Another one bites the Apple! / (ramses)Junho Jang
===
South Korea
LINE research team GrayHash
https://linecorp.com/en/pr/news/global/2018/31
CTF team: PLUS
Interest: hunting
Apple apps: Safari, App Store, FaceTime
PoC source code:
https://github.com/binspecta/hitcon2019
Target:
Web browser: Safari
Safari:
How to exploit via the browser
Two vulnerabilities are needed: an information leak + PC (program counter) control
1. Arbitrary read/write via JavaScript memory structures
2. Arbitrary code execution
Leak from iOS 12.2
RegExp analysis
- Cause: Safari's implementation of RegExp back references (`\<num>`) had a bug
The bugs were found through fuzzing
Three factors:
- Environment
  - Using the tool Verda, VMs can be spun up continuously
  - 400 CPUs for fuzzing
  - Docker used for large-scale deployment
- Target
  - JavaScriptCore with ASan
- Framework
  - FuzzManager
  - Tools for fuzzing Safari
Crash analysis
Kernel bug demo
CVE-2019-8576 (heap buffer overflow in kernel memory)
XNU (X is Not Unix)
**jsfunfuzz**
**Fuzz manager**
###### tags: `HITCONCMT2019`,`HITCONCMT`,`HITCON`