Muirey03

CVE-2025-43520 - DarkSword

1. cluster_read_ext and cluster_write_ext call cluster_io_type to determine what IO operation to perform
2. cluster_io_type calls vm_map_get_upl with UPL_QUERY_OBJECT_TYPE to query type of the vm_object that backs the user-supplied virtual address range
3. If this object is physically contiguous it returns IO_CONTIG, otherwise it returns IO_DIRECT or IO_COPY
4. If cluster_io_type returns IO_CONTIG, cluster_[read|write]_ext will call the "contig" variant, cluster_[read|write]_contig
5. cluster_[read|write]_contig then calls vm_map_get_upl a second time to get the UPL from the uio
6. It then grabs the first physical page from the UPL using upl_phys_page and performs a physical copy
7. This is a TOCTOU. An attacker can remap the virtual address range so that the region is no longer physically contiguous after the first call to vm_map_get_upl, causing an OOBR/OOBW to physmem

WHW0x455

Bypass PAC in JIT

The code snippets and conceptual analysis presented in this document are based on iOS 16.2.

The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.

• https://support.apple.com/en-us/120905
• https://github.com/WebKit/WebKit/commit/3e3d0883c84955472ece1b2f2e63f31522c5440d

hde-moff

#!/bin/sh
set -eu

# Mirror IP addresses for updates.cdn-apple.com
MIRRORS="
17.253.53.35
17.253.53.203
17.253.53.202
37.143.84.100
37.143.84.113

WHW0x455

2023 predator sample

Thanks to Google for sharing the sample.

VersionDispatcher

The int uname(struct utsname *); function retrieves the current device information, containing info such as iPhone13,2\x00 to identify the device model.

VersionDispatcher::OffsetsVersionByDeviceInit

justtryingthingsout

[
    {
        "name": "DSPSR",
        "enc": [3, 3, 4, 5, 0],
        "minel": 0,
        "width": 32,
        "fields": [
            {
                "name": "N",
                "lsb": 31,

justtryingthingsout

[
    {
        "name": "DSPSR",
        "enc": [3, 3, 4, 5, 0],
        "minel": 0,
        "width": 32,
        "fields": [
            {
                "name": "N",

wh1te4ever

//
//  ViewController.m
//  JBDetectTest
//
//  Created by seo on 3/27/25.
//

#import "ViewController.h"
#import <dlfcn.h>

JJTech0130

#import <Foundation/Foundation.h>
#import <mach/mach.h>
#import <stdio.h>
#import <stdlib.h>
#import <string.h>
#include <libkern/OSCacheControl.h>

const int REGION_SIZE = 0x4000*1;

void write_instructions(void* page)

justtryingthingsout

The `chkdatecc` field was set during Operation Triangulation.

0x206140008:
b[63]:	rsvd_63			Reserved
b[62]:	cfgerren		Enable error register locking and asynchronous reporting when CfgErrESV is set.

b[61]:	chksnphit 		Deprecated
				(If set, check that snoops hit in L2C tag, and if they miss, log an error.
				If clear, trust the way info from AF and do not read the tags for snoops.)

justtryingthingsout

The `ready` and `enablesize` fields were set during Operation Triangulation.

0x206140108:
b[63]:	  ready		RAM available for use
b[62:30]: rsvd_62_30	Reserved
b[29:24]: regionbase	Base region within LLC (starting way).
			Base address does not change.
			(EnableSize+RegionBase) must be less than or equal to (RegionNum+1) and
			EnableSize must be less than or equal to RegionNum.
b[23:22]: rsvd_23_22	Reserved