I audited the Android kernel in late 2023 and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context.
github.com/0x36/Pixel_GPU…
I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don’t require you to open a UserClient:
0x36.github.io/CVE-2022-32898/
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double fetch issue that resulted in an interesting OOB write.
0x36.github.io/CVE-2022-32932/
My #POC2022 slides + the iOS kernel r/w exploit can be found here :)
github.com/0x36/weightBuf…
Thanks @POC_Crew for a fantastic conference and truly honored to have been part of it.
+16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT, ...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (it now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP
I've updated the oob_events exploit and it should work fine on A12+ devices (with a 60% success rate) and ~95% on devices with a lower RAM size, i.e. A10.
Tested on iPhone 11 and iPhone 7.
43K Followers, 1K Following. A drop of water pierces the stone not by force, but by repeated attempts. interested | iOS | MacOS | Linux | Windows | https://t.co/MTkC6OqnYu | The favorites summarize my account's content for you: