iMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.
a2b5e05c79091ab5459b0ba4514324d3
iMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at an attacker-controlled address.
44b9493651f02f67170dee4980389e1a
JSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.
6a4caa0c9a9e7558705c23bf516ebff4
JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.
63f1952a7a692ab451a162d31ee902ed
V8 map migration does not respect element kind, leading to a type confusion vulnerability.
f6ab8a5e41409debf546a94e0e445037
This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator, an SMS simulator for iPhone; iMessage, tools for sending and dumping iMessage messages; and imapiness, a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.
2e9ddb1606e5ec0f3068837fa5919c6c
NSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.
70ef6bfcfed7ece0d7495dba139227e2
JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.
1ab75d03880956f7d5252f34b059120a
JavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.
f7edad8829fb8a634c008e209dbf7127
In SpiderMonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.
79fc5823bfa08cae2fcfd2ee4bbcd32c
SpiderMonkey IonMonkey incorrectly predicts the return type of Array.prototype.pop, leading to type confusion vulnerabilities.
b9cfb835c09f9ff2359a0ac43fb9d908
This Metasploit module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake JavaScript objects, as well as the ability to find the address in memory of a JavaScript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from JavaScript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage Mach-O (containing CVE-2017-13861) into executable memory and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The process's credential and sandbox structure in the kernel are overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
394148cda471deeb3abbfdccf622fa46
SpiderMonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
f548194e2e5ce1c18bacbf389f666b48
JavaScript V8 TurboFan may read a Map pointer out-of-bounds when optimizing Reflect.construct.
36998fe03e21e2360e63455dcd1824ed
SpiderMonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed.
9fd40f0341879df02a9860af01e711aa
JSC DFG's doesGC() is incorrect about the HasIndexedProperty operation's behavior on StringObjects.
447815ba563e6a4e43af5179de5f3476
JavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.
e3d6af3254ffc8f7e66b61e4895a6d8a
JavaScriptCore AIR optimization incorrectly removes assignment to register.
fbb7e0f88cf0da1880e1e46b1ff5975a
Chrome V8 has an issue where JSCallReducer::ReduceArrayIndexOfIncludes in TurboFan fails to insert Map checks.
c3cedb648ac563ef9c4a151be439bf86
JavaScriptCore suffers from an out-of-bounds access vulnerability in the FTL JIT due to LICM moving an array access before the bounds check.
666ca0b0b1f37dcfd1113b475c267cad
JavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.
44941500a9bd200e3ded8e6050b94b65
XNU has an issue where pidversion increment during execve is unsafe.
98cad986f696210bc1f2b23ff3589ba7
JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.
890d106035374c388ef370b205c1ca00
A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
cdcb535655303de5282b8e9ce3804be5
A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
2d9234f04f13771cc4ba74f08b736649