Description
Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689.
Introduction
Proof-of-concept app to overwrite fonts on iOS using [CVE-2022-46689](https://support.apple.com/en-us/HT213530).
Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices.
IPA available in the [Releases](https://github.com/ginsudev/WDBFontOverwrite/releases) section.
Fonts included:
- DejaVu Sans Condensed
- DejaVu Serif
- DejaVu Sans Mono
- Go Regular
- Go Mono
- Fira Sans
- Segoe UI
- Comic Sans MS
- Choco Cooky
You can also import custom fonts that were ported for iOS.
## Screenshots
Screenshots (images not reproduced in this snapshot) of:

- DejaVu Sans Condensed, DejaVu Serif, DejaVu Sans Mono, Choco Cooky
- Go Regular, Go Mono, Segoe UI, Comic Sans MS
- Hanna Soft + JoyPixels, Bronkoh, Noto Serif SC, Fira Sans

Screenshot credit: [@ev_ynw](https://twitter.com/ev_ynw) for the ported [Hanna Soft](https://app.box.com/s/g4uk1yyqxm36sl9ovbwkpbbpn9isol8h/file/997004671334) and [Bronkoh](https://app.box.com/s/g4uk1yyqxm36sl9ovbwkpbbpn9isol8h/file/915757902297) fonts, [JoyPixels](https://joypixels.com/download) for the emoji font
## Where to find ported fonts
- [@ev_ynw](https://twitter.com/ev_ynw)
- [@PoomSmart](https://github.com/PoomSmart/EmojiFonts/releases)
## Known issues
- The built-in fonts are not properly ported (I don't know how to port fonts). For best results, use a custom font.
  - With the built-in fonts:
    - Only regular text uses the changed font: thin/medium/bold text falls back to Helvetica instead.
    - If the font doesn't show up at all, [disable "Bold Text"](https://twitter.com/m7mdabu7assan/status/1607609484901289985) in accessibility settings.
- File pickers in apps will fail to open with the error "Something went wrong while displaying documents."
  - This happens if you replace the emoji font, or install fonts with [multiple weights](https://twitter.com/Gu3hi/status/1607986473198026752).
  - Try the experimental .ttc fix by using "Import custom <font> with fix for .ttc".
- iOS 14.x devices which are jailbroken / were jailbroken before will not be able to revert to the original font.
  - Workaround: do not use this app if you're on iOS 14.x and have previously jailbroken. Instead, just jailbreak and replace fonts normally.
## Font conversion
The CVE-2022-46689 issue - as far as I know - only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of the page can't be written.
(I could be wrong)
To work around this, I package the font using the [WOFF2](https://www.w3.org/TR/WOFF2/) webfont format, which is [supported on iOS](https://twitter.com/myunderpants/status/1503745380365877252). WOFF2 uses [Brotli](https://datatracker.ietf.org/doc/html/rfc7932) for compression, which lets me insert padding to skip over the last byte.
See `repackfonts/make_woff2src.sh` for details. The script:
- renames the font to .SFUI-Regular with [TTX](https://github.com/fonttools/fonttools) following [this answer](https://superuser.com/a/694452)
- rebuilds the font to .woff2
- runs `repackfonts/BrotliPadding.swift` to decompress the WOFF2 file and insert padding to skip past the 16384th byte
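The page-size constraint above also gives a defender a cheap consistency check: a font file rewritten in place through this primitive keeps the stock byte at the last offset of every 16 KiB page, so comparing a suspect font against the stock copy at exactly those offsets tells you whether an in-place overwrite is even possible. The following is an added example, not code from WDBFontOverwrite; it parses the fixed WOFF2 header (per the W3C spec) and runs that check on constructed sample buffers (the sample is a header plus filler, not a real font).

```python
import struct

# Constraint described above: the primitive writes 16383 of every 16384 bytes,
# so the last byte of each 16 KiB page keeps whatever value was already on disk.
PAGE_SIZE = 16384

# Fixed 48-byte WOFF2 header (WOFF2 spec, section 5.1), big-endian.
WOFF2_HEADER = struct.Struct(">4sIIHHIIHHIIIII")

def parse_woff2_header(data):
    """Return the fixed WOFF2 header fields as a dict, or None if data is not WOFF2."""
    if len(data) < WOFF2_HEADER.size or data[:4] != b"wOF2":
        return None
    (_sig, flavor, length, num_tables, _reserved, sfnt_size, comp_size,
     major, minor, _mo, _ml, _mol, _po, _pl) = WOFF2_HEADER.unpack_from(data)
    return {"flavor": flavor, "length": length, "numTables": num_tables,
            "totalSfntSize": sfnt_size, "totalCompressedSize": comp_size,
            "version": (major, minor)}

def page_final_offsets(length):
    """Offsets of the last byte of every 16 KiB page within a file of `length` bytes."""
    return list(range(PAGE_SIZE - 1, length, PAGE_SIZE))

def page_final_mismatches(stock, suspect):
    """Page-final offsets at which `suspect` differs from the `stock` file."""
    n = min(len(stock), len(suspect))
    return [off for off in page_final_offsets(n) if stock[off] != suspect[off]]

def consistent_with_in_place_overwrite(stock, suspect):
    """True when `suspect` could have replaced `stock` through this primitive:
    same size, and every page-final byte still carries the stock value."""
    return len(stock) == len(suspect) and not page_final_mismatches(stock, suspect)

def build_sample_woff2(size, fill):
    """Constructed sample: a plausible WOFF2 header followed by filler (not a real font)."""
    header = WOFF2_HEADER.pack(b"wOF2", 0x00010000, size, 12, 0, size + 8000,
                               size - WOFF2_HEADER.size, 1, 0, 0, 0, 0, 0, 0)
    return header + bytes([fill]) * (size - len(header))

if __name__ == "__main__":
    stock = build_sample_woff2(40000, 0xAA)      # constructed stand-in for the stock font
    suspect = build_sample_woff2(40000, 0xBB)    # constructed stand-in for a rewritten file
    print(parse_woff2_header(suspect))
    print(page_final_offsets(len(stock)))        # [16383, 32767]
    print(page_final_mismatches(stock, suspect)) # both page-final bytes differ
    print(consistent_with_in_place_overwrite(stock, suspect))
```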
## Credits
- Ian Beer of [Project Zero](https://googleprojectzero.blogspot.com) for finding CVE-2022-46689.
- Apple for the [test case](https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c) and [patch](https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/osfmk/vm/vm_map.c#L10150). (I didn't change anything: I only wrapped the test case in a library.)
- Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially [@dedbeddedbed](https://twitter.com/dedbeddedbed), [@AppleDry05](https://twitter.com/AppleDry05), and [@haxi0sm](https://twitter.com/haxi0sm) for exploring what can be done with this issue.
- [WOFF2 compressor](https://github.com/google/woff2) by Google
- [ttcpad](https://github.com/LIJI32/ttcpad) by LIJI32
- [Fontforge stripttc](https://github.com/fontforge/fontforge/blob/master/contrib/fonttools/stripttc.c)
- The [DejaVu fonts](https://dejavu-fonts.github.io) are distributed according to their [license](https://dejavu-fonts.github.io/License.html).
- The [Go fonts](https://go.dev/blog/go-fonts) are distributed according to their license.
- The [Fira Sans](https://mozilla.github.io/Fira/) font was converted by [@jonpalmisc](https://twitter.com/jonpalmisc/status/1607570871421468678) - thanks!
- Segoe UI and Comic Sans MS are the property of Microsoft.
- Choco Cooky is the property of Samsung.
- I don't have any rights to redistribute these, but I'm posting them anyways because #yolo.
File snapshot

```text
[4.0K] /data/pocs/93f0e25eeb772fba0d52fccd9952f7d72b5a91c5
├── [ 657] build_woff2.sh
├── [4.8K] README.md
├── [4.0K] repackfonts
│   ├── [7.4K] BrotliPadding.swift
│   ├── [ 917] make_noto_serif_sc.sh
│   └── [1.2K] make_woff2src.sh
├── [4.0K] WDBFontOverwrite
│   ├── [4.0K] Assets.xcassets
│   │   ├── [4.0K] AccentColor.colorset
│   │   │   └── [ 329] Contents.json
│   │   ├── [4.0K] AppIcon.appiconset
│   │   │   ├── [ 59K] 1024 1.png
│   │   │   ├── [ 59K] 1024.png
│   │   │   ├── [3.1K] 114.png
│   │   │   ├── [3.3K] 120 1.png
│   │   │   ├── [3.3K] 120.png
│   │   │   ├── [5.3K] 180.png
│   │   │   ├── [ 665] 29.png
│   │   │   ├── [ 929] 40.png
│   │   │   ├── [1.3K] 57.png
│   │   │   ├── [1.3K] 58.png
│   │   │   ├── [1.4K] 60.png
│   │   │   ├── [2.0K] 80.png
│   │   │   ├── [2.2K] 87.png
│   │   │   └── [1.5K] Contents.json
│   │   └── [ 63] Contents.json
│   ├── [6.6K] BrotliPadding.swift
│   ├── [1.6K] FontMap.swift
│   ├── [ 295] grant_full_disk_access.h
│   ├── [ 17K] grant_full_disk_access.m
│   ├── [ 250] helpers.h
│   ├── [3.8K] helpers.m
│   ├── [1.3K] Info.plist
│   ├── [4.0K] MainInterface
│   │   ├── [ 985] ActionButtons.swift
│   │   ├── [1.2K] ActionButtons.ViewModel.swift
│   │   ├── [ 783] AlignedRowContentView.swift
│   │   ├── [3.6K] CustomFontsScene.swift
│   │   ├── [2.4K] CustomFontsScene.ViewModel.swift
│   │   ├── [1.9K] ExplanationView.swift
│   │   ├── [4.0K] FileEditor
│   │   │   ├── [2.1K] FileEditorView.swift
│   │   │   └── [1.3K] FileEditorView.ViewModel.swift
│   │   ├── [4.0K] FontDiscovery
│   │   │   ├── [2.2K] FontDiscoveryCard.swift
│   │   │   ├── [1.7K] FontDiscoveryCard.ViewModel.swift
│   │   │   ├── [1.2K] FontDiscoveryScene.swift
│   │   │   └── [2.3K] FontDiscoveryScene.ViewModel.swift
│   │   ├── [1.1K] NoticeView.swift
│   │   ├── [2.0K] PresetFontsScene.swift
│   │   └── [2.1K] PresetFontsScene.ViewModel.swift
│   ├── [6.2K] OverwriteFontImpl.swift
│   ├── [4.0K] Preview Content
│   │   └── [4.0K] Preview Assets.xcassets
│   │       └── [ 63] Contents.json
│   ├── [4.0K] PreviewFonts
│   │   ├── [2.1M] Chococooky.ttf
│   │   ├── [132K] Comic Sans MS.ttf
│   │   ├── [664K] DejaVuSansCondensed.ttf
│   │   ├── [333K] DejaVuSansMono.ttf
│   │   ├── [371K] DejaVuSerif.ttf
│   │   ├── [431K] FiraSans-Regular.ttf
│   │   ├── [169K] Go-Mono.ttf
│   │   ├── [145K] Go-Regular.ttf
│   │   └── [933K] segoeui.ttf
│   ├── [4.0K] Progress
│   │   └── [ 990] ProgressManager.swift
│   ├── [4.0K] RepackedFonts
│   │   ├── [1.8M] Chococooky.woff2
│   │   ├── [112K] Comic Sans MS.woff2
│   │   ├── [529K] DejaVuSansCondensed.woff2
│   │   ├── [264K] DejaVuSansMono.woff2
│   │   ├── [311K] DejaVuSerif.woff2
│   │   ├── [377K] FiraSans-Regular.2048.woff2
│   │   ├── [151K] Go-Mono.woff2
│   │   ├── [129K] Go-Regular.woff2
│   │   └── [855K] segoeui.woff2
│   ├── [ 367] _UIKeyboardCache.h
│   ├── [ 545] _UIKeyboardCache.m
│   ├── [ 11K] vm_unaligned_copy_switch_race.c
│   ├── [ 562] vm_unaligned_copy_switch_race.h
│   ├── [1.5K] WDBFontOverwriteApp.swift
│   ├── [ 126] WDBFontOverwrite-Bridging-Header.h
│   └── [4.1K] WDBImportCustomFontPickerViewControllerDelegate.swift
└── [4.0K] WDBFontOverwrite.xcodeproj
    ├── [ 28K] project.pbxproj
    ├── [4.0K] project.xcworkspace
    │   ├── [ 135] contents.xcworkspacedata
    │   └── [4.0K] xcshareddata
    │       └── [ 238] IDEWorkspaceChecks.plist
    └── [4.0K] xcuserdata
        └── [4.0K] zhuowei.xcuserdatad
            └── [4.0K] xcschemes
                └── [ 351] xcschememanagement.plist

19 directories, 75 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.