Update: I will release the information once the patch is released. Please note that this bug is still not fixed in the latest iOS version (12.1.2) (I think because of the Christmas and New Year vacation), so please wait. On the other hand, this bug can work on A12.
AAPL fixed one of my kernel bugs, which I reported to them, in iOS 12.2. It can be triggered from any sandbox. But I can't find the CVE in their advisories. So am I the only one or not? Because there are too few kernel bugs in this patch.
After MSRC merged them, there are still 11 CVEs I got in the May patch.
They are ALL easy to exploit and give RCE in the Edge process.
Even if you are not focused on Edge but on other browsers, I hope these bugs can help you, as I always find browser bugs with inspiration from other browsers.
I want to see how many bugs I can find if I focus on the same thing for a month, as I have never tried that. Recently I am addicted to the ChakraCore JIT compiler. Can't wait to share many interesting bugs.
@S0rryMybad @n_b1a from 360 ESG Vulnerability Research Institute only used 6 seconds to crack #FireFox. Bravo! We will update the final verification result and bug info later.
The ack information has been corrected now. This is an interesting bug, as the patch was committed and reverted, and committed and reverted again. I used it in the TianfuCup to get Chrome RCE. It is a bit similar to @_tsuro's Math.expm1. The blog post will be out as soon as possible.
|MACH_MSG_TYPE_MOVE_SEND| means it drops the send right and transfers it to the receiver; it must hold a send right from |host_get_atm_notification_port| before sending. So it doesn't need to take a reference to the port in copyin, as it drops the one that belongs to itself and the sum does not change.
Recently two of my good exploitable Safari bugs collided with others'. But I can't see any public analysis blog post about them. So were the bugs found by AAPL themselves?
I think you don't need to care which engine it is, because all the JS JIT compilers are similar; when you are very good at one of them, you will very easily move to another one.
If you report the bugs at one time, they will merge them and you only get one CVE. But if you report one case and wait for the patch release, and at that moment report another case, the result is that you will get two cases and two CVEs. 😓😓😓
I suggest the v8 devs consider refactoring part of the typer system. It seems hard to kill all typer bugs, and the system is very friendly for exploitation. I've thought about it and have some ideas. Welcome everyone to discuss.
@v8js
Lucky November.
Mobile Pwn2Own Safari
Chrome Bounty
Edge Bounty CVE-2017-11837
A little unlucky is that for CVE-2017-11873 I missed the bounty because I reported the case just a day late :(
These bugs are interesting and I will release the details (maybe in Chinese) after they are fixed. Why I chose these bugs: because almost all of them can be exploited for RCE and they cover different JIT ideas. I think they are helpful for finding JIT inspiration.
As we are wrapping up 2021, the Chrome VRP is pleased to announce the Top 20 Chrome VRP Researchers for this year. Congratulations and great work!
Thank you for your contributions and efforts over this past year in helping us make Chrome Browser and Chrome OS safe for all users!
It seems like the "necp_session_action" stuff was copied from our blog here: by @realBrightiup (And I think it is not wrong, it indeed can cause a panic)
Recently I came back to browsers and reported some bugs about Edge, and I will write some blogs about them after they are fixed. This is the first one (in Chinese):
If you feel this stuff is helpful for you, please RT or like.
@tihmstar I didn't look deeply into this way and found another exploit way (in my blog post); maybe you can try it. I think someone will write a better exploit way than the one I used.
New blog post series "JITSploitation" about a fun WebKit JIT bug and how it can be exploited on iOS despite StructureID randomization, the Gigacage, and PAC+APRR!
Maybe you can try adding a big "try catch" around all the |exploit.js| code; I think this may resolve your problem (you can use a loop to push stuff), as try catch will disable the global JIT.
I have reported a case of Edge to MSRC which can be reproduced on the latest ChakraCore code (2018-07-04 on GitHub) and the latest WIP Edge version. And MSRC said this is a duplicate of a CVE which was fixed two months ago.
What do you think?
ChakraCore has many optimization measures to eliminate the BoundsCheck. But with the introduction of protection against Spectre:
The measures no longer make sense, because the protection lowers to more native code and it only has few optimizations, even for loop hoisting.