Remotely dump memory with no interaction on iPhone 11 Pro (fixed in iOS 13.3.1) (chromium.org)
100 points by notRobot on March 6, 2020 | hide | past | favorite | 16 comments



> The physical memory dumping is abusing the fact that on iOS the physmap region, which provides direct virtual mappings of large parts of device physical memory, is larger than the random ASLR shift which is applied to it. It's almost 4GB in size, but its virtual address only varies by around 1GB, leading to kernel virtual addresses which are always mapped and which provide a window into device physical memory.

Not the first time Apple has messed up ASLR because the thing that they’re sliding has gotten too large…
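The quoted paragraph describes the general failure mode: a slid region whose size exceeds its slide range always leaves a fixed window that is mapped no matter which slide was chosen. The C below is an added illustration and is not code from the Project Zero bug or from Apple; it models a region of `size` bytes mapped at `base + slide` and computes the interval that survives every slide, plus a brute-force check for a single address. The sizes (about 4 GB of physmap, about 1 GB of slide) are rounded from the quote; the base address and the 2 MiB slide granularity are made-up placeholders.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a slid kernel region such as the physmap: `size` bytes are
 * mapped at base + slide, where slide is picked once per boot from
 * [0, max_slide] in steps of `slide_step`. */
struct slid_region {
    uint64_t base;
    uint64_t size;
    uint64_t max_slide;
    uint64_t slide_step;
};

/* The interval [lo, hi) that is mapped for EVERY possible slide value.
 * Returns false and an empty window when max_slide >= size, i.e. when the
 * slide is at least as large as the region and no address is guaranteed
 * to be mapped, which is what ASLR is supposed to achieve. */
bool always_mapped_window(const struct slid_region *r, uint64_t *lo, uint64_t *hi)
{
    if (r->max_slide >= r->size) {
        *lo = *hi = 0;
        return false;
    }
    *lo = r->base + r->max_slide;  /* start of the region under the largest slide */
    *hi = r->base + r->size;       /* end of the region under a zero slide */
    return true;
}

/* Brute-force check: is `addr` inside the region for every possible slide? */
bool always_mapped(const struct slid_region *r, uint64_t addr)
{
    for (uint64_t s = 0; s <= r->max_slide; s += r->slide_step) {
        uint64_t start = r->base + s;
        if (addr < start || addr >= start + r->size)
            return false;
    }
    return true;
}

/* Parameters rounded from the bug description: ~4 GB region, ~1 GB of slide.
 * The base address and slide step are placeholders, not real iOS values. */
struct slid_region physmap_model(void)
{
    struct slid_region r = {
        .base = 0xffffff8000000000ull,
        .size = 4ull << 30,
        .max_slide = 1ull << 30,
        .slide_step = 1ull << 21,
    };
    return r;
}

/* Size in bytes of the window that stays mapped regardless of the slide. */
uint64_t physmap_fixed_window_bytes(void)
{
    struct slid_region r = physmap_model();
    uint64_t lo, hi;
    if (!always_mapped_window(&r, &lo, &hi))
        return 0;
    return hi - lo;
}

int main(void)
{
    struct slid_region r = physmap_model();
    uint64_t lo, hi;
    if (always_mapped_window(&r, &lo, &hi))
        printf("always mapped: [0x%llx, 0x%llx), %llu MiB\n",
               (unsigned long long)lo, (unsigned long long)hi,
               (unsigned long long)((hi - lo) >> 20));
    /* The fix direction: grow the slide range to at least the region size. */
    r.max_slide = r.size;
    printf("slide >= size, window exists: %d\n", always_mapped_window(&r, &lo, &hi));
    return 0;
}
```

With the rounded numbers the fixed window is 3 GiB wide, which is why a reader of the bug can pick a physmap address that is valid on every boot; the check to apply when reviewing any slid mapping is simply that the slide range is not smaller than the mapping it slides.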


This also affected MacBooks and was fixed in MacOS 10.15.3

iOS: https://support.apple.com/en-us/HT210918
MacOS: https://support.apple.com/en-us/HT210919


Does this work if AirDrop is disabled but Bluetooth is on?

How about if just AirDrop is off?


Maybe it would be good to change the title to say `(fixed in iOS 13.3.1)` instead of `(iOS 13.3)`, to make it clear that this is not a zero day.


HN title character limit didn't allow me to.


I've squeezed it in there now at the cost of a little ungrammaticalness.

(Submitted title was "PoC remotely dump memory with no user interaction on iPhone 11 Pro (iOS 13.3)".)


I still see only 13.3, not 13.3.1... could do this:

> Remotely dump memory w/o user interaction on iPhone 11 Pro (fixed iOS 13.3.1)


Thanks, I missed that. I've moved things around a bit.


Good enough :)


It would be nice if they increased the title limit.


Well how would you expect to get any clicks doing that?


A lot of cynicism on HN today :( but I suggest that if someone links to a Project Zero bug about iOS you can pretty much assume it’s been patched, and the OP claims HN title character limit is the true reason for the omission.

If a bug is unpatched I’d actually expect the title to specify that instead...


It's a bug tracker. Is it ad supported? Would they even want superfluous clicks?


OP wants clicks.


What would be the point of getting clicks to a bug tracker which he doesn't own?


Why would I?



