WeightBufs:

WeightBufs is a kernel read/write exploit for all Apple devices with Neural Engine support. Bugs and exploit by @simo36; see my POC presentation slides for details about the vulnerabilities and the exploitation techniques.

The exploit does not rely on any hardcoded address or offset, and it should work as is on macOS 12 up to 12.4 and *OS 15 up to 15.5.

The kernel vulnerabilities affect all iOS 15 versions (and up to iOS 16.0); however, the sandbox escape was fixed in iOS 15.6. That breaks the exploit chain, so another sandbox escape is required to get things working again on iOS 15.6/15.7. Although I have another sandbox escape that works up to iOS 16.1, I'm not sure whether the kernel exploitation techniques are still usable on iOS 15.6+.

Vulnerabilities:

The exploit chains 4 vulnerabilities which I independently discovered and reported to Apple:

Tested devices:

Notes:

There are some situations where the exploit may fail:

Credit

WeightBufs includes AppleNeuralEngine framework header files generated by Elias Limneos via classdump-dyld 1.0.

License

WeightBufs is released under the MIT license.