Hackers Use iOS Exploit Chains Against iPhone Users


Google's Threat Analysis Group (TAG) and Project Zero teams discovered several privilege escalation exploit chains being used against iOS devices.

The vulnerabilities were actively exploited by threat actors who used compromised websites to carry out watering hole attacks against iPhone users. Almost every version from iOS 10 to iOS 12 was affected. The websites used in these attacks were visited thousands of times a week.

"Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," wrote Ian Beer of Google Project Zero.

Were the attacks targeted? They appear not to have been: simply visiting one of the hacked sites was enough for an attack to be launched. If the attack succeeded, it ended with a piece of spyware dropped on the compromised device.

Google's researchers were able to "collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years".


iOS Exploit Chains: Details

The researchers found exploits for fourteen vulnerabilities across the five exploit chains: seven in the iPhone's web browser, five in the kernel and two separate sandbox escapes. One of the privilege escalation chains was a zero-day, as its two vulnerabilities were unpatched at the time of discovery (CVE-2019-7287 and CVE-2019-7286).

The researchers suspect that each exploit chain was written at the time its supported iOS versions were current. The exploit techniques used suggest, for example, that the first chain was created around the time of iOS 10.

The first exploit chain leverages a single kernel vulnerability that was directly reachable from the Safari sandbox.

The second exploit chain targets iOS 10.3 through 10.3.3. Ian Beer independently discovered and reported the bug to Apple, and it was patched in iOS 11.2.

The third chain targeted iOS 11 through 11.4.1, spanning almost 10 months. This is the first chain in which the researchers observed a separate sandbox escape exploit:

The sandbox escape vulnerability was a severe security regression in libxpc, where refactoring led to a < bounds check becoming a != comparison against the boundary value. The value being checked was read directly from an IPC message, and used to index an array to fetch a function pointer.
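To make that regression concrete, here is an added C illustration, not Apple's or libxpc's code: the handler table, names and sample indices are invented for the example. It shows a function-pointer table indexed by an untrusted IPC value, with the regressed `!=` check beside the correct `<` bounds check, so a reviewer can see which inputs each one wrongly lets through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical dispatch table standing in for the libxpc handler
 * array the quoted text describes (constructed for this example). */
typedef int (*handler_fn)(void);
static int handle_ping(void)  { return 1; }
static int handle_open(void)  { return 2; }
static int handle_close(void) { return 3; }

static const handler_fn handlers[] = { handle_ping, handle_open, handle_close };
#define NUM_HANDLERS ((int64_t)(sizeof(handlers) / sizeof(handlers[0])))

/* Regressed check ("<" became "!="): only the exact boundary value is
 * rejected, so any larger index, or a negative one, is accepted and
 * would read a function pointer from outside the table. */
bool index_ok_regressed(int64_t idx)
{
    return idx != NUM_HANDLERS;
}

/* Correct check: accept only indices inside [0, NUM_HANDLERS). */
bool index_ok_bounded(int64_t idx)
{
    return idx >= 0 && idx < NUM_HANDLERS;
}

/* Dispatch on an index taken from an untrusted IPC message. Returns the
 * handler's result, or -1 if the index fails the proper bounds check. */
int dispatch(int64_t untrusted_idx)
{
    if (!index_ok_bounded(untrusted_idx))
        return -1;
    return handlers[untrusted_idx]();
}

int main(void)
{
    /* Constructed sample of indices an IPC message might carry. */
    const int64_t samples[] = { 0, 2, 3, 4, -1, 1000 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long long v = (long long)samples[i];
        printf("idx=%5lld  regressed-accepts=%d  bounded-accepts=%d  dispatch=%d\n",
               v, index_ok_regressed(samples[i]), index_ok_bounded(samples[i]),
               dispatch(samples[i]));
    }
    return 0;
}
```

Only the boundary value 3 is rejected by the regressed predicate; 4, 1000 and -1 all pass it, which is exactly the out-of-bounds function-pointer fetch the quote describes.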

The fourth exploit chain was built for iOS 12 through 12.1. Notably, its two vulnerabilities were still unpatched when they were discovered in the wild. "It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4," Beer explained.

The fifth exploit chain is "a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security":

On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition. Brandon Azad independently discovered and reported the same issue to Apple on December 6th, 2018. Apple patched this issue on January 22, 2019, with both @S0rryMyBad and Brandon credited in the release notes for iOS 12.1.4 (CVE-2019-6225). It even won a Pwnie at Black Hat 2019 for best privilege escalation bug!

Victims were infected shortly after visiting one of the hacked websites, with spyware dropped and launched on the compromised iPhones.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys 'Mr. Robot' and fears '1984'. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
