The 2021 Pwnie Nominee For Best Client-Side Bug

CVE-2021-1864

Research Names: Zhi Zhou

Link: https://blog.chichou.me/mistune/

A sandbox escape bug (CVE-2021-1748) had to be used first before the exploit finally reached this vulnerable WebView. This bug was used at TianfuCup 2020 to get full-chain remote code execution on an iPhone 11 (iOS 14.2). This is kind of mind-blowing because traditional WebKit exploits have to get code execution within the sandbox first, then escape. Obviously, this exploit took a different path.

Along with other Objective-C exploitation techniques, this bug was able to bypass Pointer Authentication Code (PAC) and APRR to get complete shellcode execution in the context of the iTunes Store, whose sandbox profile is even less strict than that of a user-developed app.

TianfuCup 2020 marked the first successful remote pwn in the iOS category since the A12 had shipped with PAC. The exploit worked up to the A14 (iPhone 12) on iOS 14.3.