CVE-2020-9844 is an iOS security vulnerability disclosed by Google Project Zero researcher Ian Beer. The now-patched critical, wormable bug could enable remote attackers to gain complete control of nearby vulnerable devices over Wi-Fi.
According to the official CVE description, CVE-2020-9844 is a “double free issue” addressed with improved memory management. The bug is fixed in iOS 13.5, iPadOS 13.5 and macOS Catalina 10.15.5. A remote attacker could have caused unexpected system termination or corrupted kernel memory.
The vulnerability could enable attackers to view the victim’s photos and emails and copy all of the user’s private messages. It could also be used to monitor everything that happens on the device in real time, Beer said in his detailed report. It is noteworthy that the researcher needed six months to build a proof of concept, all by himself, through manual reverse engineering.
“For 6 months of 2020, while locked down in the corner of my bedroom surrounded by my lovely, screaming children, I’ve been working on a magic spell of my own. No, sadly not an incantation to convince the kids to sleep in until 9 am every morning, but instead a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time,” his report says.
Beer has no evidence that the exploit has been used in the wild.
What is causing the CVE-2020-9844 vulnerability?
It is triggered by a “fairly trivial buffer overflow programming error” in the Wi-Fi driver for Apple Wireless Direct Link (AWDL), a proprietary mesh networking protocol developed by Apple to make communication between Apple devices easier. Long story short, the exploit uses an iPhone 11 Pro, a Raspberry Pi and two Wi-Fi adaptors to achieve arbitrary kernel memory read and write remotely. That primitive is then leveraged to inject shellcode payloads into kernel memory through a victim process, escaping the process’s sandbox protections to obtain user data.
If you want to get acquainted with the exploit’s more technical details, we advise you to read the very detailed report posted by Ian Beer.
In April 2020, ZecOps researchers discovered two remotely exploitable iOS zero-day vulnerabilities affecting the Mail app on iPhones and iPads. It is highly likely that both bugs had been exploited in the wild by an advanced threat actor since 2018.
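To illustrate the class of mistake the article refers to, here is an added example (not the AWDL driver’s code, which the article does not reproduce, and not Beer’s): a hypothetical type-length-value attribute parser for received frames that trusts the length field, beside a version that validates it against both the destination buffer and the frame it came from. The layout (1-byte type, 2-byte little-endian length, payload) and the sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical attribute layout: 1-byte type, 2-byte LE length, payload. */
#define ATTR_MAX 64
struct attr { uint8_t type; uint16_t len; uint8_t data[ATTR_MAX]; };

/* Vulnerable pattern: the length field comes from the radio frame and is
 * used as the memcpy size without any check, so a frame can make the copy
 * run past data[] (heap/stack overflow) and past the end of the frame. */
int parse_attr_unchecked(const uint8_t *frame, size_t frame_len, struct attr *out)
{
    if (frame_len < 3) return -1;
    out->type = frame[0];
    out->len = (uint16_t)(frame[1] | (frame[2] << 8));
    memcpy(out->data, frame + 3, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened version: the untrusted length must fit the destination buffer
 * and must not exceed the bytes actually present after the header. */
int parse_attr_checked(const uint8_t *frame, size_t frame_len, struct attr *out)
{
    if (frame_len < 3) return -1;
    uint16_t len = (uint16_t)(frame[1] | (frame[2] << 8));
    if (len > ATTR_MAX) return -2;              /* would overflow out->data */
    if ((size_t)len > frame_len - 3) return -3; /* would read past the frame */
    out->type = frame[0];
    out->len = len;
    memcpy(out->data, frame + 3, len);
    return 0;
}

/* Constructed sample frames for exercising the parsers. */
const uint8_t sample_good[]      = { 0x01, 0x03, 0x00, 'a', 'b', 'c' }; /* len 3 */
const uint8_t sample_oversized[] = { 0x01, 0x00, 0x01, 0x41 };          /* len 256 */
const uint8_t sample_truncated[] = { 0x01, 0x0a, 0x00, 'x', 'y' };      /* len 10, 2 present */
```

Only the checked parser should ever be fed the oversized or truncated frames; the unchecked one is shown purely to make the missing comparisons visible.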