Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689

Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689.

Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices.

Fonts included:

  • DejaVu Sans Condensed
  • DejaVu Serif
  • DejaVu Sans Mono
  • Choco Cooky

Choice of fonts

I don’t know how to port fonts for iOS properly: I did look for guides, but they were too difficult.

The included fonts were the only fonts I found that worked without porting. Other fonts I tested all displayed in a really squished way.

Font conversion

The CVE-2022-46689 issue – as far as I know – only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of the page can’t be written.

(I could be wrong)

To work around this, I package the font using the WOFF2 webfont format, which is supported on iOS. WOFF2 uses Brotli for compression, which lets me insert padding to skip over the last byte.

See repackfonts/make_woff2src.sh for details: this script:

  • renames the font to .SFUI-Regular with TTX following this answer
  • rebuilds the font to .woff2
  • runs repackfonts/BrotliPadding.swift to decompress the WOFF2 file and insert padding to skip past the 16384th byte

Credits

  • Ian Beer of Project Zero for finding CVE-2022-46689.
  • Apple for the test case and patch. (I didn’t change anything: I only wrapped the test case in a library.)
  • Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially @dedbeddedbed, @AppleDry05, and @haxi0sm for exploring what can be done with this issue..
  • The DejaVu fonts are distributed according to their license.
  • Choco Cooky is the property of Samsung: I don’t have any rights to redistribute it, but I’m posting it anyways because #yolo.

GitHub

View Github