Hackers Use iOS Exploit Chains Against iPhone Users


Several privilege escalation exploit chains were discovered in iOS devices by Google’s Threat Analysis Group (TAG) and Project Zero teams.

The vulnerabilities were actively used by threat actors who also used compromised websites to carry out watering hole attacks against iPhone users. Almost all versions between iOS 10 and iOS 12 were affected. The websites used in these attacks were visited thousands of times on a weekly basis.

"Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," wrote Ian Beer of Google Project Zero.

Were the attacks targeted? It appears that they were not, as simply visiting one of these hacked sites was enough for an attack to be launched. In the case of a successful exploit, the attack ended with a piece of spyware dropped on the compromised device.

Google’s Threat Analysis researchers were able to “collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years”.

Related Story: Almost all Apple devices vulnerable to attacks on the AWDL protocol

iOS Exploit Chains: Details

The researchers discovered exploits for fourteen vulnerabilities across five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. One of the privilege escalation chains was considered a zero-day as it was unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286).

The researchers suspect that all the exploit chains were written contemporaneously with their supported iOS versions. The exploitation techniques used suggest that the first exploit, for example, was created around the time of iOS 10.

The first exploit chain leverages only one kernel vulnerability that was directly reachable from the Safari sandbox.
The second exploit chain targets iOS 10.3 through 10.3.3. Ian Beer independently discovered and reported the bug to Apple, and it was patched in iOS 11.2.

The third chain targeted the versions between iOS 11 and 11.4.1, spanning almost 10 months. This is the first chain the researchers observed having a separate sandbox escape exploit:

The sandbox escape vulnerability was a severe security regression in libxpc, where refactoring led to a < bounds check becoming a != comparison against the boundary value. The value being checked was read directly from an IPC message, and used to index an array to fetch a function pointer.
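The regression Beer describes is easy to reproduce in miniature. The following C program is an added illustration, not code from Google's report or from libxpc: it uses a hypothetical four-entry handler table and a constructed four-byte message whose first field is the selector. The "regressed" check rejects only the exact boundary value, so every larger (or wrapped-around) selector passes and would index past the table; the correct check rejects everything at or beyond the boundary. Only the correct check is ever used to dereference the table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical dispatch table with four handlers; the boundary value is 4. */
#define NUM_HANDLERS 4u

static int handler_ping(void)  { return 1; }
static int handler_open(void)  { return 2; }
static int handler_read(void)  { return 3; }
static int handler_close(void) { return 4; }

typedef int (*handler_fn)(void);
static const handler_fn handlers[NUM_HANDLERS] = {
    handler_ping, handler_open, handler_read, handler_close
};

/* Regressed check (the bug pattern): accepts any selector except the boundary itself.
 * Selectors 5, 6, ... and 0xffffffff are all accepted and would read past the table. */
int selector_accepted_regressed(uint32_t sel) {
    return sel != NUM_HANDLERS;
}

/* Correct check: accepts only selectors strictly inside the table. */
int selector_accepted_correct(uint32_t sel) {
    return sel < NUM_HANDLERS;
}

/* Constructed message layout (assumption for this example): a little-endian
 * 32-bit selector at offset 0. Returns 0 on success, -1 if the message is short. */
static int read_selector(const uint8_t *msg, size_t len, uint32_t *out) {
    if (msg == NULL || len < 4) return -1;
    *out = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
           ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    return 0;
}

/* Safe dispatcher: validates the untrusted selector with the correct check
 * before touching the table. Returns the handler's result, or -1 on rejection. */
int dispatch_message(const uint8_t *msg, size_t len) {
    uint32_t sel;
    if (read_selector(msg, len, &sel) != 0) return -1;
    if (!selector_accepted_correct(sel)) return -1;
    return handlers[sel]();
}

int main(void) {
    /* Constructed sample messages: one in range, one just past the boundary. */
    const uint8_t in_range[4]  = { 2, 0, 0, 0 };
    const uint8_t past_end[4]  = { 9, 0, 0, 0 };
    printf("selector 9: regressed check accepts=%d, correct check accepts=%d\n",
           selector_accepted_regressed(9u), selector_accepted_correct(9u));
    printf("dispatch in-range -> %d, dispatch past-end -> %d\n",
           dispatch_message(in_range, sizeof in_range),
           dispatch_message(past_end, sizeof past_end));
    return 0;
}
```

The point to check in review is the shape of the comparison, not the constant: a `!=` against a length or count only ever excludes one value, so any refactor that replaces `<` with `!=` on an index taken from untrusted input should be treated as a bounds-check removal.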

The fourth exploit chain was created for versions iOS 12-12.1. It should be mentioned that the two vulnerabilities were unpatched when they were discovered in the wild. "It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4,” Beer explained.

The fifth exploit chain is “a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 Security":

On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition. Brandon Azad independently discovered and reported the same issue to Apple on December 6th, 2018. Apple patched this issue on January 22, 2019, with both @S0rryMyBad and Brandon credited in the release notes for iOS 12.1.4 (CVE-2019-6225). It even won a pwnie at Blackhat 2019 for best privilege escalation bug!

The victims in these attacks were infected shortly after visiting one of the hacked websites, with spyware being dropped and launched on the compromised iPhones.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
