Tuesday, April 15, 2025

dlsym Considered Harmful on iOS 18.4

Fabien Perigaud (tweet):

This time, we will dynamically resolve and use strcmp().

[…]

Instead of a nice log indicating that the two strings are not the same, our application crashed...

[…]

What just happened? Why is the pointer incorrectly signed? Why do I have a kernel pointer in PC?

[…]

An XPACI instruction is clearly missing here: we can see the return value (X0) from the BLRAAZ being directly converted to an offset by the SUB instruction. In iOS 18.3.2, the XPACI instruction is present.

[…]

Repeated tests showed that, in contrast to the specification, the pointer was considered a kernel one (during a signature operation) if bit 63 is set!
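As an added illustration (not code from Perigaud's post, nor anything from Apple), here is a C helper that resolves strcmp() through dlsym() and strips the pointer authentication code before any pointer arithmetic, which is the XPACI step the post found missing on iOS 18.4. It assumes ptrauth.h and ptrauth_strip() are available only on arm64e builds (elsewhere stripping is a no-op) and treats a set bit 63 on the stripped address as the failure mode the post describes.

```c
#define _GNU_SOURCE            /* RTLD_DEFAULT on glibc */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>

/* Compiler pointer-authentication intrinsics exist only on arm64e
   builds; on other targets the pointer carries no signature. */
#if defined(__has_feature)
#  if __has_feature(ptrauth_calls)
#    include <ptrauth.h>
#    define HAVE_PTRAUTH 1
#  endif
#endif
#ifndef HAVE_PTRAUTH
#  define HAVE_PTRAUTH 0
#endif

typedef int (*strcmp_fn)(const char *, const char *);

/* The post reports that a set bit 63 is treated as a kernel pointer
   during signing; refuse to do arithmetic on such a value. */
static int looks_like_kernel_pointer(uintptr_t p) {
    return (p >> 63) != 0;
}

/* Software equivalent of the XPACI the post found missing: drop the
   PAC bits before the address is used as a plain integer. */
static uintptr_t strip_pac(void *p) {
#if HAVE_PTRAUTH
    return (uintptr_t)ptrauth_strip(p, ptrauth_key_function_pointer);
#else
    return (uintptr_t)p;
#endif
}

/* Resolve strcmp() at runtime. Returns the callable (still signed)
   pointer and stores the stripped address in *raw for offset maths;
   returns NULL on failure or if the stripped address still has bit 63. */
static strcmp_fn resolve_strcmp(uintptr_t *raw) {
    void *sym = dlsym(RTLD_DEFAULT, "strcmp");
    if (sym == NULL)
        return NULL;
    uintptr_t addr = strip_pac(sym);
    if (looks_like_kernel_pointer(addr))
        return NULL;           /* never SUB on a signed pointer */
    *raw = addr;
    return (strcmp_fn)sym;
}

/* Offset of a symbol from a base, computed on stripped values only. */
static uintptr_t offset_from(uintptr_t base, uintptr_t raw) { return raw - base; }
```

On a non-arm64e host this runs as an ordinary dlsym() lookup; on arm64e the call still goes through the signed pointer while only the stripped copy feeds the offset computation.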
