ginsudev/WDBFontOverwrite

Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689.

Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices.

IPA available in the Releases section.

Fonts included:

• DejaVu Sans Condensed
• DejaVu Serif
• DejaVu Sans Mono
• Go Regular
• Go Mono
• Fira Sans
• Segoe UI
• Comic Sans MS
• Choco Cooky

You can also import custom fonts that were ported for iOS.

Screenshots

DejaVu Sans Condensed | DejaVu Serif | DejaVu Sans Mono | Choco Cooky

Go Regular | Go Mono | Segoe UI | Comic Sans MS

Hanna Soft + JoyPixels | Bronkoh | Noto Serif SC | Fira Sans

Screenshot credit: @ev_ynw for the ported Hanna Soft and Bronkoh fonts, JoyPixels for the emoji font

Where to find ported fonts

• @ev_ynw
• @PoomSmart

Known issues

• The built-in fonts are not properly ported (I don't know how to port fonts). For best results, use a custom font.
  • with the built-in fonts:
  • Only regular text uses the changed font: thin/medium/bold text falls back to Helvetica instead.
  • If the font doesn't show up at all, disable "Bold Text" in accessibility settings.
• File pickers in apps will fail to open with the error "Something went wrong while displaying documents."
  • This happens if you replace the emoji font, or install fonts with multiple weights
  • Try the experimental .ttc fix by using "Import custom with fix for .ttc"
• iOS 14.x devices which are jailbroken / were jailbroken before will not be able to revert to the original font.
  • Workaround: do not use this app if you're on iOS 14.x and have previously jailbroken. Instead, just jailbreak and replace fonts normally.

Font conversion

The CVE-2022-46689 issue - as far as I know - only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of the page can't be written.

(I could be wrong)

To work around this, I package the font using the WOFF2 webfont format, which is supported on iOS. WOFF2 uses Brotli for compression, which lets me insert padding to skip over the last byte.

See repackfonts/make_woff2src.sh for details: this script:

• renames the font to .SFUI-Regular with TTX following this answer
• rebuilds the font to .woff2
• runs repackfonts/BrotliPadding.swift to decompress the WOFF2 file and insert padding to skip past the 16384th byte

Credits

• Ian Beer of Project Zero for finding CVE-2022-46689.
• Apple for the test case and patch. (I didn't change anything: I only wrapped the test case in a library.)
• Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially @dedbeddedbed, @AppleDry05, and @haxi0sm for exploring what can be done with this issue..
• WOFF2 compressor by Google
• ttcpad by LIJI32
• Fontforge stripttc
• The DejaVu fonts are distributed according to their license.
• The Go fonts are distributed according to their license.
• The Fira Sans font is converted by @jonpalmisc - thanks!
• Segoe UI and Comic Sans MS are the property of Microsoft.
• Choco Cooky is the property of Samsung.
• I don't have any rights to redistribute these, but I'm posting them anyways because #yolo.