Linus Henze

@LinusHenze

Followers
27,306
Following
22
Media
22
Statuses
150

macOS and iOS Fan. CTF with @allesctf and @Sauercl0ud . Founder @pinauten . they/them

Koblenz, Germany
Joined February 2016
@LinusHenze
Linus Henze
3 years
Demo of CVE-2021-30740, CVE-2021-30768, CVE-2021-30769, CVE-2021-30770 and CVE-2021-30773 on iOS 14.5.1, iPhone 12 Pro Max
219
687
3K
@LinusHenze
Linus Henze
5 years
Say Hello to Sileo! (iPad Pro 2017, iPadOS 13.1.3, custom Jailbreak, not checkra1n)
67
271
2K
@LinusHenze
Linus Henze
3 years
Q: Wen eta? A: October 21 (open source)
@LinusHenze
Linus Henze
3 years
Demo of CVE-2021-30740, CVE-2021-30768, CVE-2021-30769, CVE-2021-30770 and CVE-2021-30773 on iOS 14.5.1, iPhone 12 Pro Max
219
687
3K
134
262
1K
@LinusHenze
Linus Henze
3 years
Some clarification: 1. I did test multiple unc0ver builds before the release and they worked just fine. 2. The untether is safe to use as long as you don't start messing around with the code. 3. An installer for easy installation will probably be available soon-ish
111
172
1K
@LinusHenze
Linus Henze
3 years
I've updated Fugu14 to finally fix that sleep/wake bug. Additionally, Fugu14 will now automatically be installed when installing unc0ver via the latest version (1.4.8) of AltStore.
161
175
940
@LinusHenze
Linus Henze
5 years
I’ve decided to submit my keychain exploit to @Apple , even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
47
173
825
@LinusHenze
Linus Henze
5 years
On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote.
Tweet media one
35
243
805
@LinusHenze
Linus Henze
3 years
Unfortunately, I’ll have to postpone the release to Sunday. Testing revealed bugs on some devices/iOS versions that I’ll have to fix first. And I don’t want to release Fugu14 if it doesn’t support all devices/iOS versions it’s supposed to
@LinusHenze
Linus Henze
3 years
Q: Wen eta? A: October 21 (open source)
134
262
1K
195
130
787
@LinusHenze
Linus Henze
5 years
Verbose boot is cool, but I know y’all want this Thanks @axi0mX for the exploit!
Tweet media one
22
115
742
@LinusHenze
Linus Henze
3 years
I've updated Fugu14 to support more devices (iPads) and increase PAC bypass reliability. Additionally, the snapshot issue ("Fugu14 is already installed") should be fixed as well
103
96
710
@LinusHenze
Linus Henze
6 years
Want a free Safari 0day? (Ok, it's actually a 1day because it's fixed in the latest WebKit version, but it still works in the latest version of Safari) Then go to Please don't do evil stuff with this.
15
303
673
@LinusHenze
Linus Henze
2 years
Fugu15 T-Shirt is out now and can be purchased from me. Fugu15 will be released once I've sold 10k.
Tweet media one
127
120
646
@LinusHenze
Linus Henze
2 years
Tweet media one
Tweet media two
Tweet media three
Tweet media four
45
95
604
@LinusHenze
Linus Henze
4 years
I’ve just uploaded my Jailbreak for the iPad Pro (2017) to GitHub. Right now, SSH and Sileo can be installed. Due to lack of devices, I cannot currently implement support for other devices. Feel free to create PRs if you would like to help me!
19
122
487
@LinusHenze
Linus Henze
2 years
Fugu15 slides erratum: 15.5b4 is not supported. If you're wondering why I said it is: I thought I tested on 15.5b4 but my zsh history shows that I accidentally downloaded the 15.4b4 kernel instead...
Tweet media one
80
60
416
@LinusHenze
Linus Henze
5 years
I've created a modified version of checkm8 that doesn't cause your iPhone to crash when loading img4 images (e.g. iBSS): Also includes a signature check removal tool to load unsigned images (currently only supports iPhone 5s, only patches SecureROM).
16
118
407
@LinusHenze
Linus Henze
1 year
My tweak compatibility mode for Fugu15 works pretty well, it even supports arm64 code in arm64e processes now. Before and after:
Tweet media one
Tweet media two
32
65
406
@LinusHenze
Linus Henze
5 years
Hopefully you all updated your Macs to the latest macOS version, because as promised in my talk at #OBTS , KeySteal is now available on Github: Please, only use this exploit for educational purposes. Don’t be evil!
5
168
395
@LinusHenze
Linus Henze
2 years
iOS 16 not only introduced "Launch Constraints", it also introduced a new TrustCache format to apply these constraints to all preinstalled applications. I've looked into both and noted down some stuff:
12
79
374
@LinusHenze
Linus Henze
2 years
20e763b575a104f6e7ed54f2e120de864a843ed0dc17167ac8505c503ff5a681
45
31
293
@LinusHenze
Linus Henze
1 year
I think I’ve messed up my language settings 🤔
Tweet media one
25
24
274
@LinusHenze
Linus Henze
5 years
Now something you didn’t see before: iPad Pro (2017) verbose boot (iOS 13.1) #checkm8
7
33
259
@LinusHenze
Linus Henze
2 years
Clarification: iOS 15 is supported up to 15.4.1. Some iOS 15.5 betas are supported too (might need some changes to the offsets though) but beta 4 is definitely not supported
33
42
256
@LinusHenze
Linus Henze
10 months
Tweet media one
12
21
254
@LinusHenze
Linus Henze
1 year
wen eta Vision Pro jailbreak???
20
28
247
@LinusHenze
Linus Henze
1 year
Helo Apple I can haz IOSurfaceAccelerator bug pls?
Tweet media one
Tweet media two
Tweet media three
Tweet media four
8
24
226
@LinusHenze
Linus Henze
4 years
I've released a new version of Fugu which finally renames the root fs snapshot (i.e. Tweaks and other stuff will now be preserved across reboots). Of course it also supports iOS 13.4.1 Check it out here:
14
40
203
@LinusHenze
Linus Henze
5 years
I’ve added support for t8011 (iPad Pro 2017) to my #checkm8 fork! Fully supports unsigned img4 loading!
Tweet media one
12
37
202
@LinusHenze
Linus Henze
2 years
I've decided to take a look at the Tamarin Cable today and noticed that it wouldn't work most of the time so I've created a fork of its firmware that actually works! Supports UART/DCSD, Reset and Reset to DFU (no JTAG right now).
5
28
182
@LinusHenze
Linus Henze
5 years
I can confirm that my keychain Exploit still works with the latest macOS security update
5
36
178
@LinusHenze
Linus Henze
4 years
First MacBook Air running on ARM ;)
Tweet media one
3
6
170
@LinusHenze
Linus Henze
6 years
I just released a Writeup for the WebKid challenge of #35C3CTF . You can find it here: Writeup for pillow will follow soon...
1
65
174
@LinusHenze
Linus Henze
4 years
Fugu now supports iOS/iPadOS 13.4 and has a new auto-installer that installs Sileo, Substitute and SSH!
15
36
162
@LinusHenze
Linus Henze
6 years
Finally solved the WebKid/chaingineering Challenge from #35C3CTF . Writeup will follow soon…
Tweet media one
3
23
171
@LinusHenze
Linus Henze
2 years
(/s)
12
1
150
@LinusHenze
Linus Henze
5 years
Remember KeychainStealer by @patrickwardle which can steal all your keychain passwords? While his vulnerability is patched now, I've found a new one, affecting macOS Mojave and lower. More information can be found in my video: #OhBehaveHack #OhBehaveApple
11
102
134
@LinusHenze
Linus Henze
1 year
@tihmstar Sure! cc -Wno-all -xc -<<<'main(f){fcntl(f=open(&f,513),48,1);write(f,0xFFFFFC000,1<<14);}';./a.out
4
14
135
@LinusHenze
Linus Henze
2 years
10
9
127
@LinusHenze
Linus Henze
2 years
@opa334dev Rewrite the *Swift* code? What?! I originally intended to rewrite the C part in Swift (PAC and PPL bypass - kernel r/w can't use Swift because of the stupid DriverKit dyld shared cache which doesn't contain the Swift runtime). Why does everyone hate Swift? :(
10
9
124
@LinusHenze
Linus Henze
2 years
Are you fu**ing kidding me @github? I've tried to submit a DMCA takedown notice (ticket 1908899) and now they make up random stuff so they don't have to process it. They claim that I didn't include my physical address but the original notice (quoted in their email) shows that I did
Tweet media one
Tweet media two
12
9
106
@LinusHenze
Linus Henze
1 year
There’s a special place in hell for people who use fork on iOS
13
11
104
@LinusHenze
Linus Henze
1 year
Today’s lunch: Baked iPhone 13 Mini
Tweet media one
9
4
92
@LinusHenze
Linus Henze
6 years
Because everyone seems to write that my WebKit exploit only works on iOS 12.1 and below: It works on iOS 12.1.1 as well (but still no support for shellcode loading on iOS, might implement that later)
3
22
77
@LinusHenze
Linus Henze
5 years
Keychain is safe again 😉 See
Tweet media one
6
12
83
@LinusHenze
Linus Henze
6 years
Just FYI: The WebKit exploit still works on iOS 12.1.2. The best thing however is that the iOS 12.1.2 public beta is patched, but the final version is not. @Apple why is it so hard to update WebKit? The vulnerability was reported over 1 month ago with a fix available.
4
21
75
@LinusHenze
Linus Henze
5 years
I just uploaded the slides for my KeySteal presentation at Objective by the Sea #OBTS . You can find them here: Thanks again @patrickwardle and @andyrozen for organizing this awesome conference!
0
29
67
@LinusHenze
Linus Henze
6 years
Writeup for the pillow challenge of #35C3CTF can now be found here:
0
24
61
@LinusHenze
Linus Henze
4 years
Another quick update: I’ve added experimental MobileSubstrate support. Bloard and PreferenceLoader work, Anemone will cause Safe Mode to be entered.
2
10
45
@LinusHenze
Linus Henze
4 years
Quick update: NewTerm and other Apps that do not rely on tweak injection work now
4
5
42
@LinusHenze
Linus Henze
2 years
Update: JTAG should work now, with some known bugs (device must be reconnected to reset when in JTAG mode)
1
0
38
@LinusHenze
Linus Henze
5 years
My pwning your kernelz challenge from the #CCCamp19 #CTF finally got its first solve, from @ntrung03 ! See his writeup and enjoy the 0day while it lasts ;)
@ntrung03
Trung Nguyễn Hoàng
5 years
Introducing a new tag to my blog: "0day" Thanks @Apple and @LinusHenze Don't worry, it can't be exploited in wild :D
1
24
86
0
11
33
@LinusHenze
Linus Henze
5 years
New challenge released! pwning your kernelz, a macOS 0day LPE challenge!
1
3
32
@LinusHenze
Linus Henze
1 year
What’s it like setting a timer on HomePod?
2
1
26
@LinusHenze
Linus Henze
5 years
The CCCamp CTF hosted by @allesctf has started and features a Keychain Challenge authored by me! Spoiler: 0days might be required ;) (And yes, we’ve got a solution (there are at least two ways to solve this challenge). Writeup will be published afterwards)
0
4
20
@LinusHenze
Linus Henze
1 year
@zhuowei I have no idea why that was changed. I might look into it though
1
0
18
@LinusHenze
Linus Henze
2 years
@zhuowei Your assumption is incorrect: The WiFi driver never opens the WiFi card so Fugu15 can simply open it
4
2
16
@LinusHenze
Linus Henze
4 years
@0xmachos Unfortunately you cannot use entitlements that are checked in the kernel. I'll release a writeup soon, you'll then understand why you can't use these kind of entitlements. However, you can use the bug to become root and then use a second bug (not fixed yet) to bypass SIP.
0
5
16
@LinusHenze
Linus Henze
2 years
@zhuowei Yes. There is a new check in iOS 15 that prevents binaries from checking in with DriverKit unless the binary was launched as a DriverKit driver
0
5
15
@LinusHenze
Linus Henze
4 years
@sdotknight Try it out. You'll be surprised.
2
0
10
@LinusHenze
Linus Henze
2 years
@zhuowei The DriverKit setup is incredibly cursed. The oobPCI binary is not even a valid DriverKit binary (Fugu15 patches dyld...) and linking against any function in the dyld shared cache will fail for whatever reason. Additionally, DriverKit shared cache != normal shared cache
1
3
10
@LinusHenze
Linus Henze
2 years
@zhuowei IOMatchCategory is the wrong key. You need IOProviderClass = IOPCIDevice and IONameMatch = wlan, otherwise it won't work
2
3
8
@LinusHenze
Linus Henze
4 years
@Jakeashacks They didn't patch OSUnserializeXML. They patched the AMFI kext
1
0
5
@LinusHenze
Linus Henze
4 years
@Pwn20wnd @sdotknight Nope. On macOS, the kernel will ignore the binary PLIST data because it can't read it. Additionally, because it can't find any restricted entitlement, it will allow your App to run without asking amfid. Userspace entitlement checks will however succeed because they accept bplists
1
0
7
@LinusHenze
Linus Henze
4 years
@CStar_OW Not at all! I’d be happy to use it. (I actually prefer substitute)
0
0
6
@LinusHenze
Linus Henze
5 years
@A2nkF_ @SevenLayerJedi @Apple @BleepinComputer And SMAP needs to be disabled, i.e. Macs from 2015 and later are not affected
0
0
7
@LinusHenze
Linus Henze
3 years
@lucasfryer @ihackbanme Excerpt from Apple’s iOS license agreement, this should answer your question:
Tweet media one
1
1
6
@LinusHenze
Linus Henze
4 years
@patrickwardle Disable SIP. Afterwards you can remount the file system writable using "mount -u -o rw /"
1
2
5
@LinusHenze
Linus Henze
5 years
@paranoidshthot @GSMDRONE That’s expected. Before sending an image, you need to reset the USB connection (which also disables pwned DFU but keeps all patches applied to SecureROM). You can do so by sending a random file using irecovery. Afterwards, irecovery/idevicerestore should work as expected.
4
1
6
@LinusHenze
Linus Henze
4 years
@Jakeashacks @Pwn20wnd @sdotknight Most XPC services perform entitlement checks, even on iOS. AFAIK the bug is unexploitable on iOS
0
0
5
@LinusHenze
Linus Henze
2 years
@moski_dev Try to reconnect your device to the Tamarin Cable after entering JTAG mode (keep the Tamarin Cable itself plugged in)
1
0
4
@LinusHenze
Linus Henze
6 years
@mkolsek This might affect other WebKit based Browsers as well iff they use JavaScriptCore as their JavaScript Engine (that means no Chrome) and use a relatively new WebKit Version (must be not too old and not too new, should be the Version used in iOS 12.0 to 12.1)
0
1
4
@LinusHenze
Linus Henze
5 years
@phakeobj @_niklasb @qwertyoruiopz I've got no R/W primitive right now but I can help you with your burger skills: I've got a great vegan burger recipe ;)
0
0
3
@LinusHenze
Linus Henze
5 years
@hackerfantastic @patrickwardle No, this also works when the ACLs are not empty. Extracting passwords from the System keychain works as well, but not from the keychains of other users as the keychain must be unlocked (except for the System keychain, which can be locked)
1
1
4
@LinusHenze
Linus Henze
5 years
@jankais3r @gruber @patrickwardle If it was meant like this then no, you won’t get a warning
0
0
4
@LinusHenze
Linus Henze
5 years
@LisaVaas Yes, @Apple (more specific: their Product Security Team) did write me an email (asking me if I would provide full details, ignoring the reason why I don’t want to). I replied to them (telling them no unless they accept what I wrote them) but I’m still waiting for an answer…
0
0
3
@LinusHenze
Linus Henze
3 years
Tweet media one
0
0
3
@LinusHenze
Linus Henze
5 years
@thezedwards @patrickwardle To be honest, no. Never heard of XARA before…
1
0
2
@LinusHenze
Linus Henze
5 years
@CodeColorist @patrickwardle Nope. Just dumping all Keychain passwords. No LPE/sandbox escape.
0
0
2
@LinusHenze
Linus Henze
6 years
@wdormann Yep. I’ve also updated the Readme so others know this as well. Btw, the Hello world line is printed by the injected assembly code which is currently the only thing it does.
1
0
2
@LinusHenze
Linus Henze
5 years
@CLK55 @chronic Should be. At least that’s what Apple wrote in the patch notes. (I didn’t check)
0
0
1
@LinusHenze
Linus Henze
5 years
@gruber @patrickwardle Not if it was signed or if you got it on the App Store. (Note that I don’t have a paid developer Account so I can’t sign it)
1
0
2
@LinusHenze
Linus Henze
5 years
@mcelhearn @patrickwardle It works as long as the keychain is unlocked (which it usually is as long as you’re logged in), except for the System keychain - containing WiFi passwords etc. - which may be locked. I know that the first subtitle is a bit dumb - It was meant to be
1
0
2
@LinusHenze
Linus Henze
4 years
@80036ndyt Should be fixed now. Please try the updated v0.2 release.
2
0
2
@LinusHenze
Linus Henze
7 years
@SindormirNet Did you put some sort of self-destruction in the Bootloader? After trying to dump the Firmware the Board is not working anymore 😢 (And the dump only contains 0xFF)
1
1
1
@LinusHenze
Linus Henze
5 years
@Michael_Kan I’m not quite sure yet. I definitely know that I won’t keep it forever (and I definitely won’t sell it!). I’ll probably present my findings someday.
0
0
1
@LinusHenze
Linus Henze
5 years
@RemieCremers @patrickwardle No. Neither the App nor the user account had admin privileges.
0
0
1
@LinusHenze
Linus Henze
5 years
@Contains_ENG Oops, thank you. I've updated the Readme.
0
0
1
@LinusHenze
Linus Henze
5 years
@gruber @patrickwardle That depends on how the sandbox is configured. I tried the “standard” configuration (used by Mac App Store Apps for example) by enabling App Sandbox in Xcode and it still worked.
1
0
1
@LinusHenze
Linus Henze
6 years
@wdormann You need to have a WebSocket Server running at Port 5000, see logging.js
1
0
0
@LinusHenze
Linus Henze
5 years
@cndycc @objective_see Yes! I will upload them soon (i.e. definitely this week).
0
0
1
Linus Henze Retweeted
@objective_see
Objective-See Foundation
2 years
Just announced: the talks for #OBTS v5.0: ...and this year's lineup is beyond stacked! 🤯🤗
7
34
139
@LinusHenze
Linus Henze
5 years
@jleyden Yes, the vulnerability has been patched in March. It could have been exploited through a malicious App (including Apps in the App Store!) and by chaining it with another exploit (e.g. a WebKit exploit so you could have been exploited by visiting a malicious website)
0
0
1
@LinusHenze
Linus Henze
4 years
@Cimmerian_Iter This should be fixed in the latest version. Make sure to run the Fugu installer again by rebooting once without the Jailbreak (this will reset the root file system if you never ran the new installer) or by deleting /.Fugu_installed
2
0
0
@LinusHenze
Linus Henze
5 years
@xerusdesign It’s the 12.9 inch model
1
0
1