Skip to content

m0ck1ng/macOS-iOS-system-security

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

112 Commits
README.md
README.md
 
 

Repository files navigation

Here is some resources about macOS/iOS system security.

exploit writeup

https://blog.pangu.io/

https://starlabs.sg/advisories/

https://bugs.chromium.org/p/project-zero/issues/list

https://talosintelligence.com/vulnerability_reports#disclosed

CVE modules POC/writeup link
CVE-2015-???? Kernel https://github.com/kpwn/tpwn
http://nirvan.360.cn/blog/?p=469
CVE-2016-???? XPC https://marcograss.github.io/security/apple/xpc/2016/06/17/containermanagerd-xpc-array-oob.html
CVE-2016-1758&CVE-2016-1828 Kernel https://bazad.github.io/2016/05/mac-os-x-use-after-free/
CVE-2016-1824 IOHIDFamily https://marcograss.github.io/security/apple/cve/2016/05/16/cve-2016-1824-apple-iohidfamily-racecondition.html
CVE-2016-1825 IOHIDFamily https://bazad.github.io/2017/01/physmem-accessing-physical-memory-os-x/
CVE-2016-1865 Kernel https://marcograss.github.io/security/apple/cve/2016/07/18/cve-2016-1865-apple-nullpointers.html
CVE-2016-1722 syslogd https://blog.zimperium.com/analysis-of-ios-os-x-vulnerability-cve-2016-1722/
CVE-2016-1757 Kernel https://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html
http://turingh.github.io/2016/04/03/CVE-2016-1757%E7%AE%80%E5%8D%95%E5%88%86%E6%9E%90/
https://turingh.github.io/2016/04/19/CVE-2016-1757%E5%88%A9%E7%94%A8%E7%A8%8B%E5%BA%8F%E5%88%86%E6%9E%90/
CVE-2016-4633 Intel Graphics Driver https://marcograss.github.io/security/apple/cve/2016/07/21/cve-2016-4633-apple-graphics-another-osx-bug.html
CVE-2016-4673 CoreGraphics https://marcograss.github.io/security/apple/cve/macos/ios/2016/11/21/cve-2016-4673-apple-coregraphics.html
CVE-2016-7595 CoreText https://security.tencent.com/index.php/blog/msg/111
CVE-2017-13861 IOSurface https://siguza.github.io/v0rtex/
https://paper.seebug.org/472/
CVE-2017-13868 Kernel https://bazad.github.io/2018/03/a-fun-xnu-infoleak/
CVE-2018-4124 CoreText https://blog.zecops.com/vulnerabilities/analyzing-the-ios-telugu-crash-part-i/
CVE-2018-4184 sandbox https://ubrigens.com/posts/linking_a_microphone.html
CVE-2018-4185 Kernel https://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/
CVE-2018-4229&CVE-2020-3854 sandbox https://ubrigens.com/posts/sandbox_initialisation_bypasses.html
CVE-2018-4248 libxpc https://bazad.github.io/2018/07/xpc-string-leak/
CVE-2018-4280 libxpc https://github.com/bazad/blanket
CVE-2018-4331&CVE-2018-4332&CVE-2018-4343 Heimdal https://bazad.github.io/2018/11/introduction-userspace-race-conditions-ios/
CVE-2018-4346 Dictionary https://www.securing.pl/en/secure-implementation-of-webview-in-ios-applications/
CVE-2018-4407 kernel https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407
CVE-2018-4415 CoreAnimation https://ssd-disclosure.com/ssd-advisory-ios-macos-safari-sandbox-escape-via-quartzcore-heap-overflow/
CVE-2018-4431 Kernel https://ssd-disclosure.com/ssd-advisory-ios-macos-kernel-task_inspect-information-leak/
CVE-2019-6225 Kernel https://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202.html
https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html
https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html
http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-1-prologue/
http://highaltitudehacks.com/2020/06/01/from-zero-to-tfp0-part-2-a-walkthrough-of-the-voucher-swap-exploit/
CVE-2019-6231 CoreAnimation https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231
CVE-2019-8507 CoreAnimation https://www.fortinet.com/blog/threat-research/detailed-analysis-mac-os-vulnerability-cve-2019-8507
CVE-2019-8549 Power Management https://ssd-disclosure.com/ssd-advisory-ios-powerd-uninitialized-mach-message-reply-to-sandbox-escape-and-privilege-escalation/
CVE-2019-8561 PackageKit https://0xmachos.com/2021-04-30-CVE-2019-8561-PoC//
CVE-2019-8605 Kernel https://googleprojectzero.blogspot.com/2019/12/sockpuppet-walkthrough-of-kernel.html
https://github.com/jakeajames/sock_port
http://blog.asm.im/2019/11/17/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%80%EF%BC%89UAF-%E4%B8%8E-Heap-Spraying/
http://blog.asm.im/2019/11/24/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%BA%8C%EF%BC%89%E9%80%9A%E8%BF%87-Mach-OOL-Message-%E6%B3%84%E9%9C%B2-Port-Address/
http://blog.asm.im/2019/12/01/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E4%B8%89%EF%BC%89IOSurface-Heap-Spraying/
http://blog.asm.im/2019/12/08/Sock-Port-%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%EF%BC%88%E5%9B%9B%EF%BC%89The-tfp0/
CVE-2019-8635 AMD https://www.trendmicro.com/en_us/research/19/f/cve-2019-8635-double-free-vulnerability-in-apple-macos-lets-attackers-escalate-system-privileges-and-execute-arbitrary-code.html
CVE-2019-8761 UIFoundation https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
CVE-2019-8794&CVE-2019-8795&CVE-2019-8797 Kernel&AVEVideoEncoder&Audio https://ssd-disclosure.com/ssd-advisory-via-ios-jailbreak-sandbox-escape-and-kernel-r-w-leading-to-rce/
CVE-2020-3847&CVE-2020-3848 CoreBluetooth https://blogs.360.cn/post/macOS_Bluetoothd_0-click.html
CVE-2020-3852&CVE-2020-3864&CVE-2020-3865&CVE-2020-3885&CVE-2020-3887&CVE-2020-9784&CVE-2020-9787 safari&webkit https://www.ryanpickren.com/webcam-hacking
CVE-2020-3919 IOHIDFamily https://alexplaskett.github.io/CVE-2020-3919/
CVE-2020-9771 sandbox https://theevilbit.github.io/posts/cve_2020_9771/
https://theevilbit.github.io/posts/reversing_cve_2020_9771/
CVE-2020-9817 PackageKit https://research.nccgroup.com/2020/07/02/technical-advisory-macos-installer-local-root-privilege-escalation-cve-2020-9817/
CVE-2020-9854 Security https://a2nkf.github.io/unauthd_Logic_bugs_FTW/
CVE-2020-9934 CoreFoundation https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8
CVE-2020-9964 IOSurfaceAccelerator https://muirey03.blogspot.com/2020/09/cve-2020-9964-ios-infoleak.html
CVE-2020-9967 Kernel https://alexplaskett.github.io/CVE-2020-9967/
CVE-2020-9968 sandbox https://blog.xpnsec.com/we-need-to-talk-about-macl/
CVE-2020-9971 libxpc https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/
CVE-2020-9979 Assets https://blog.chichou.me/2020/08/06/x-site-escape-part-ii-look-up-a-shell-in-the-dictionary/
CVE-2020-9992 IDE Device Support https://blog.zimperium.com/c0ntextomy-lets-debug-together-cve-2020-9992/
CVE-2020-27897 Kernel https://www.zerodayinitiative.com/blog/2020/12/9/cve-2020-27897-apple-macos-kernel-oob-write-privilege-escalation-vulnerability
CVE-2020-27932 Kernel https://worthdoingbadly.com/specialreply/
CVE-2020-27935 XNU https://github.com/LIJI32/SnatchBox
CVE-2020-27949 Kernel https://github.com/seemoo-lab/dtrace-memaccess_cve-2020-27949
CVE-2020-27950 Kernel https://www.synacktiv.com/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html
CVE-2020-9900&CVE-2021-1786 Crash Reporter https://theevilbit.github.io/posts/macos_crashreporter/
CVE-2020-9905 Kernel https://blog.zecops.com/vulnerabilities/from-a-comment-to-a-cve-content-filter-strikes-again/
CVE-2020–9922 Mail https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c
CVE-2021-1740&CVE-2021-30855&CVE-2021-30995 Preferences https://jhftss.github.io/CVE-2021-1740-Invalid-Patch/
https://www.trendmicro.com/en_us/research/22/a/analyzing-an-old-bug-and-discovering-cve-2021-30995-.html
CVE-2021-1747 CoreAudio https://mp.weixin.qq.com/s/9dmQH4qIw95Gsx92wLSr6w
CVE-2021-1757 IOSkywalkFamily https://github.com/b1n4r1b01/n-days/tree/main/CVE-2021-1757
CVE-2021-1782 Kernel https://github.com/ModernPwner/cicuta_virosa
https://www.synacktiv.com/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782
CVE-2021-1815 Preferences https://www.offensive-security.com/offsec/macos-preferences-priv-escalation/
CVE-2021-30655 Wi-Fi https://wojciechregula.blog/post/press-5-keys-and-become-root-aka-cve-2021-30655/
CVE-2021-30657 System Preferences https://objective-see.com/blog/blog_0x64.html
CVE-2021-30659 CoreFoundation https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/
CVE-2021-30660 Kernel https://alexplaskett.github.io/CVE-2021-30660/
CVE-2021-30713 TCC https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
CVE-2021-30724 CVMS https://gist.github.com/jhftss/1bdb0f8340bfd56f7f645c080e094a8b https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
CVE-2021-30734&CVE-2021-30735 WebKit&Graphics Drivers https://github.com/ret2/Pwn2Own-2021-Safari
CVE-2021-30740&CVE-2021-30768&CVE-2021-30769&CVE-2021-30770&CVE-2021-30773 Kernel&dyld&Identity Service https://github.com/LinusHenze/Fugu14
CVE-2021-30798 TCC https://jhftss.github.io/CVE-2021-30798-TCC-Bypass-Again-Inspired-By-XCSSET/
CVE-2021-30807 IOMobileFrameBuffer https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
CVE-2021-30833 xar https://research.nccgroup.com/2021/10/28/technical-advisory-apple-xar-arbitrary-file-write-cve-2021-30833/
CVE-2021-30853 GateKeeper https://objective-see.com/blog/blog_0x6A.html
CVE-2021-30860 CoreGraphics https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
CVE-2021-30861&CVE-2021-30975 Script Editor&WebKit https://www.ryanpickren.com/safari-uxss
CVE-2021-30864 LaunchServices https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassing-app-sandbox-restrictions/
CVE-2021-30869 XNU https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/
CVE-2021-30883 IOMobileFrameBuffer https://saaramar.github.io/IOMFB_integer_overflow_poc/
CVE-2021-30892 zsh https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/
CVE-2021-30902 Voice Control https://blog.zecops.com/research/use-after-free-in-voice-control-cve-2021-30902/
CVE-2021-30955 Kernel https://www.cyberkl.com/cvelist/cvedetail/24
https://github.com/tihmstar/desc_race-fun_public
https://gist.github.com/jakeajames/37f72c58c775bfbdda3aa9575149a8aa
CVE-2021-30970 TCC https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
CVE-2021-30990 LaunchServices https://ronmasas.com/posts/bypass-macos-gatekeeper
CVE-2022-22582 xar https://research.nccgroup.com/2022/03/15/technical-advisory-apple-macos-xar-arbitrary-file-write-cve-2022-22582/
CVE-2022-22616 Safari Downloads https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/
CVE-2022-22639 SoftwareUpdate https://www.trendmicro.com/en_us/research/22/d/macos-suhelper-root-privilege-escalation-vulnerability-a-deep-di.html
CVE-2022-22660 System Preferences https://rambo.codes/posts/2022-03-15-how-a-macos-bug-could-have-allowed-for-a-serious-phishing-attack-against-users
CVE-2022-26696 Terminal https://wojciechregula.blog/post/macos-sandbox-escape-via-terminal/
CVE-2022-26706 LaunchServices https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/
CVE-2022-26712 PackageKit https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
CVE-2022-26743 Kernel https://pwning.systems/posts/easy-apple-kernel-bug/
CVE-2022-26766&CVE-2022-26763 CoreTrust&DriverKit https://worthdoingbadly.com/coretrust/
CVE-2022-32787 ICU https://ssd-disclosure.com/ssd-advisory-apple-safari-icu-out-of-bounds-write/
CVE-2022-32816 WebKit https://ssd-disclosure.com/ssd-advisory-apple-safari-idn-url-spoofing/
CVE-2022-32832 APFS https://github.com/Muirey03/CVE-2022-32832
CVE-2022-32883 Maps https://github.com/breakpointHQ/CVE-2022-32883
CVE-2022-32895 PackageKit https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html
CVE-2022-32910 Archive Utility https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/
CVE-2022-32929 Backup https://theevilbit.github.io/posts/cve-2022-32929/
CVE-2022-32845&CVE-2022-32899&CVE-2022-32948&CVE-2022-42805 Apple Neural Engine https://github.com/0x36/weightBufs
CVE-2022-32898 Apple Neural Engine https://0x36.github.io/CVE-2022-32898/
CVE-2022-32932 Apple Neural Engine https://0x36.github.io/CVE-2022-32932/
multiple lock screen bypass https://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html

tools

Just some little dev tools to probe IOKit:

https://github.com/Siguza/iokit-utils

Dyld Shared Cache Support for BinaryNinja:

https://github.com/cxnder/bn-dyldsharedcache

iOS/MacOS Kernelcache/Extensions analysis tool:

https://github.com/lilang-wu/p-joker

static analysis tool for analyzing the security of Apple kernel drivers:

https://github.com/alibaba-edu/Driver-Security-Analyzer

Coralsun is a small utility cython library used to provide python support for low level kernel features:

https://github.com/FSecureLABS/coralsun

fuzzers

public:

macOS 10.13 kernel fuzzer

https://github.com/FSecureLABS/OSXFuzz

binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

https://github.com/ant4g0nist/ManuFuzzer

automate the generation of syscall specifications for closed-source macOS drivers and facilitate interface-aware fuzzing

https://github.com/seclab-ucr/SyzGen_setup

binary code-coverage fuzzer for Windows and macOS

https://github.com/googleprojectzero/Jackalope

a fork of XNU that contains support for fuzzing the network stack in userland on macOS and Linux-based hosts

https://github.com/googleprojectzero/SockFuzzer

fuzzing OSX kernel vulnerability based on passive inline hook mechanism in kernel mode

https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX

patch honggfuzz to get coverage guided fuzzing of closed source libraries on macOS based on trap

https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz

patch honggfuzz to fuzz iOS library on M1 mac

https://github.com/googleprojectzero/p0tools/tree/master/iOSOnMac

patch that build WebKitGTK+ with ASAN and make some changes that make fuzzing easier

https://github.com/googleprojectzero/p0tools/tree/master/WebKitFuzz

private:

LLDBFuzzer Debug for Bug: Crack and Hack Apple Core by Itself

LynxFuzzer Improving Mac OS X Security Through Gray Box Fuzzing Technique

Port Syzkaller to Support macOS XNU Fuzzing Drill Apple Core: Up and Down - Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit

conference

conference link
blackhat asia 2021 Racing the Dark: A New TOCTTOU Story from Apple's Core
blackhat asia 2021 Apple Neural Engine Internal: From ML Algorithm to HW Registers
blackhat asia 2021 The Price of Compatibility: Defeating macOS Kernel Using Extended File Attributes
blackhat europe 2015 Attacking the XNU Kernel in El Capitan
blackhat usa 2021 20+ Ways to Bypass Your macOS Privacy Mechanisms
blackhat usa 2021 Everything has Changed in iOS 14,but Jailbreak is Eternal
blackhat usa 2021 Reverse Engineering the M1
blackhat usa 2021 Hack Different:Pwning iOS 14 With Generation Z Bugz
blackhat usa 2021 Wibbly Wobbly, Timey Wimey:What's Really Inside Apple's U1 Chip
CanSecWest 2016 Don't Trust Your Eye: Apple Graphics Is Compromised!
CanSecWest 2017 Port(al) to the iOS Core
CSS 2019 如何批量挖掘macOS/iOS内核信息泄漏漏洞
defcon26 Attacking the macOS Kernel Graphics Driver
defcon29 Caught you - reveal and exploit IPC logic bugs inside Apple
HITB AMS 2021 macOS local security:escaping the sandbox and bypassing TCC
HITB GSEC 2019 Recreating an iOS 0-day jailbreak out of Apple’s security patches
HITB SIN 2022 One-Click to Completely Take Over A macOS Device
mch2022 My journey to find vulnerabilities in macOS
Objective by the Sea https://objectivebythesea.com/
syscan360 2016 Memory corruption is for wusies!

About

Here is some resources about macOS/iOS system security.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published