Google Project Zero white-hat hacker Ian Beer has disclosed technical details of a critical “wormable” iOS bug that could have allowed a remote attacker to take over any device in the vicinity over Wi-Fi.
The flaw, tracked as CVE-2020-3843, is a double free issue; exploiting it makes it possible to access photos and other sensitive data, including email and private messages.
The expert discovered the bug after 6 months of research and devised a zero-click exploit to trigger it.
“a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time,” said Beer.
Apple addressed the CVE-2020-3843 vulnerability with the release of a series of updates as part of iOS 13.5 and macOS Catalina 10.15.5 in May.
A remote attacker could exploit the flaw to trigger an unexpected system termination or corrupt kernel memory.
“A remote attacker may be able to cause unexpected system termination or corrupt kernel memory” reads the security advisory published by Apple. “A double free issue was addressed with improved memory management.”
The vulnerability stems from a fairly trivial buffer overflow programming error in a Wi-Fi driver associated with the Apple Wireless Direct Link (AWDL) protocol. AWDL is an Apple proprietary mesh networking protocol used to enable easier communication between Apple devices.
The white-hat hacker demonstrated the exploit in a test environment composed of an iPhone 11 Pro, a Raspberry Pi, and two different Wi-Fi adaptors. Beer was able to remotely achieve arbitrary kernel memory read and write and inject shellcode payloads into kernel memory, bypassing the victim’s defenses.
“A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers,” wrote the expert.
“In fact, this entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write.”
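To make the bug class Beer describes concrete, here is an added example (constructed for this article, not Apple’s AWDL driver code; the TLV layout, VALUE_MAX and the function names are assumptions): a parser that trusts a frame-supplied length beside one that validates that length against both the input actually present and the destination buffer, which is the check whose absence turns untrusted-data parsing into a kernel memory corruption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed TLV layout for illustration only, not AWDL's real wire format:
 * [type:1][len:1][value:len]. The parser copies one TLV value into a fixed-size
 * record, the "kernel parsing untrusted data" pattern the article describes. */
#define VALUE_MAX 16

struct peer_record {
    uint8_t type;
    uint8_t value[VALUE_MAX];
    size_t  value_len;
};

/* Unchecked parse (the bug class): the length byte comes straight from the frame,
 * so a len > VALUE_MAX makes memcpy write past peer->value. Shown for contrast;
 * only ever call it with a well-formed frame. */
int parse_tlv_unchecked(const uint8_t *buf, size_t buf_len, struct peer_record *peer)
{
    if (buf_len < 2) return -1;
    peer->type = buf[0];
    peer->value_len = buf[1];
    memcpy(peer->value, buf + 2, peer->value_len); /* no bound on value_len */
    return 0;
}

/* Hardened parse: the frame-supplied length is checked against both the bytes
 * actually present and the destination capacity before any copy happens. */
int parse_tlv_checked(const uint8_t *buf, size_t buf_len, struct peer_record *peer)
{
    if (buf_len < 2) return -1;            /* header must be present */
    size_t len = buf[1];
    if (len > buf_len - 2) return -2;      /* length exceeds what the frame holds */
    if (len > VALUE_MAX) return -3;        /* value would overflow the record */
    peer->type = buf[0];
    peer->value_len = len;
    memcpy(peer->value, buf + 2, len);
    return 0;
}

/* Constructed sample frames: well-formed, truncated (claims 32 bytes, carries 4),
 * and oversized (carries 32 bytes, more than VALUE_MAX can hold). */
static const uint8_t GOOD_FRAME[]      = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t TRUNCATED_FRAME[] = { 0x01, 0x20, 'a', 'b', 'c', 'd' };

int demo_good(void)      { struct peer_record p; return parse_tlv_checked(GOOD_FRAME, sizeof GOOD_FRAME, &p); }
int demo_truncated(void) { struct peer_record p; return parse_tlv_checked(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, &p); }
int demo_oversized(void) { struct peer_record p; uint8_t f[34] = { 0x01, 0x20 }; return parse_tlv_checked(f, sizeof f, &p); }
```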
For testing purposes, the expert generated 100 random contacts, each with 4 contact identifiers (home and work email, home and work phone numbers), using a modified version of the AppleScript in this StackOverflow answer.
The attacker targets the AirDrop BTLE framework to enable the AWDL interface by brute-forcing a contact’s hash value from the list of 100 contacts stored on the device. The attacker then triggers the buffer overflow to gain access to the device and run a malicious implant as root, achieving full control of the mobile device.
The expert explained that he is not aware of attacks in the wild exploiting this vulnerability, but he pointed out that exploit vendors seemed to take notice of the fixes.
“I have no evidence that these issues were exploited in the wild; I found them myself through manual reverse engineering. But we do know that exploit vendors seemed to take notice of these fixes. For example, take this tweet from Mark Dowd, the co-founder of Azimuth Security, an Australian “market-leading information security business”,” continues the expert.
Researchers from security firm Synacktiv also published technical details about the CVE-2020-27950 flaw, explaining that it was chained with two other flaws.
“On November 5th, Project Zero announced that Apple has patched in iOS 14.2 a full chain of vulnerabilities that were actively exploited in the wild, composed of 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak (“memory initialization issue”) and a type confusion in the kernel,” reads the analysis published by Synacktiv.
The three vulnerabilities chained in the attack are a memory corruption issue in the FontParser library that was exploited to achieve remote code execution, a memory leak that granted a malicious application kernel privileges to run arbitrary code, and a type confusion issue in the kernel.
The researchers also shared proof-of-concept exploit code for the vulnerability.
Resource: Securityaffairs