
It is hard to imagine that a hacker can jailbreak an Apple iPhone over the air! But a nation-state-level operation can do almost anything. There is no need to dwell on the news itself; a Google search will give you the details. Here we discuss the vulnerabilities in a little more detail. Security researchers found a total of three vulnerabilities (CVE details shown below):
CVE-2016-4657: WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVE-2016-4656: The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
CVE-2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
Surprise: it jailbreaks the iPhone over the air!
Step 1. The attacker lures the victim into clicking a link in an SMS. An automatic redirect forwards the iPhone to a web site (sms.webadv.co), which immediately downloads the payload. The objective is to deliver the exploit for the WebKit vulnerability.
Attacking WebKit applications by exploiting memory corruption bugs:
Design weakness:
Every WebKit object is a RefCountedBase object.
Mobile Safari and most WebKit apps leak addresses: once an object is freed, its memory is filled with another object, and the JavaScript pointer to the old object is used to read the contents of the new one.
http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/Pegasus-memory-corrupt_zpsscfav0a4.jpg
Step 2.1: CVE-2016-4656 (Kernel Information Leak Circumvents KASLR)
This is the most difficult part, because Kernel Address Space Layout Randomization (KASLR) maps the kernel to a different, unpredictable location in memory on each boot. The attacker found a way to locate the kernel through a function call that leaks the kernel's actual memory location. For instance, it is possible to leak information about memory layout using format string vulnerabilities.
Remark: format string exploits can be used to crash a program or to execute malicious code.
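The format string weakness mentioned above is worth seeing in its smallest form. The following C program is an added example written for this post, not code from the Pegasus samples or from Apple: it shows the vulnerable shape (attacker-controlled text passed as the format argument, the pattern that leaks stack and register contents) as a comment, a hardened logging helper that keeps the format constant, and a small check a defender can apply at a trust boundary to flag input that contains printf directives. The input string is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: text an attacker might control (for example a
 * user name taken from a request). It contains printf directives on purpose
 * so the check below has something to reject. */
static const char *untrusted_input = "alice %p %p %s";

/* Returns 1 if `s` contains a conversion the printf family would interpret.
 * "%%" is an escaped literal percent and does not count. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        return 1;               /* any other '%' starts a directive */
    }
    return 0;
}

/* The vulnerable shape (CWE-134), shown as a comment only so this file
 * compiles without format warnings:
 *
 *     void log_vulnerable(const char *msg) { printf(msg); }
 *
 * With msg = "%p %p %p", printf consumes arguments that were never passed and
 * prints whatever sits in the argument registers and stack slots: this is the
 * memory-layout leak the post refers to. A "%n" directive additionally turns
 * the bug into a memory write. */

/* Hardened shape: the format is a compile-time constant and untrusted text
 * only ever travels as a %s argument. Writes into `out` (capacity `outsz`)
 * and returns the length snprintf would have produced, so the caller can
 * detect truncation. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "user-supplied: %s", msg);
}

int main(void)
{
    char buf[128];

    /* Defensive check at the trust boundary: flag input that would be
     * dangerous if it ever reached a format parameter. */
    if (has_format_directive(untrusted_input))
        printf("warning: input contains format directives; never use it as a format\n");

    log_safe(buf, sizeof buf, untrusted_input);
    printf("%s\n", buf);   /* the directives are printed literally; nothing is leaked */
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) catches the commented-out vulnerable shape at build time, which is the cheapest mitigation of all.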
Step 2.2: CVE-2016-4657 (Memory Corruption in Kernel leads to Jailbreak)
The JavaScriptCore engine in WebKit uses a JIT compiler; to do this it requires a region of memory that is both writable and executable. Reverse engineering of the malware shows that a function called “allocateJIT” is the perpetrator. If a syscall instruction is executed from within the shared JIT memory, the malicious software can escalate its privileges. The last stage deploys a number of files packaged in a standard Unix tarball.
Observation: why did only Apple's patch fix this design bug?
My prediction is that Apple added their own privilege checks in the kernel; only processes which pass these checks are allowed to use the JIT.
Does this mean a national security agency can export data from an iPhone without requesting an escrow key from Apple?
Since the flaws above let the phone be compromised, the attacker can remotely control it: recording voice calls, taking photos and sending them back to the attacker's end. The personal data inside the iPhone is available for export. From a technical point of view, there is no need to request an escrow key! See how important the overall design is? Although the crypto mechanism integrated into the hardware mitigates the risk, a flaw like this still breaks through Apple's protection wall.
http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/Apple-A8_zpskwb6hxx4.jpg
