wen eta KFD for iOS 26.0.1???????

Seriously, any iOS experts looked into if CVE-2025-43520 from the DarkSword vulns could be used for KFD/MacDirtyCow-style file modding?

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog

DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.

Google Cloud Blog
Wait, so the DarkSword exploit just injects JavaScript into any process they want? Could... could modders write tweaks in JavaScript?
https://iverify.io/blog/darksword-ios-exploit-kit-explained
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites

Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.

According to TAG’s analysis, DarkSword “uses CVE-2025-43520, a kernel-mode race condition in XNU’s virtual filesystem (VFS) implementation”. I’m guessing it’s https://github.com/apple-oss-distributions/xnu/blob/bbb1b6f9e71b8cdde6e5cd6f4841f207dee3d828/bsd/vfs/vfs_cluster.c#L3700 ? There are several VFS changes; not sure if this is the right one.

If it is this one, I guess you’d somehow

  • Make a contiguous memory region,
  • start reading a file into it,
  • then switch it to a non-contiguous region after it’s validated the region, but before it actually starts reading the file,
  • so it ends up writing what it thinks is your contiguous area, but actually is the first part of your area followed by some other memory?
I'm not going to look into this (I don't have an iOS 26.0 device and don't plan to get one); I just want to know how jealous I should be.
@zhuowei Could macOS 26.0 work for experimentation? Or is the relevant code different?
@nicolas17 I mean that I don't have any devices that I want tweaks on, so I don't have a reason to study it.

(I would assume macOS would probably work. I don't have the malware samples, so I don't know whether it depends specifically on iOS stuff...)