Zhuowei Zhang
Jan 14 · 6 tweets · 3 min read
Ian Beer released his proof-of-concept for CVE-2022-46689 (MacDirtyCow):
bugs.chromium.org/p/project-zero…
His exploit accomplishes two things I didn't know were possible:
- writing the last byte in a 16k page
- taking over system daemons
Both of Ian Beer's solutions were clever:
- The bug only happens when the read/write addresses are unaligned.
I can't move the write address to the last byte because it would become aligned.
Ian Beer's solution: never move the write address; move the READ address instead
- Code signing prevents overwriting an executable's code
Ian Beer's solution: overwrite an executable's LINKEDIT data instead
This is why Ian Beer is a master (大神) and I'm a script kiddie: he not only found the bug but built novel ways to exploit it; I couldn't even adapt existing code.
Ian's code should make MacDirtyCow apps more powerful. They're no longer restricted to writing at most 16KB: they can write whatever they want, without special padding tricks.
Unfortunately, Ian Beer's proof-of-concept doesn't do kernel read/write, so I doubt this would lead to a full jailbreak.
Ian Beer is trying to exploit "amfid or trustd", which may give apps more power but probably no tweaks, like TrollStore or Ian Beer's previous triple_fetch.
For the other variant (bugs.chromium.org/p/project-zero…):
- someone copies memory
- you change memory
- their copy magically changes too
@Muirey03 notes (infosec.exchange/@Muirey03/1096…) that in theory this can exploit the kernel (keenlab.tencent.com/en/2017/01/09/…). In practice I doubt you can win two race conditions.
More from @zhuowei

Dec 26, 2022
Made an app that overwrites the iOS system font using CVE-2022-46689.
github.com/zhuowei/WDBFon…
It works on iOS 16.1.2 and below on unjailbroken devices.
Four fonts are included: DejaVu Sans Condensed, Serif, Mono, and Choco Cooky (because Samsung). Four screenshots of the iOS...
Replacing the system font temporarily with CVE-2022-46689 should be safe: all changes are reverted after a reboot. Still, back up your device before using.
(And this only affects some text in iOS - the rest use different fonts, and I'm only replacing SFUI.ttf)
I added more fonts to my app that overwrites the iOS system font using CVE-2022-46689 on unjailbroken iOS 16.1.2 and below.
github.com/zhuowei/WDBFon…
Go Regular, Go Mono, Segoe UI, and Comic Sans MS. Screenshots of iOS's: Music...
Dec 11, 2022
Transcript:
Flynn (labelled as "Implementation detail"): [takes a look at the satchel of Private API when suddenly...]
Rapunzel: [knocks Flynn out with the frying pan of Terrible hack]
--
Rapunzel: [drags Flynn (Implementation Detail) to the cabinet of Public API]
[tries to push Flynn into the cabinet: fails]
[tries to swing Flynn into the cabinet with her hair of Dependency Injection: the hair gets stuck]
[thinks]
[shoves Flynn into the cabinet and closes it: Rapunzel turns around; the cabinet suddenly opens and Flynn falls on top of her]
Aug 3, 2022
Simulating an overhead projector in VR:
You, an Intellectual: computes a projection of the 2D plane on arbitrary 3D polygons using vector math
Me: render lightmap from projector's PoV, texture target with lightmap
Experienced dev: only support projecting on flat (virtual) walls
Actual metaverse: ... don't let people show PowerPoints with a projector: just put a virtual 100-inch flat screen TV in the virtual conference room
I had an AR idea that required projecting virtual images onto walls last year.
I didn't look into it since ARKit didn't scan walls very well.
iOS 16 just added the RoomPlan API that perfectly scans a room, so now I have no excuse to avoid learning math...
Aug 2, 2022
Transcript:
Rainbow Dash: I'm not burnt out! (blows on burning thing)
Sunset: Let me see your calendar. These are unused PTO days!
Twilight: Hurry! This code moved too fast and broke all our things!
Sunset: Take a day off. Just trust me!
Rainbow Dash: OK. (Sunset shoves her into a pool of Time Off)
Twilight: but the build!
Sunset: Close your laptop. Log out of chat! (grabs Twilight and both fall into the pool of Time Off)
(darkness)
Sunset: (lights horn)
Everybody: (is now ponies)
Twilight: AAAAAAAAAAA!
(later)
Twilight: (looks at self in pond) AAAA!
Jul 26, 2022
Transcript:
Rainbow Dash: Meta's Q2 earnings... are down!
[$META collapses]
Applejack: [lets go of Hiring Plans] Pivot to VR!
Twilight: Are you crazy?
Applejack: I'm Web3! What's our biggest challenge?
Twilight: iOS and TikTok?
Applejack: It's people who shouldn't be here.
So prioritize ruthlessly and turn up the heat!
Twilight: [lets go, falls]
[... but is caught by Instagram Reels and Quest 2 Price Hike]
[... who also plummet]

----
I reserve the right to delete this tweet if Facebook performs above expectations tomorrow.
Jul 23, 2022
Learning Linus Henze's CVE-2022-26764 macOS 12.3.1 PPL bypass:
github.com/apple-oss-dist…
I hit this new panic on a patched macOS if I call pmap_enter_options_addr on a dyld shared region virtual address.
So I just need to slot this into Bazad's googleprojectzero.blogspot.com/2020/07/the-co… TLB bypass?
I'm wrong:
If I pmap_enter_options_addr with a shared cache addr, the mapping reverts to shared cache after ~2 seconds:
before remap 36000639f9000bf5
pmap_enter_options_addr returned 0
wrote 4141414141414141
again 4141414141414141
again 4141414141414141
again 36000639f9000bf5
I guess the shared cache's global TLB entry is not flushed on context switch, so after a few seconds I get the shared cache again instead of the mapped page.
However, pmap_remove_options does flush the TLB: github.com/apple-oss-dist…
After remove, access immediately gives SIGBUS