Mickey Jin
@patch1t
Followers
3,570
Following
218
Media
34
Statuses
206
Exploring the world with my sword of debugger : )
Joined August 2013
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Israel
• 5140747 Tweets
Iran
• 3317130 Tweets
Vance
• 1339478 Tweets
Vance
• 1339478 Tweets
Vance
• 1339478 Tweets
The VP
• 259324 Tweets
Moderators
• 172132 Tweets
イスラエル
• 149739 Tweets
60 Minutes
• 91544 Tweets
Margaret
• 87928 Tweets
Minnesota
• 87863 Tweets
Tampon Tim
• 75295 Tweets
#WWENXT
• 71581 Tweets
Pence
• 64093 Tweets
Tiananmen Square
• 49556 Tweets
からくりサーカス
• 44572 Tweets
ケンタッキー
• 37467 Tweets
Megyn
• 28567 Tweets
Knucklehead
• 26371 Tweets
Go JD
• 21764 Tweets
Nora
• 20534 Tweets
#GandhiJayanti
• 20026 Tweets
महात्मा गांधी
• 19891 Tweets
Aces
• 19425 Tweets
Amber Thurman
• 19108 Tweets
Yale
• 18668 Tweets
Timmy
• 18316 Tweets
Giulia
• 16451 Tweets
Roxanne
• 16398 Tweets
ブリーダーズカップ
• 14852 Tweets
#マックのコーヒー記念カキコ
• 13431 Tweets
लाल बहादुर शास्त्री
• 13030 Tweets
Gago
• 12683 Tweets
Obamacare
• 11416 Tweets
ネットオーダー
• 10779 Tweets
I disclosed 10+ critical SIP-Bypass Vulnerabilities, and Apple had addressed 8 of them as:
CVE-2022-22646
CVE-2022-22583
CVE-2022-26688
CVE-2022-22676
CVE-2022-22617
CVE-2022-26690
CVE-2022-26712
CVE-2022-26727
4 CVEs were assigned while not public yet, coming soon.
13
66
372
I just found iOS 14.8 not just patched two 0 days.
It also patched CVE-2021-1740 again silently.
5
97
294
[New Blog Post]
Simple way to bypass GateKeeper, hidden for years
Demo:
5
109
255
Today is my last working day at Trend Micro and I will be working as an independent researcher. 😎
18
1
253
New Blog Post:
PoC in One Line:
sudo /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove -X /tmp/crafted.db /Library/Application\ Support/com.apple.TCC/TCC.db
7
66
241
[ New Blog Post ]
Get a Root Shell on Monterey
POC:
Demo:
2
56
200
[New Blog Post]
My analysis for the
#pegasus
0-click vulnerability.
All is just based on a screenshot from Citizen Lab, but I got the root cause and other conclusions :
2
76
190
New blog post here:
CVE-2022-32902: Patch One Issue and Introduce Two
4
42
131
AppleAVDUserClient::_decodeFrameFig
CAVDAvcDecoder::VADecodeFrame
AVC_RBSP::parseSPS
AVC_RBSP::parseVUI
AVC_RBSP::parseHRD <---
2
17
108
Thanks, my slides is uploaded here:
Demo:
Pretty excited for this talk by
@patch1t
about a one-click macOS takeover, starting out mentioning P0’s iMessage exploit and NSO’s Pegasus spyware.
#HITB2022SIN
1
11
39
1
29
102
It is funny to see
#Apple
patching one
#Vulnerability
Again and Again.
Writeup later, stay tuned ~
I just found iOS 14.8 not just patched two 0 days.
It also patched CVE-2021-1740 again silently.
5
97
294
3
21
92
Simple POC for CVE-2021-30724 :
And here is the details :
6
36
94
macOS Sonoma patched about 10 reports of mine. But only 2 CVEs are published.
4 of them are newly introduced vulnerabilities in macOS 14 beta version. The weird thing is that Apple removed the CVE entries that they assigned before and put them in Additional Recognitions. 😳😳
11
10
94
Really excited that this topic was accepted by
#OBTS
v6.0!
@objective_see
However, it is now too difficult for a Chinese researcher to apply for a Schengen visa. 😭😭
8
3
71
Thanks
@andyrozen
and
@patrickwardle
It’s my first time to join the
#OBTS
and travel in EU. I really enjoy it.
I wrote a blog post for my talk on my flight to Barcelona:
Hope you like it
3
14
70
My first batch of SIP-Bypass vulnerabilities will be public at
#POC2022
tomorrow, and my blog drafts are ready now, stay tuned 😉
3
8
59
Sorry for the delay, here it comes:
2
11
52
My slides is uploaded, enjoy : )
Summary in Chinese:
Join Mickey Jin (
@patch1t
), Trend Micro's Malware Analyst & Vulnerability Hunter, as he presents his tool called IDA2Obj in this year's
#HITB2021SIN
. Learn more about this tool and how it's designed mainly for Static Binary Instrumentation.
REGISTER HERE:
0
11
10
0
6
47
I just wrote a simple IDAPython to make symbolizations using the bindiff results. And I managed to symbolize the latest M1 kernel (t8101), whose symbol file wasn't contained in the KDK. 🤣🤣🤣
1
9
46
CVE-2021-30798: TCC Bypass Again, Inspired By XCSSET
@theevilbit
@_r3ggi
Hope it is useful for you, and I am looking forward to your BH USA talk next month.
0
6
41
Just share a piece of code, if you don't know how to boot the M1 VM into recoveryOS and disable SIP.
Enjoy :D
0
7
37
I am busy with Chinese New Year, not have too much time for writing now. Maybe I can publish my exploitation code along with my writeup after the Spring Festival.
Just sharing an exploitation demo from my vuln report to Apple:
Apple shared the credit for CVE-2022-22583 between
@patch1t
and myself.
My exploit is a SIP bypass, using Apple-signed packages (similar to "shrootless" by
@yo_yo_yo_jbo
) and mounting (inspired by
@theevilbit
research), so thanks for both
Writeup is coming soon.
4
6
34
0
4
31
It's my first time to participate in the plugin contest. Still very excited,although not win the prize from
@HexRaysSA
Now it's time to open source:
I will take actions as
@IgorSkochinsky
suggested, and give another demo at
#BHEU
#Arsenal
@BlackHatEvents
0
7
32
I really enjoy debugging everything inside the IDA Pro, because it is awesome and powerful.
But I want to use the lldb command, like "po object" when debugging the objc program. Why don't you support lldb ?
@HexRaysSA
So I just wrote a simple script:
0
6
31
Never expected my name to be listed on the TOP 100.
Because I mainly focus on Apple Products Security. I submitted only one report to MSRC. 😂
Congratulations to all the researchers recognized in this quarter’s MSRC 2022 Q2 Security Researcher Leaderboard! For more information, check out our blog post:
#cybersecurity
#securityresearch
#msrc
3
5
43
2
0
31
Got the answer from Apple:
“CVEs are only assigned to software vulnerabilities previously released to production and not to vulnerabilities for beta-only software.”
macOS Sonoma patched about 10 reports of mine. But only 2 CVEs are published.
4 of them are newly introduced vulnerabilities in macOS 14 beta version. The weird thing is that Apple removed the CVE entries that they assigned before and put them in Additional Recognitions. 😳😳
11
10
94
4
3
31
Why are they so critical? Because I found a new way to get arbitrary kernel code execution on macOS Monterey, with the SIP-Bypass primitive I got. 😎
1
2
28
#HITB2022SIN
Hope I can see you in Singapore :)
2
5
26
I reported 6 vulnerabilities in WeChat, while No CVE Assigned 👀👀
With the publication of some
#Tencent
#WeChat
advisories and plenty of
#Bentley
bugs, we've officially eclipsed the total number of published advisories from last year, making this our busiest year ever.
#MoreToCome
0
4
36
1
4
24
#HITB2021SIN
Thinking from a different angle, I come up with a new idea to implement Static Binary Instrumentation.
It could be cross-platform in theory, but I just made it come true for 64-bit PE binaries.
Stay tuned ~
0
9
21
@alkalinesec
hahaha! 12 CVEs + 2 Additional recognitions in macOS 13.3. Actually, there are still a few of my reports addressed in this release without the CVE being published yet.
4
1
14
Report this bug along with my root cause analysis to
@HexRaysSA
3 days later, they sent me a new debug server, and it works now. Super quick response, isn't it ?
2
1
11
I reported the issue to
@thezdi
on July 29, 2020 (case id: ZDI-CAN-11654), because it was actively exploited by
#XCSSET
malware. Time flies... 😂😂😂
macOS security advisories for 11.3 was updated 9 months later.
@theevilbit
@_r3ggi
was this the ability to SSH to localhost to access all files?
1
0
4
2
2
6
Yeah, I think this CVE is assigned to me.
Maybe I will post the details for it, and another C++ object on the stack Use-After-Free issue for IDA Pro.
CVE-2021-22545 An attacker can craft a specific IdaPro *.i64 file that will cause the BinDiff plugin to load an invalid memory offset. This can allow the attacker to control the instruction pointer and execute arbitrary code. It is recommended to upgrad...
4
74
255
0
0
5
I just post the details for the CVE here:
CVE-2021-22545 An attacker can craft a specific IdaPro *.i64 file that will cause the BinDiff plugin to load an invalid memory offset. This can allow the attacker to control the instruction pointer and execute arbitrary code. It is recommended to upgrad...
4
74
255
0
0
6
Thanks for the explanation from Citizen Lab
@billmarczak
It confused me for a long time 😂
We still don't know how the pegasus spyware bypass those security features.
1
0
3
[Update for XCSSET]
Steal your account login files, such as , ...
And it also steals your notes. So don't put anything important into the Apple , all are belong to the XCSSET now.
0
1
4
@theevilbit
@_r3ggi
Haha, great minds think alike 🤣
I know that "configd" is a TCC-Bypass. I don't know "AMFI" is mapped to which case I reported. I often have similar confusions when Apple published its security bulletins.
1
0
4
1
0
4
@theevilbit
@0xmachos
It seems that this topic got rejected by BH USA, I will try to share it at other conferences. Maybe BH EU ? God bless it will be accepted then.🤣🤣🤣
2
0
4
@jbradley89
@malwarezoo
Coincidently, we found the same issue from different angles. Pretty cool :D
1
0
4
0
0
3
@sickcodes
@defcon
Yes, no feedback. I think they just want to make sure there are no new 0 days in the slides.
0
0
3
@HexRaysSA
Got it, thanks for your answer.
Yes, the script API "dbg_appcall" is very powerful. 😎
0
0
1
@_saagarjha
@HexRaysSA
The debug server was trying to scan the memory region to find the dyld like this:
0
0
2
@theevilbit
@gergely_kalman
But the truth is not. I don’t know why. Maybe the budget for ASB is tight now.
1
0
3
@theJoshMeister
@ProteasWang
Yes for Big Sur, No for Catalina (AppleAVD.kext only works on M1 Mac)
0
0
3
@TimGMichaud
@Peterpan980927
@_r3ggi
Maybe Apple thinks it is not too elegant to publish them all at once 🤣🤣🤣
(they have already disclosed 112 CVEs in this release!
0
0
3
@patrickwardle
@objective_see
Using VT Query with filter:
metadata:"x86 64-bit, ARM 64-bit" tag:signed positives:2+
I got only 7 samples matched:
0
0
0
@georgexploit
@thezdi
Mainly focus on Apple now, but no just Apple. Memory corruption issues before, now I pay more effort on logical vulnerabilities.
0
0
2
@billmarczak
I have pointed out the possibility in my writeup that the crash log was modified before taking screenshot. But I just want to remind everyone of the bad possibility (ASLR disabled). Fortunately, it is not.
0
0
2
Exploitation Demo:
0
2
1
@dedbeddedbed
Sure, I am going to disclose this bug in a few weeks. You can also send me a DM, of course.
1
0
2
@theevilbit
Looking forward to running with you one day in the future, I enjoy long-distance running too :D
1
0
2
My solution is simple :
Create shortcuts for ida(64).exe, and copy them to the folder:
C:\Users\yourname\AppData\Roaming\Microsoft\Windows\SendTo
Every time right click the binary to analyze, click "Send to", and try 64-bit IDA shortcut first.
Ever wishes opening stuff in IDA wasn't a guesswork of whether you need ida.exe or ida64.exe? You no longer have to:
5
63
229
0
0
0
Last year, I managed to dlopen the xnu kernel in usermode too, and did similar things as the post did.
My fuzzer for the iOS kernel networking stack is now open source! You can read the implementation details here:
12
324
1K
0
0
2
@0xshlomi
@ronhass7
@yo_yo_yo_jbo
@theevilbit
Nice writeup, and I am giving up the idea for my writeup :D
But it seems that I used a better trick than the "mount" trick, and that makes me win the race immediately just in one shot.✌️
1
0
2
@theevilbit
@BlackHatEvents
Congrats! I wonder whether the TCC Bypass in the talk is this one (CVE-2021-30972)
🍎🪳CVE-2021-30972: Looks like many people think alike :)
Finding shared by
@another1024
@R3dF09
@yuebinsun2020
@_r3ggi
@patch1t
and myself.
The big question: who knows what particular vulnerability is this? :)
4
4
25
1
0
1
@theevilbit
@Viss
@another1024
@R3dF09
@yuebinsun2020
@_r3ggi
@patrickwardle
@xorrior
Me too, I am trying to find out which one of my reports is matched with the issue...
0
0
1
@yo_yo_yo_jbo
Yes, it's kind of like a phishing attack. The malicious Installer app is asking for your admin credentials! But it is launched automatically by installing a legal software package, and its UI is completely the same as the system one.
So the attack is easy:
2
0
1
@0xmachos
@theJoshMeister
@ProteasWang
Yes, on an Intel mac, the kext binary is just an arm64e macho, so it couldn't be loaded.
0
0
1
@yo_yo_yo_jbo
At the present time, the majority of the configuration agents (or bundles) hosted by configd are from trusted location /System/Library/SystemConfiguration/, it disallows to load self-signed bundle now.
1
0
1
@AnthonyJGRCETTN
All the SIP-Bypass vulnerabilities here are logical issues, no memory corruption. So they are very easy to exploit without the R/W primitive you said.
1
0
1