Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689.
Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices.
- DejaVu Sans Condensed
- DejaVu Serif
- DejaVu Sans Mono
- Choco Cooky
Choice of fonts
I don’t know how to port fonts for iOS properly: I did look for guides, but they were too difficult.
The included fonts were the only fonts I found that worked without porting. Other fonts I tested all displayed in a really squished way.
The CVE-2022-46689 issue – as far as I know – only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of the page can’t be written.
(I could be wrong)
See repackfonts/make_woff2src.sh for details; this script:
- renames the font to .SFUI-Regular with TTX following this answer
- rebuilds the font to .woff2
- runs repackfonts/BrotliPadding.swift to decompress the WOFF2 file and insert padding to skip past the 16384th byte
- Ian Beer of Project Zero for finding CVE-2022-46689.
- Apple for the test case and patch. (I didn’t change anything: I only wrapped the test case in a library.)
- Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially @dedbeddedbed, @AppleDry05, and @haxi0sm for exploring what can be done with this issue.
- The DejaVu fonts are distributed according to their license.
- Choco Cooky is the property of Samsung: I don’t have any rights to redistribute it, but I’m posting it anyways because #yolo.