Google discloses a zero-click Wi-Fi exploit to hack iPhone devices

by chebbi abir

Google Project Zero researcher Ian Beer on Tuesday disclosed a critical “wormable” iOS flaw that could have allowed an attacker to take over iPhone devices over Wi-Fi without any user interaction.

Google Project Zero white-hat hacker Ian Beer has disclosed technical details of a critical “wormable” iOS bug that could have allowed a remote attacker to take over any device in the vicinity over Wi-Fi.

The flaw, tracked as CVE-2020-3843, is described by Apple as a double free issue and by Beer as a buffer overflow in kernel code that parses untrusted Wi-Fi data. Successful exploitation gives an attacker access to photos and other sensitive data on the device, including email and private messages.

The bug and the zero-click exploit that triggers it are the result of six months of research by Beer.

“a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.” said Beer.

Apple addressed CVE-2020-3843 in January 2020 with the release of iOS 13.3.1 and macOS Catalina 10.15.3, well before iOS 13.5 shipped in May.

Apple’s advisory describes the impact tersely: “A remote attacker may be able to cause unexpected system termination or corrupt kernel memory,” it reads, adding that “a double free issue was addressed with improved memory management.”

The vulnerability stems from a fairly trivial buffer overflow programming error in the kernel’s Wi-Fi driver code that handles Apple Wireless Direct Link (AWDL). AWDL is Apple’s proprietary mesh networking protocol, used to let nearby Apple devices talk to each other directly (it underpins features such as AirDrop), which is why the bug is reachable by anyone within radio range.

Beer demonstrated the exploit in a test environment consisting of an iPhone 11 Pro, a Raspberry Pi, and two different Wi-Fi adapters. From that setup he was able to remotely achieve arbitrary kernel memory read and write and inject shellcode payloads into kernel memory, defeating the device’s exploit mitigations along the way.

“A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.” wrote the expert.

“In fact, this entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write.”[…]
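The bug class Beer describes, a length field in untrusted data trusted by a kernel parser, is easy to picture with a small constructed example. The code below is added here for illustration; it is not Apple’s AWDL parser and not Beer’s exploit. It assumes a made-up TLV wire format (`type:1 byte, len:1 byte, value:len bytes`), a parser that copies the matching value into a 16-byte payload buffer, and a “neighbour” region standing in for whatever the allocator placed next to that buffer. The vulnerable parser checks only that the TLV fits in the packet and so lets an oversized value spill into the neighbour; the hardened parser also checks the value against the destination capacity and rejects the frame.

```c
/* Constructed example: missing capacity check in a TLV parser, and the fix.
 * Not Apple's AWDL code and not Ian Beer's exploit. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_CAP    16   /* capacity the parser believes the payload buffer has */
#define SLAB_SIZE      32   /* backing store: payload buffer + the object next to it */
#define NEIGHBOUR_OFF  PAYLOAD_CAP
#define NEIGHBOUR_MARK 0xA5 /* fill pattern so we can detect corruption */

/* The first PAYLOAD_CAP bytes of slab are the payload buffer; the rest stands
 * in for an adjacent heap object. Keeping both in one array keeps the demo
 * within defined behaviour while still showing the overwrite. */
typedef struct {
    uint8_t slab[SLAB_SIZE];
} frame_t;

static void frame_init(frame_t *f)
{
    memset(f->slab, 0, SLAB_SIZE);
    memset(f->slab + NEIGHBOUR_OFF, NEIGHBOUR_MARK, SLAB_SIZE - NEIGHBOUR_OFF);
}

/* 1 if the neighbouring object still holds its fill pattern, else 0. */
int neighbour_intact(const frame_t *f)
{
    for (size_t i = NEIGHBOUR_OFF; i < SLAB_SIZE; i++)
        if (f->slab[i] != NEIGHBOUR_MARK)
            return 0;
    return 1;
}

/* Vulnerable: trusts the attacker-supplied length when copying into the
 * fixed-size payload buffer. Returns bytes copied, 0 if type absent, -1 if the
 * packet is truncated. */
int parse_tlvs_vulnerable(frame_t *f, const uint8_t *pkt, size_t pkt_len, uint8_t want_type)
{
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t type = pkt[off], len = pkt[off + 1];
        off += 2;
        if (len > pkt_len - off)
            return -1;                  /* only the *packet* bound is checked */
        if (type == want_type) {
            memcpy(f->slab, pkt + off, len);   /* BUG: len vs PAYLOAD_CAP never checked */
            return (int)len;
        }
        off += len;
    }
    return 0;
}

/* Hardened: same loop, plus the destination-capacity check. Returns -2 for an
 * oversized value instead of copying it. */
int parse_tlvs_hardened(frame_t *f, const uint8_t *pkt, size_t pkt_len, uint8_t want_type)
{
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t type = pkt[off], len = pkt[off + 1];
        off += 2;
        if (len > pkt_len - off)
            return -1;
        if (type == want_type) {
            if (len > PAYLOAD_CAP)
                return -2;              /* reject: value does not fit the buffer */
            memcpy(f->slab, pkt + off, len);
            return (int)len;
        }
        off += len;
    }
    return 0;
}

/* Constructed packet: a benign 4-byte TLV of type 1, then a type-2 TLV whose
 * 24-byte value exceeds PAYLOAD_CAP but still fits inside the packet. */
static const uint8_t k_packet[] = {
    0x01, 0x04, 'A', 'B', 'C', 'D',
    0x02, 0x18,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24
};

/* Runs one parser over k_packet asking for TLV type 2 and reports whether the
 * neighbour was corrupted (1) or not (0). */
int overflow_reaches_neighbour(int use_hardened)
{
    frame_t f;
    frame_init(&f);
    if (use_hardened)
        parse_tlvs_hardened(&f, k_packet, sizeof k_packet, 2);
    else
        parse_tlvs_vulnerable(&f, k_packet, sizeof k_packet, 2);
    return !neighbour_intact(&f);
}

int main(void)
{
    printf("vulnerable parser corrupts neighbour: %d\n", overflow_reaches_neighbour(0));
    printf("hardened parser corrupts neighbour:   %d\n", overflow_reaches_neighbour(1));
    return 0;
}
```

The check that matters is the one against the destination, not the source: validating that a TLV lies inside the received packet says nothing about whether its value fits where the parser is about to put it. Fuzzers find this pattern quickly when the harness places a canary object after the buffer, which is what the neighbour region above simulates.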

To read the original article:

https://securityaffairs.co/wordpress/111788/mobile-2/iphone-devices-hack.html
