iOS_memory_exhaustion_writeup

Submitted by Style Pass, 2021-05-30 14:00:10

It is always important to keep up with the IOServices exposed to userspace, specifically those that are reachable from the app sandbox. At the time, Brandon Azad triggered a very powerful type confusion vulnerability in H11ANEIn simply by iterating over IOServices and trying to obtain user clients, brute-forcing the possible type values (blogpost, issue 2004).

I wrote similar functionality and executed it from the app sandbox on an iPhone X running iOS 14.2 (18B92). This gave me a list of all the user clients I can open from inside the app sandbox, and I kept on with my research. However, I noticed a weird phenomenon: when I executed my scanner with a larger range of values for type (brute-forcing the type argument to IOServiceOpen), the device stopped responding completely and blacked in and out nonstop. I narrowed it down and built a minimal PoC to trigger this behavior:
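The author's PoC is not reproduced on this page. What follows is an added illustration, not the author's code, of the scanner described above: it walks every registered IOService and asks IOServiceOpen for each user client type in a bounded range, recording which ones the calling process is allowed to open. The IOKit prototypes are declared by hand because the iOS SDK does not ship the IOKit headers (the framework itself is present on the device; link with -framework IOKit). MAX_TYPE, probe_service and scan_userclients are names chosen here for illustration.

```objc
// Added example (not the post's PoC): enumerate IOServices and probe which
// user client types the calling process may open, bounded by MAX_TYPE.
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <string.h>

// IOKit is present on iOS but its headers are not in the SDK, so declare
// the few types and functions this scanner needs.
typedef mach_port_t io_object_t;
typedef io_object_t  io_service_t;
typedef io_object_t  io_connect_t;
typedef io_object_t  io_iterator_t;
typedef char         io_name_t[128];

extern const mach_port_t kIOMasterPortDefault;
CFMutableDictionaryRef IOServiceMatching(const char *name);
kern_return_t IOServiceGetMatchingServices(mach_port_t masterPort,
                                           CFDictionaryRef matching,
                                           io_iterator_t *existing);
io_object_t   IOIteratorNext(io_iterator_t iterator);
kern_return_t IOObjectGetClass(io_object_t object, io_name_t className);
kern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask,
                            uint32_t type, io_connect_t *connect);
kern_return_t IOServiceClose(io_connect_t connect);
kern_return_t IOObjectRelease(io_object_t object);

// Keep the range small. The post reports that widening the type range far
// enough made the device black out and require a hard reset, so widen it
// gradually and only on a device you can afford to reboot.
#define MAX_TYPE 16u

// Try IOServiceOpen(service, type) for every type in [0, maxType) and return
// how many succeeded. Each successful connection is closed immediately so the
// scan itself does not accumulate open user clients.
static unsigned probe_service(io_service_t service, uint32_t maxType) {
    io_name_t cls;
    if (IOObjectGetClass(service, cls) != KERN_SUCCESS) {
        strcpy(cls, "?");
    }
    unsigned opened = 0;
    for (uint32_t type = 0; type < maxType; type++) {
        io_connect_t conn = MACH_PORT_NULL;
        kern_return_t kr = IOServiceOpen(service, mach_task_self(), type, &conn);
        if (kr == KERN_SUCCESS) {
            NSLog(@"%s: user client type %u opened from the app sandbox", cls, type);
            opened++;
            IOServiceClose(conn);
        }
    }
    return opened;
}

// Walk every registered IOService. IOServiceMatching("IOService") matches the
// root class and therefore every subclass; the matching dictionary is consumed
// by IOServiceGetMatchingServices, so it is not released here.
static void scan_userclients(uint32_t maxType) {
    io_iterator_t it = MACH_PORT_NULL;
    kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault,
                                                    IOServiceMatching("IOService"),
                                                    &it);
    if (kr != KERN_SUCCESS) {
        NSLog(@"IOServiceGetMatchingServices failed: 0x%x", kr);
        return;
    }
    unsigned services = 0, opened = 0;
    io_service_t svc;
    while ((svc = IOIteratorNext(it)) != MACH_PORT_NULL) {
        services++;
        opened += probe_service(svc, maxType);
        IOObjectRelease(svc);
    }
    IOObjectRelease(it);
    NSLog(@"%u services scanned, %u user clients opened with type < %u",
          services, opened, maxType);
}

// In a sandboxed app, call scan_userclients() from application code;
// main() is shown only so the file builds stand-alone.
int main(void) {
    @autoreleasepool {
        scan_userclients(MAX_TYPE);
    }
    return 0;
}
```

Only successful opens are logged; the common failure codes (unsupported type, not privileged, bad argument) are the expected outcome for most service/type pairs and say nothing by themselves. The value of the scan is the delta between what the sandbox can open and what is documented, and, as the post shows, the device's behaviour as the range grows.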

The only way to get the device back into a usable state was a hard reset. After the device turned back on, I saw crashdumps of many EL0 processes that had crashed while the device was in an unstable, non-responsive state. Among those there were interesting crashes (actually, a lot of crashes) of privileged processes in EL0 all over the place, and many non-interesting ones, such as NULL derefs, intentional SIGABRTs/kills, etc.
