally downloaded the 15.4b4 kernel instead...
I've created a modified version of checkm8 that doesn't cause your iPhone to crash when loading img4 images (e.g. iBSS):
Also includes a signature check removal tool to load unsigned images (currently only supports iPhone 5s, only patches SecureROM).
Hopefully you all updated your Macs to the latest macOS version, because as promised in my talk at #OBTS, KeySteal is now available on Github:
Please, only use this exploit for educational purposes. Don’t be evil!
iOS 16 not only introduced "Launch Constraints", it also introduced a new TrustCache format to apply these constraints to all preinstalled applications. I've looked into both and noted down some stuff:
Clarification: iOS 15 is supported up to 15.4.1. Some iOS 15.5 betas are supported too (might need some changes to the offsets though) but beta 4 is definitely not supported
I've released a new version of Fugu which finally renames the root fs snapshot (i.e. Tweaks and other stuff will now be preserved across reboots). Of course it also supports iOS 13.4.1
Check it out here:
I've decided to take a look at the Tamarin Cable today and noticed that it wouldn't work most of the time, so I've created a fork of its firmware that actually works! Supports UART/DCSD, Reset and Reset to DFU (no JTAG right now).
Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords?
While his vulnerability is patched now, I've found a new one, affecting macOS Mojave and lower.
More information can be found in my video:
#OhBehaveHack #OhBehaveApple
@opa334dev Rewrite the *Swift* code? What?! I originally intended to rewrite the C part in Swift (PAC and PPL bypass - kernel r/w can't use Swift because of the stupid DriverKit dyld shared cache which doesn't contain the Swift runtime).
Why does everyone hate Swift? :(
Are you fu**ing kidding me @github? I've tried to submit a DMCA takedown notice (ticket 1908899) and now they make up random stuff so they don't have to process it. They claim that I didn't include my physical address but the original notice (quoted in their email) shows that I did.
Because everyone seems to write that my WebKit exploit only works on iOS 12.1 and below: It works on iOS 12.1.1 as well (but still no support for shellcode loading on iOS, might implement that later)
Just FYI: The WebKit exploit still works on iOS 12.1.2. The best thing however is that the iOS 12.1.2 public beta is patched, but the final version is not.
@Apple why is it so hard to update WebKit? The vulnerability was reported over 1 month ago with a fix available.
I just uploaded the slides for my KeySteal presentation at Objective by the Sea #OBTS. You can find them here:
Thanks again @patrickwardle and @andyrozen for organizing this awesome conference!
My pwning your kernelz challenge from the #CCCamp19 #CTF finally got its first solve, from @ntrung03! See his writeup and enjoy the 0day while it lasts ;)
The CCCamp CTF hosted by @allesctf has started and features a Keychain Challenge authored by me! Spoiler: 0days might be required ;)
(And yes, we‘ve got a solution (there are at least two ways to solve this challenge). Writeup will be published afterwards)
@0xmachos Unfortunately you cannot use entitlements that are checked in the kernel. I'll release a writeup soon, you'll then understand why you can't use these kinds of entitlements.
However, you can use the bug to become root and then use a second bug (not fixed yet) to bypass SIP.
@zhuowei Yes. There is a new check in iOS 15 that prevents binaries from checking in with DriverKit unless the binary was launched as a DriverKit driver.
@zhuowei The DriverKit setup is incredibly cursed. The oobPCI binary is not even a valid DriverKit binary (Fugu15 patches dyld...) and linking against any function in the dyld shared cache will fail for whatever reason. Additionally, DriverKit shared cache != normal shared cache.
@Pwn20wnd @sdotknight Nope. On macOS, the kernel will ignore the binary PLIST data because it can't read it. Additionally, because it can't find any restricted entitlement, it will allow your App to run without asking amfid. Userspace entitlement checks will however succeed because they accept bplists.
@paranoidshthot @GSMDRONE That’s expected. Before sending an image, you need to reset the USB connection (which also disables pwned DFU but keeps all patches applied to SecureROM). You can do so by sending a random file using irecovery. Afterwards, irecovery/idevicerestore should work as expected.
@mkolsek This might affect other WebKit-based browsers as well iff they use JavaScriptCore as their JavaScript engine (that means no Chrome) and use a relatively new WebKit version (must not be too old and not too new, should be the version used in iOS 12.0 to 12.1).
@phakeobj @_niklasb @qwertyoruiopz I've got no R/W primitive right now but I can help you with your burger skills: I've got a great vegan burger recipe ;)
@hackerfantastic @patrickwardle No, this also works when the ACLs are not empty. Extracting passwords from the System keychain works as well, but not from the keychains of other users as the keychain must be unlocked (except for the System keychain, which can be locked).
@LisaVaas Yes, @Apple (more specifically: their Product Security Team) did write me an email (asking me if I would provide full details, ignoring the reason why I don’t want to).
I replied to them (telling them no unless they accept what I wrote them) but I’m still waiting for an answer…
@wdormann Yep. I’ve also updated the Readme so others know this as well. Btw, the Hello world line is printed by the injected assembly code which is currently the only thing it does.
@mcelhearn @patrickwardle It works as long as the keychain is unlocked (which it usually is as long as you’re logged in), except for the System keychain - containing WiFi passwords etc. - which may be locked.
I know that the first subtitle is a bit dumb - It was meant to be
@SindormirNet Did you put some sort of self-destruction in the bootloader? After trying to dump the firmware the board is not working anymore 😢 (And the dump only contains 0xFF)
@Michael_Kan I’m not quite sure yet. I definitely know that I won’t keep it forever (and I definitely won’t sell it!). I’ll probably present my findings someday.
@gruber @patrickwardle That depends on how the sandbox is configured. I tried the “standard” configuration (used by Mac App Store Apps for example) by enabling App Sandbox in Xcode and it still worked.
@jleyden Yes, the vulnerability has been patched in March. It could have been exploited through a malicious App (including Apps in the App Store!) and by chaining it with another exploit (e.g. a WebKit exploit, so you could have been exploited by visiting a malicious website).
@Cimmerian_Iter This should be fixed in the latest version. Make sure to run the Fugu installer again by rebooting once without the Jailbreak (this will reset the root file system if you never ran the new installer) or by deleting /.Fugu_installed.