Meysam
@R00tkitSMM
Followers
9,449
Following
653
Media
18
Statuses
466
Explore trending content on Musk Viewer
#2024MAMAVOTE
• 3620330 Tweets
Columbus
• 388414 Tweets
山本太郎
• 162305 Tweets
Bills
• 133309 Tweets
Bret
• 84438 Tweets
Jets
• 77398 Tweets
無料クーポン
• 73780 Tweets
GALA TU PATRONA
• 69088 Tweets
連休明け
• 67127 Tweets
#WWERaw
• 48314 Tweets
Geraldo
• 41708 Tweets
Gago
• 37647 Tweets
Soto
• 27555 Tweets
SHOW DO SACHA
• 26475 Tweets
緊急入院
• 25180 Tweets
Guardians
• 25122 Tweets
Trabajaba
• 23208 Tweets
Hail Mary
• 20334 Tweets
Josh Allen
• 17101 Tweets
Raquel
• 12026 Tweets
#BUFvsNYJ
• 11506 Tweets
C’mon Apple, iOS kernel vulnerability is not eligible for bounty? What would then be?
It could have been ended up in
@DonnchaC
or
@jsrailton
blogs. 🤦♂️
I reported CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.
Will publish the POC soon.
42
149
1K
91
184
2K
I reported CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.
Will publish the POC soon.
42
149
1K
POC for CVE-2024-27804
Wanted to share it after finishing a blogpost. but decided to share it.
I reported CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.
Will publish the POC soon.
42
149
1K
30
141
534
seem Apple have concluded that the reported CVE is not exploitable and they are planning to update the description to accurately describe the issue as an unexpected system termination rather than arbitrary code execution, but for good faith they will reward me 1000$.thanks
@Apple
C’mon Apple, iOS kernel vulnerability is not eligible for bounty? What would then be?
It could have been ended up in
@DonnchaC
or
@jsrailton
blogs. 🤦♂️
91
184
2K
26
16
295
I wrote a blog "Structure-Aware linux kernel Fuzzing with libFuzzer"
Why not syzkaller? Because why not.
2
69
192
I have received another CVE in iOS/macOS
CVE-2024-27802
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.
5
22
168
۱۲ تا CVE تو ۲۰۲۳ و ۲۰۲۴ تا الان از ایفون/مک. 📈
12
4
147
I added two more post to my three days old blog
1- "ImageIO, the infamous iOS Zero Click Attack Vector."
2- "CVE-2016-0040 Story of Uninitialized Pointer in Windows Kernel"
0
35
140
Holy Mother Dragon, what a blogpost about CoreSight.
ARMored CoreSight: Towards Efficient Binary-only Fuzzing
1
31
139
good arm64 tutorials
and
2
29
127
The new Google Project Zero blog shows how much effort is required to do research and how to build foundation and where to get started.
0
22
124
See you in Korea/Seoul soon!
[POC2024] SPEAKER UPDATE 7⃣
👤
@R00tkitSMM
- "Pishi: Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT"
#POC2024
0
7
66
11
10
122
POC and blog
use-after-free in linux kernel reported by me and
@zer0legday
is fixed here:
fix:
add missing locking around taking dentry fid list
will publish the POC very soon.
3
12
99
0
26
123
forget to say that I found CVE-2024-27802 in Apple's Metal.framework while was trying to find attack surface in WebGPU to escape to GPU process. after spending considerable time on
Render<->GPU IPC, I found that some texture parsing happens in GPU.
4
16
120
I used Ghidra in this project as a first experience, it worked very well even better than IDA Pro.
[POC2024] SPEAKER UPDATE 7⃣
👤
@R00tkitSMM
- "Pishi: Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT"
#POC2024
0
7
66
4
7
116
in Intel based macOS, Crowdstrike's falcon utilizes a KEXT which could potentially be vulnerable. however on Apple Silicon it employs System Extensions instead.
thanks Apple for keeping kernel a forbidden place :)
8
10
102
use-after-free in linux kernel reported by me and
@zer0legday
is fixed here:
fix:
add missing locking around taking dentry fid list
will publish the POC very soon.
3
12
99
writing externally optimized code is difficult
I had deadly performance issue, after a lot of investigation the issue turned out to be:
for
bool condition;
if(condition == true) // is a lot slower than
if ( condition)
11
6
98
use-after-free in linux kernel reported by me and
@zer0legday
is fixed here:
fix:
add missing locking around taking dentry fid list
will publish the POC very soon.
3
12
99
2
1
86
Republishing my old works in my new blog
"Exploiting MS15-061 with reverse engineering Win32k.sys"
1
21
85
Analysing an image exploit sample is so major work, you have to see how it modifies states inside its own "weird machine".
#WebP
Ian Beer - Blasting Past Webp.
1
13
83
Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries, using Hypervisor.framework
1
15
73
I’m soo happy that my new macOS kernel fuzzer works like a charm. 🪄 🧙♀️🐈
2
0
71
یه CVE دیگه از اپل 🍎 دریافت شد. 🔥
I have received another CVE in iOS/macOS
CVE-2024-27802
Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.
5
22
168
2
3
71
Paper day
1- EXPRACE: Exploiting Kernel Races through Raising Interrupts
and
2- Racing against the clock -- hitting a tiny kernel race window ( this is really cool)
0
15
68
Very good article about windows kernel fuzzing
0
12
68
Inspired by
@ifsecure
, to force h.264/h.265 decoding to be "inprocess", then I fuzzed both IOConnectCallMethod and h.264/h.265 input video together.
4
8
64
I don’t do bug bounty for bounty, I do it because I love to understand how things work. And mostly at my free time.
5
3
65
Damn it, there was a very ridiculous mistake in my blogpost "Structure-Aware linux kernel Fuzzing with libFuzzer"
I had forgotten to stop/start KCOV, in case you are using it. 🤦♂️🤦♂️
0
8
64
macOS/iOS kernel research needs a real dev. couldn't find a way to load kext via parallels desktop even though it allows to disable SIP in last versions.
and It is currently impossible to sign in with your Apple ID in a macOS Arm VM🤦♂️ and don't want to mess up my own macBook 👇
3
2
60
fuzzing TIP: if you see "Image File Format" (in this case: AV1) inside a container format(in this case: HEIF/AVIF), try to fuzz the "Image File Format" directly too.
0
1
69
Most of my research happens at a cafe in Berlin, I should share my bounties with baristas.
1
1
61
0
0
58
I can’t agree more with Mateusz
Personal takeaways
Long, persistent analysis pays off
0
2
56
PACMAN: Attacking ARM Pointer Authentication with Speculative Execution
1
10
52
Going to finish some TODOs in my soon to be open source macOS kernel fuzzer.
1
1
47
CROWBAR: Natively Fuzzing Trusted Applications Using ARM CoreSight
2
3
49
The difficult part of vulnerability research is sticking to one particular target :)
1
1
48
If I document how much I have spent on failed steps to have a working idea, my blog would be a book. But we just document the last successful steps.
0
1
45
CVE-2024-39463 assigned to our report.
use-after-free in linux kernel reported by me and
@zer0legday
is fixed here:
fix:
add missing locking around taking dentry fid list
will publish the POC very soon.
3
12
99
2
2
43
LightEMU: Hardware Assisted Fuzzing of Trusted Applications
CROWBAR: Natively Fuzzing Trusted Applications Using ARM CoreSight
2
3
49
1
7
44
The first thing that I going to do is panicking the kernel. 😈
1
1
43
For those who want to start learning assembly especially Arm, you can order
@Fox0x01
’s book now.
4
3
38