Adam Donenfeld
@doadam
Followers
11K
Following
4K
Media
47
Statuses
2K
iOS security, politics, tech and traveling.
Joined January 2011
1/N Apple has finally acknowledged my kernel heap overflow and fixed it on 11.2.5 (CVE-2018-4109). While I didn't write an exploit, it's one of the most hidden vulnerabilities I've ever found, and it took me a couple of days to trigger it once I found it!.
25
88
362
iOS 10.3.3 is no longer signed. If you were smart you are on 10.3.1. if you're on 11 good luck waiting till somewhen in 2018.
111
86
312
If someone wants to take the hassle of wrapping it into a jailbreak I’d be happy to help. (2/2).
61
85
298
Some people asked about donations, Thanks! but I'm employed. Go donate to your favorite charity organization :).
34
31
289
I never said anything about jailbreak. I'm releasing an exploit (source code + instructions). (1/2).
40
79
266
Apple bug submissions are also public now, and like I said in the presentation, some of them might still be working on 10.3.2 🙂.
47
67
243
Well, that should help get you started on the latest ones:.iCrypto -f iBoot.d11.RELEASE.im4p -k 53c616cddb7c0ca65b216643d2c35f3a0b5223de14e82af376ee440973d1148e0fc4a46595b88292ee0c4adee3587298 -o iBoot.d11.RELEASE.4513.230.10.
@doadam Sure ! .I can do it if you provide me a bootchain exploit.
15
44
236
I'm not sure if a coincidence or not, but on iOS 10.3.1, my sysctl trick to bypass SMAP was "challenged". Apple switched the order of l1dcache and l1icache. so now the whole exploit is a little bit more messed up. Anyway. ZiVA runs on 10.3.1 :).
34
52
233
This would mean a jailbreak from iPhone 4S till iPhone 8/X for every version forever.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
3
28
194
I must say, this is one of the only few times I feel like my work is actually reviewed based on its content and not based on the amount of money the company I represent pay :).
6
73
191
Would a "new mitigations introduced in iOS 13" presentation be something that people are interested in?.
19
9
170
CVE-2018-4109: Overwriting kernel memory with a few video packets | Zimperium Mobile Security Blog
3
54
143
It will be released during conferences’ season in the summer. You may want to save SHSH blobs :).#ZIMPERIUM #HITBGSEC (2/2).
35
58
134
While iOS 14 introduced a lot of mitigations, it seems like iOS 14.2 is very "recent exploits" oriented (rather than general mitigations like sandboxing, heap isolation, etc). Lots of exciting features! My only question is how come we've had to wait for so long to see this.
5
17
135
3/N if it makes it better in any case, this is accessible from the sandbox (so theoretically if someone plans to write an exploit, @Morpheus______'s jailbreak framework can be used with that).
10
29
126
Woho!!! Looking forward to see you there!.The exploit will be public by then 📱🔓
18
40
114
So in 2017 I managed, among dozens of other things, to switch to a new company, start working on iOS, getting a EU passport and in a 20 days notice emigrate to Europe. It has been the best year of my life, but 2018 is going to be even better!! 🎉🎊🎆.
12
3
114
I usually don't play CTFs but this year #35C3CTF gives so many "real life" challenges and I think that's how CTFs should be done. Kudos to @EatSleepPwnRpt! Best CTF I've seen so far.
4
12
112
Apple finally credited me CVE-2018-4282 I reported back then in May! I'll get a blog post up hopefully this week.
5
10
104
2/N Is there any conference that would be interested in a detailed explanation + review of some tools I wrote to aid in that research?.
9
10
99
@s1guza @Morpheus______ omg u got krnl exploit fr 11.1.2??? WEN ETA PL0X???????????????????.
6
12
100
Here's a video of an unusual behavior I captured on my device Thursday last week. Note the number of "Signal Connection" (=verified) contacts I have never seen before, along with two VoIP call attempts.
10
27
102
iOS 14.5 seems to sign ISA pointers, which is indeed a blow for 0clicks and sandbox escapes. But where there's a will 👀.
2
7
105
@loganpunkt Just landed in Singapore so was a little bit limited with connectivity. I think, if nothing pops up, tomorrow.
5
19
98
TIL: You can reboot the iPhone X using "idevicediagnostics restart" instead of throwing it against the wall.
4
16
97
How symbolic. a year ago I was a speaker at #HITBGSEC, giving a presentation about an Android exploit. Saw then @Morpheus______' iOS preso. .
5
16
94
If people are so obsessed with 1day root exploits, why not just bindiff code mentioned in the security advisory, find the bugs&exploit them?.
17
10
92
The last iOS major update was almost 3 months ago! Since the release of iOS 14, it was usually a month for each major version. Tons of security patches including new mitigations are on 14.5, probably the vastest major update in regards to security since I got into iOS research.
5
18
85
Just been to Singapore and foo() fighters concert. amazing city like always - hope to be there again next year!.
16
7
86
@Morpheus______ started learning. One year later, I'm here again for iOS. Thank you!! His book was definitely a great way to start iOS pwning.
6
10
83
Attending #HITBGSEC? Please vote for our talk! we promise some fun iOS 0days ;).@HITBGSEC @ZIMPERIUM.
3
33
69
So one of my guesses about Apple trying to sue @CorelliumHQ is that their new research devices gonna suck and therefore everyone will try getting a corellium license instead. I still have no idea why somebody would beg for a device from Apple when fused ones are still easy to get.
4
7
74
My presentation was accepted! If you come let me know :)
The final batch of #BHEU Briefings has been announced! See the latest research selected for presentation in London
5
6
74
IMO, iOS kernel exploitation was recently the easiest platform out there. With great spraying, vtables in the kernel and simple memory allocator I couldn't ask for more. PAC makes it however more complicated than any other platform nowadays (or at least until Android gets it).
1
11
69
so iPhone 12's design is just iPhone 4 but with an extra camera.
11
5
70
One of the most prominent XNU source releases in recent times, with "tagged address" hinting, amfi.h and more:.
4
13
74
@Morpheus______ And was super impressed. I decided to start doing iOS thanks to his presentation back then. Read his book on the flight back and. .
3
8
72
Recommendation for a Dutch language course within Amsterdam? (unless you ask for a JB in Dutch, you're blocked on this twit).
21
4
64
@tihmstar If you really wanna take it far, you can always generate an IPA from your website and ask for a device UDID/other identifier, which will be used in the generated IPA so it will only work on a specific device. That's harsh, but nobody will mirror you this way.
6
1
62
At least for now, it seems like the new A14 doesn't have the memory tagging extension for the kernel.
2
11
65
WhatsApp has (present tense) bugs in it, surprise. If you care more about IM security, I would download Signal (despite the existence of exploitable bugs in it as well) or something that doesn't become ads on Facebook later on.
3
7
63
Spotted this on a flight back from Iceland, the Fagradalsfjall volcano (not a typo, I think)
2
3
63
Our house committee lost the certificate for the key in the main entrance. My flatmate Messi connected Arduino to the intercom and now we can remotely open up the door! I'm offering a 0$ bug bounty for the first guy who can open the building's door remotely ;)
2
6
59
First time I experience snow while not in a vacation. It was super fun in the first 2 minutes.
10
4
56
Long live the European Union
We will continue to protect #NetNeutrality in Europe, ensuring that all traffic is treated equally:.→ Every European must be able to have access to the #openinternet .→ No blocking or discrimination of online content, applications and services.
5
8
56
Suddenly saw that in D��sseldorf main station. Secret hiring advertisement by Bundesnachrichtendienst?? 😜
3
5
54
@SparkZheng It has a CVE, just can't share exploit information before my #HITBGSEC's talk. less than 24 hours :).
7
8
56
@toniqyteza @MirzaNabeelACCA @oleschult @Jesse_FTW I'm waiting for the final approval of the blog post then I want to release it. Singapore time is just very harsh when contacting SF.
10
9
55
That moment when you're in Mexico and your credit card pwned the ATM ._.
7
0
53
@benhawkes I think people underestimate the amount of bugs Apple fix which are actively exploited in the wild. These are not the first ones and most certainly not the last ones.
1
7
57
So are we gonna have 13.1 as soon as the new iPhone is out? lol.
5
1
52
Seems like iOS 17 beta 1 puts crash dumps in /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/ instead of the usual /private/var/mobile/Library/Logs/CrashReporter/. As a result, afcd -r won't completely delete the logs after they're.
0
8
55
4
4
54
I'm not affiliated, but that's the only guy who writes tools that manage to work for more than a month without getting insanely unstable.
If you know and like my other free tools - then you totally need to know this one. Not free this time, but indubitably my finest creation yet. Took a *VERY* long time to get this tool be totally rock solid, dynamically object aware, and just plain awesome.
1
1
46
Also by far the most comprehensive security update ever released on iPhone.
iOS 14 is a massive update for privacy:.- limited photo library.- approximate location access.- clipboard access warning.- LAN access permission.- camera indicator.- Safari tracker report.- app data use info & tracking prompt.- encrypted DNS.- random MAC address. I love it ❤️.
1
5
46
Isn't it that time of the year where Apple accidentally releases a symbolicated kernelcache?.
2
4
49
It's like every new XNU release out there, Apple add new stages where compilation fails. (libdispatch, src/shims/atomic.h -> internal/atomic.h, if anyone had the same problem).
2
4
43
When I get home I'll release a PoC source code. According to rumors if your video is cool enough AppleD5500 will still be generous in terms of exploitation 🙄.
0
3
42
Most iOS/Android updates bring pretty much nothing interesting to the table. But I must say, as a frequent traveler, Sidecar is the best feature I've yet to see in the last couple of years. Having 2 monitors while traveling? Apple really nailed it this time.
4
5
45
I predict some cool bugs in that prediction language implementation.
0
11
44
After playing with digital currency for the last couple of weeks, I understand why people get addicted to Casinos.
7
2
46
Or in other words: if you wanna see how you can attack the kernel solely with a video from within the sandbox, you should come.
3
4
43
Good read as always, and also highlights how the recent XNU mitigations greatly required stepping up the game. Such vulns were a 1 week project or less up until 1-2 years ago.
XNU kernel use-after-free in mach_msg
2
8
46
Not the first time someone I've never talked or reacted to from infosec is blocking me. And although I've never pressed follow, ngl - it was amusing watching this bullshit (especially the videos).
5
6
43
Don't fall in love with bugs because they'll break your heart.
If you use 0days and they get burnt, that's the circle of life. Don't whine about it, whether you're a blackhat or government "counterterrorism" operation.
1
6
43
Downgrading an iPhone has progressively become such a pain in the ass. It's like I can't even downgrade normally anymore, and the errors are less and less indicative. Is this a new mitigation?.
3
2
41
For all the fellows coming to PoC and wanna learn Korean during the early morning while Jetlag hits you:.
2
3
36
See you all in BeVX!
Announcing our second talk at our conference, Adam Donenfeld / @doadam on "Viewer discretion is advised: (De)coding an iOS vulnerability" -
1
7
39
Seems like Apple is either replacing or enhancing PPL with a new mitigation called SPTM.
3
1
41