WHW0x455

Bypass PAC in JIT

The code snippets and conceptual analysis presented in this document are based on iOS 16.2.

The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.

• https://support.apple.com/en-us/120905
• https://github.com/WebKit/WebKit/commit/3e3d0883c84955472ece1b2f2e63f31522c5440d

WHW0x455

2023 predator sample

Thanks to Google for sharing the sample.

VersionDispatcher

The int uname(struct utsname *); function retrieves the current device information, containing info such as iPhone13,2\x00 to identify the device model.

VersionDispatcher::OffsetsVersionByDeviceInit