wen eta KFD for iOS 26.0.1???????

Seriously, any iOS experts looked into if CVE-2025-43520 from the DarkSword vulns could be used for KFD/MacDirtyCow-style file modding?

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog

DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.

Google Cloud Blog
Wait, so the DarkSword exploit just injects JavaScript into any process they want? Could... could modders write tweaks in JavaScript?
https://iverify.io/blog/darksword-ios-exploit-kit-explained
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites

Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.

According to TAG’s analysis, DarkSword “uses CVE-2025-43520, a kernel-mode race condition in XNU’s virtual filesystem (VFS) implementation”. I’m guessing it’s https://github.com/apple-oss-distributions/xnu/blob/bbb1b6f9e71b8cdde6e5cd6f4841f207dee3d828/bsd/vfs/vfs_cluster.c#L3700 ? There are several VFS changes; not sure if this is the right one.

If it is this one, I guess you’d somehow

  • Make a contiguous memory region,
  • start reading a file into it,
  • then switch it to a non-contiguous region after it’s validated the region, but before it actually starts reading the file,
  • so it ends up writing what it thinks is your contiguous area, but actually is the first part of your area followed by some other memory?
I'm not going to look into this (I don't have an iOS 26.0 device and don't plan to get one); I just want to know how jealous I should be.
@zhuowei Could macOS 26.0 work for experimentation? Or is the relevant code different?
@nicolas17 I mean that I don't have any devices that I want tweaks on, so I don't have a reason to study it.

(I would assume macOS would probably work. I don't have the malware samples, so I don't know whether it depends specifically on iOS stuff...)
@zhuowei I think that's called Frida
@artemist Frida requires a Frida server (jailbroken) or a FridaGadget (injected into app), though, both in native code, and ships with its own JavaScript interpreter, a choice between Duktape, V8, and QuickJS.
The implant, as described, can't inject native code and only runs JavaScript, using Apple's built-in JavaScriptCore. That should still be enough to hook most code, right?

@zhuowei I assume this would be extremely complicated since you can't replace executable code, and even doing something like interposing is, I would assume, very limited, since I don't think it's easy to make native code call into JavaScript by replacing a pointer.

I assume all they really do is call from JS into native code, and of course there might be some stuff you can do with it, but I don't think it's much outside of, well… what malware would want to do 😛

@opa334 Except the malware seems to be able to make native calls in any process by taking them over with just kernel r/w and a userspace PAC bypass. All from JavaScript. (see the code sample from https://iverify.io/blog/darksword-ios-exploit-kit-explained) With their PAC bypass, I’m sure someone could sign fake IMPs and ROP chains to redirect Objective-C methods into JavaScript. Or even start a thread, set it as exception handler, have your JS wait for an exception message, then use the hardware breakpoint handlers and/or cause an intentional segfault where you want your hook to run, so the exception gets delivered to your JS…

And you really can’t underestimate JavaScript: remember when Fugu14 wrote an entire untether with JavaScript embedded in a dyld closure? (https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/iOS/Fugu14App/Fugu14App/setup.js#L270, https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/shared/ClosurePwn/Sources/ClosurePwn/JSFiles/JSUtilsSetup.swift#L615, https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/shared/ClosurePwn/Sources/ClosurePwn/PwnClosure.swift#L509)


@opa334 I'm not going to look into this (I don't have an iOS 26.0 device); I just want to know how jealous I should be...