iOS - CVE-2025-31201 (обход PAC)

[weaver]

Технический анализ недавно (18.04.2025) исправленной уязвимости в iOS, которая позволяла обойти PAC

Assuming someone has read and write primitives, and assuming that libRPAC.dylib is loaded, they can run this substitution attack we described here to call dlsym in place of for instance -[NSData initWithContentsOfFile:options:error:].

When the attacker calls -[NSData initWithContentsOfFile:options:error:] it will actually call dlsym which is a PAC bypass as the attacker would now be able to craft signed pointers with diversifier zero to exported symbols from any library.

https://blog.epsilon-sec.com/cve-2025-31201-rpac.html