The technical details of a critical “wormable” iOS bug that could have let a remote attacker take over any device within Wi-Fi range were disclosed by Google Project Zero white-hat hacker Ian Beer.
The flaw, tracked as CVE-2020-3843, is a memory corruption issue (a buffer overflow) in the kernel's Wi-Fi driver that could be exploited to access photos and other sensitive data, including email and private messages.
Beer discovered the bug and, after six months of work, devised a zero-click exploit that triggers it over the air with no interaction from the victim.
Beer stated that the wormable radio-proximity exploit allowed him to gain complete control over any iPhone in his vicinity: he could view all the photos, read all the email, copy all the private messages and monitor everything happening on the device in real time.
The flaw was addressed by Apple in January 2020 with the release of iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3 and watchOS 6.1.2.
A remote attacker could exploit the flaw to trigger an unexpected system termination or corrupt kernel memory.
The vulnerability is a fairly trivial buffer overflow programming error in the kernel's Wi-Fi driver code that parses Apple Wireless Direct Link (AWDL) frames. AWDL is a proprietary Apple mesh networking protocol, used by features such as AirDrop, that lets Apple devices communicate directly with one another.
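The bug class in miniature, as an added example written for this page (it is neither Apple's driver code nor Beer's exploit; the TLV type value, the 1-byte type / 2-byte little-endian length layout, the tree capacity and the peer object layout are all assumptions): a TLV parser that checks the attacker-supplied length against the received frame but not against the fixed-size destination it copies into, beside the hardened version that checks both.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed values for this example; they are not AWDL's real constants. */
#define TLV_SYNC_TREE    0x14                        /* hypothetical TLV type id */
#define MAC_LEN          6
#define MAX_TREE_ENTRIES 10                          /* fixed capacity in the peer object */
#define TREE_CAP         (MAX_TREE_ENTRIES * MAC_LEN)  /* 60 bytes */
#define TLV_HDR_LEN      3                           /* 1-byte type + 2-byte LE length */
#define PEER_SLACK       64                          /* stands in for memory after the tree */

/* Validate a TLV header against the received frame. Returns the payload length
 * and sets *payload, or -1 if the header is truncated, the type is wrong, or the
 * claimed length runs past the end of the frame. */
static int tlv_header(const uint8_t *buf, size_t buf_len, uint8_t want_type,
                      const uint8_t **payload)
{
    if (buf_len < TLV_HDR_LEN || buf[0] != want_type)
        return -1;
    size_t len = (size_t)buf[1] | ((size_t)buf[2] << 8);
    if (len > buf_len - TLV_HDR_LEN)       /* read-side check only */
        return -1;
    *payload = buf + TLV_HDR_LEN;
    return (int)len;
}

/* VULNERABLE pattern: the length is checked against the frame, so the read stays
 * in bounds, but never against the destination, so memcpy writes past the
 * TREE_CAP-byte array into whatever follows it in the peer object. */
int parse_sync_tree_vulnerable(const uint8_t *frame, size_t frame_len, uint8_t *tree)
{
    const uint8_t *payload;
    int len = tlv_header(frame, frame_len, TLV_SYNC_TREE, &payload);
    if (len < 0)
        return -1;
    memcpy(tree, payload, (size_t)len);    /* BUG: len may exceed TREE_CAP */
    return len / MAC_LEN;                  /* entries stored */
}

/* HARDENED: the destination capacity is part of the contract and is checked before
 * the copy; a payload that is not a whole number of MAC addresses is rejected. */
int parse_sync_tree_hardened(const uint8_t *frame, size_t frame_len,
                             uint8_t *tree, size_t tree_cap)
{
    const uint8_t *payload;
    int len = tlv_header(frame, frame_len, TLV_SYNC_TREE, &payload);
    if (len < 0)
        return -1;
    if ((size_t)len > tree_cap || len % MAC_LEN != 0)
        return -1;                         /* write-side check */
    memcpy(tree, payload, (size_t)len);
    return len / MAC_LEN;
}

/* Build a frame carrying one sync-tree TLV whose payload is payload_len bytes of
 * attacker-chosen filler (0x41). Returns the frame length, or 0 if it won't fit. */
size_t build_sync_tree_frame(uint8_t *out, size_t out_cap, size_t payload_len)
{
    if (payload_len > 0xFFFF || TLV_HDR_LEN + payload_len > out_cap)
        return 0;
    out[0] = TLV_SYNC_TREE;
    out[1] = (uint8_t)(payload_len & 0xFF);
    out[2] = (uint8_t)(payload_len >> 8);
    memset(out + TLV_HDR_LEN, 0x41, payload_len);
    return TLV_HDR_LEN + payload_len;
}

/* Model of the peer object: [ tree: TREE_CAP ][ sentinel: 4 ][ slack ]. The sentinel
 * stands in for the field (or heap neighbour) that follows the array in a real
 * driver. Parses a constructed frame with the chosen parser and returns the
 * sentinel afterwards, so corruption is observable; *rc_out gets the parser's rc. */
uint32_t run_peer_demo(int hardened, size_t payload_len, int *rc_out)
{
    uint8_t frame[512];
    uint8_t peer[TREE_CAP + sizeof(uint32_t) + PEER_SLACK];
    uint32_t sentinel = 0xDEADBEEFu;
    size_t frame_len = build_sync_tree_frame(frame, sizeof frame, payload_len);

    memset(peer, 0, sizeof peer);
    memcpy(peer + TREE_CAP, &sentinel, sizeof sentinel);

    int rc = -2;                           /* -2: demo could not be set up */
    if (frame_len != 0 && payload_len <= sizeof peer)  /* keep the demo itself in bounds */
        rc = hardened ? parse_sync_tree_hardened(frame, frame_len, peer, TREE_CAP)
                      : parse_sync_tree_vulnerable(frame, frame_len, peer);
    if (rc_out)
        *rc_out = rc;

    memcpy(&sentinel, peer + TREE_CAP, sizeof sentinel);
    return sentinel;
}

/* Parser verdict alone, for callers that do not need the sentinel. */
int run_peer_rc(int hardened, size_t payload_len)
{
    int rc;
    run_peer_demo(hardened, payload_len, &rc);
    return rc;
}

int main(void)
{
    int rc;
    uint32_t s;
    s = run_peer_demo(0, 60, &rc);
    printf("vulnerable, 60-byte payload: rc=%d sentinel=0x%08X\n", rc, (unsigned)s);
    s = run_peer_demo(0, 66, &rc);
    printf("vulnerable, 66-byte payload: rc=%d sentinel=0x%08X (corrupted)\n", rc, (unsigned)s);
    s = run_peer_demo(1, 66, &rc);
    printf("hardened,   66-byte payload: rc=%d sentinel=0x%08X (rejected)\n", rc, (unsigned)s);
    return 0;
}
```

A frame with an 11-entry (66-byte) payload is accepted by the vulnerable parser and the sentinel modelling the neighbouring field comes back as 0x41414141, while the hardened parser rejects the same frame and leaves it intact. The asymmetry is the point: the read-side check is enough to stop short frames from crashing the parser, which is why such code survives casual testing, but only the write-side check stops an over-long frame from becoming a kernel heap overflow.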
The researcher demonstrated the exploit in a test environment consisting of an iPhone 11 Pro, a Raspberry Pi and two off-the-shelf Wi-Fi adapters.
He remotely achieved arbitrary kernel memory read and write and injected shellcode payloads into kernel memory, bypassing the device's defenses.
He noted that the entire exploit relies on a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro: with that one bug he defeated all the mitigations to remotely gain native code execution and kernel memory read and write.
For testing purposes, Beer populated the target device with 100 random contacts, each with four contact identifiers (home and work email addresses, home and work phone numbers), generated using a modified version of the AppleScript from a StackOverflow answer.
The attack first abuses the AirDrop BTLE (Bluetooth Low Energy) advertisement handling to force the target to bring up its AWDL interface, by brute-forcing a contact hash value that matches one of the 100 contacts stored on the device. Once AWDL is enabled, the attacker triggers the buffer overflow in the AWDL driver to gain kernel code execution and runs a malicious implant as root, achieving full control of the device.
There is no evidence that this vulnerability was exploited in the wild. Beer found the bugs through manual reverse engineering, but he considers it likely that exploit vendors noticed the fixes when they shipped.
In a separate development, researchers at security firm Synacktiv published the technical details of CVE-2020-27950, one of the three actively exploited flaws that Apple patched last month following a report from Google Project Zero.
The three vulnerabilities are a memory corruption issue in FontParser (CVE-2020-27930), a kernel memory leak described as a “memory initialization issue” (CVE-2020-27950) and a type confusion in the kernel (CVE-2020-27932).
Synacktiv also released proof-of-concept exploit code for the kernel memory leak.
Image Credits : gsmarena