Google Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws

Two members of Project Zero, Google's elite bug-hunting team, have published details and demo proof-of-concept code for five of six "interactionless" security bugs that impact the iOS operating system and can be exploited via the iMessage client.

Google's cybersecurity researchers have finally disclosed details and proof-of-concept exploits for 4 out of 5 security vulnerabilities that could allow remote attackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.

All the vulnerabilities, which required no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, and Apple patched them just last week with the release of the latest iOS 12.4 update.

Four of these vulnerabilities are "interactionless" use-after-free and memory corruption issues that could let remote attackers achieve arbitrary code execution on affected iOS devices.

Details about one of the "interactionless" vulnerabilities have been kept private because Apple's iOS 12.4 patch did not completely resolve the bug, according to Natalie Silvanovich, one of the two Google Project Zero researchers who found and reported the bugs.


According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is send a malformed message to a victim's phone, and the malicious code will execute once the user opens and views the received item.

The four bugs are CVE-2019-8641 (details kept private), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. The linked bug reports contain technical details about each bug as well as proof-of-concept code that can be used to craft exploits.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device's memory and read files off a remote device, also with no user interaction.

While it is always a good idea to install security updates as soon as they become available, the availability of proof-of-concept code means users should install the iOS 12.4 release with no further delay.


The bugs were discovered by Silvanovich and fellow Google Project Zero security researcher Samuel Groß.

Silvanovich will be holding a presentation about remote and interactionless iPhone vulnerabilities at the Black Hat security conference that will be held in Las Vegas next week.

"There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices," reads an abstract of Silvanovich's talk.

"This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Silvanovich's talk is set to garner a lot of attention next week. Until today, no-user-interaction iOS bugs were usually found only in the arsenals of exploit vendors and makers of lawful-intercept tools and surveillance software. Such vulnerabilities are the holy grail for any attacker, allowing them to compromise victims' devices undetected.

When sold on the exploit market, vulnerabilities like these can bring a bug hunter well over $1 million, according to a price chart published by Zerodium. It wouldn't be an exaggeration to say that Silvanovich just published details about exploits worth well over $5 million, and most likely valued at around $10 million.

Another exploit vendor, Crowdfense, told ZDNet that, considering the no-click attack chain and the fact that the vulnerabilities worked on recent versions of iOS, exploits like these could easily be valued between $2 million and $4 million each, for a total value of between $20 million and $24 million.

Below are brief details, links to the security advisories, and PoC exploits for all four vulnerabilities:

CVE-2019-8647 (RCE via iMessage) — This is a use-after-free vulnerability in the Core Data framework of iOS that can lead to arbitrary code execution due to insecure deserialization when the NSArray initWithCoder method is used.

CVE-2019-8662 (RCE via iMessage) — This flaw is a similar use-after-free vulnerability, residing in the QuickLook component of iOS, which can also be triggered remotely via iMessage.

CVE-2019-8660 (RCE via iMessage) — This is a memory corruption issue in the Core Data framework and the Siri component which, if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.

CVE-2019-8646 (File Read via iMessage) — This flaw, which also resides in the Siri and Core Data iOS components, could allow an attacker to remotely read the contents of files stored on an iOS device without user interaction, running as the mobile user with no sandbox.
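The CVE-2019-8647 entry above attributes that bug to insecure deserialization through NSArray's initWithCoder. As an added illustration that is not part of this article or of the Project Zero reports, the Objective-C below contrasts an NSCoding decoder that lets the archive itself choose which classes get instantiated with an NSSecureCoding decoder that restricts decoding to an explicit allow-list. The two sample archives and the allow-list contents are constructed for the example; the Foundation APIs used are standard. It demonstrates the hardening pattern only and does not reproduce any of the reported bugs.

```objective-c
#import <Foundation/Foundation.h>

// Insecure path: NSCoding with requiresSecureCoding disabled. The archive
// names the classes to instantiate, so a crafted payload can reach
// initWithCoder: on classes the receiving code never intended to decode.
static NSArray *decodeArrayInsecure(NSData *archive) {
    NSError *err = nil;
    NSKeyedUnarchiver *unarchiver =
        [[NSKeyedUnarchiver alloc] initForReadingFromData:archive error:&err];
    if (unarchiver == nil) {
        return nil;
    }
    unarchiver.requiresSecureCoding = NO;   // the weak setting
    id root = [unarchiver decodeObjectForKey:NSKeyedArchiveRootObjectKey];
    [unarchiver finishDecoding];
    return [root isKindOfClass:[NSArray class]] ? root : nil;
}

// Hardened path: NSSecureCoding with an explicit allow-list. Any object in the
// archive, including elements nested inside the array, whose class is not in
// the set causes decoding to fail with an error instead of instantiating it.
static NSArray *decodeArraySecure(NSData *archive, NSError **error) {
    // Constructed allow-list: only the element types this receiver expects.
    NSSet *allowed = [NSSet setWithObjects:[NSArray class], [NSString class],
                                           [NSNumber class], nil];
    id root = [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed
                                                  fromData:archive
                                                     error:error];
    return [root isKindOfClass:[NSArray class]] ? root : nil;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSError *err = nil;

        // Constructed sample payload: the kind of array the receiver expects.
        NSArray *benign = @[@"hello", @42];
        NSData *benignArchive =
            [NSKeyedArchiver archivedDataWithRootObject:benign
                                  requiringSecureCoding:YES
                                                  error:&err];

        // Constructed sample payload standing in for an unexpected class:
        // NSDate is harmless here, but it is not on the receiver's allow-list.
        NSArray *unexpected = @[@"hello", [NSDate date]];
        NSData *unexpectedArchive =
            [NSKeyedArchiver archivedDataWithRootObject:unexpected
                                  requiringSecureCoding:YES
                                                  error:&err];

        // The insecure decoder accepts both, trusting the class names in the archive.
        NSLog(@"insecure/benign:     %@", decodeArrayInsecure(benignArchive));
        NSLog(@"insecure/unexpected: %@", decodeArrayInsecure(unexpectedArchive));

        // The secure decoder accepts the benign payload and rejects the other,
        // returning nil and populating the error.
        err = nil;
        NSLog(@"secure/benign:       %@", decodeArraySecure(benignArchive, &err));
        err = nil;
        NSArray *rejected = decodeArraySecure(unexpectedArchive, &err);
        NSLog(@"secure/unexpected:   %@ (error: %@)",
              rejected, err.localizedDescription);
    }
    return 0;
}
```

The design point is who controls the set of classes that can be instantiated: with plain NSCoding it is the sender of the archive, with NSSecureCoding and an allow-list it is the receiving code. Keeping that list minimal, and checking the root object's class after decoding as both functions do, limits how much untrusted input can influence object construction.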

The vulnerability assigned CVE-2019-8624 resides in the Digital Touch component of watchOS and affects Apple Watch Series 1 and later. Apple patched the issue this month with the release of watchOS 5.3.

Since proof-of-concept exploits for all six security vulnerabilities are now publicly available, users are strongly advised to upgrade their Apple devices to the latest version of the software as soon as possible.

Besides the security fixes, the long-awaited iOS 12.4 update for iPhone, iPad, and iPod touch also brought some new features, including the ability to wirelessly transfer data and migrate directly from an old iPhone to a new one during setup.

For more in-depth analysis, see the sources: 1 2




For more tricks and updates on hacking, stay tuned to our site: Note 4 Tech

