About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

'How I Hacked the iPhone'

As promised former NSA security researcher Charlie Miller revealed all at Black Hat.

The offending flaw behind his much talked about iPhone exploit, said Charlie Miller at the Black Hat briefings, was in the Safari web browser - more specifically in its supporting WebKit. And more specifically still in its use of an old Perl regular expression library.

Get It

Try It

The flawed version 6.2 of the library, since fixed and updated to version 7.2, was still in use by Apple.

The recent Apple security update fixes the flaw.

Further Details

Miller said he may post further - but not all - details at the ISE website.

Hacking OS X is Easy!

Charlie Miller claims hacking OS X is easy and cites the following reasons.

  • OS X has over fifty SUID root programs to increase 'user friendliness'. These include obscure titles such as Locum, NetCfgTool, afpLoad, TimeZoneSettingTool, and securityFixerTool as well as better known titles such as netstat, top, and ps.

  • Safari's 'friendly'. Safari launches a lot of separate applications on behalf of the user - such as Address Book, Finder, iChat, Script Editor, iTunes, Dictionary, Help Viewer, iCal, Keynote, Mail, iPhoto, QuickTime Player, Sherlock, Terminal, BOMArchiveHelper, Preview, and DiskImageMounter. And a bug in any of these titles can become an exploit leveraged through the web browser for a client side attack.

  • OS X monitors your programs. CrashReporter logs application crashes - it's your free fuzzing monitor. All the data you need is there for the taking in the system log (/var/log/system.log).

  • Source code readily available. The WebKit HTML parsing engine used in Dashboard, Mail, and Safari can be built by anyone. It can be built with debugging symbols - anything you want - to further aid study of crash reports.

  • Apple make exploitation fun. OS X doesn't randomise anything: not program load addresses, not stack or heap addresses, not library mapping addresses. Worse still the heap is executable - all of which makes writing exploits super-easy like it's not elsewhere been since before the New Millennium.

  • No forced updates. Apple largely use 'open source software' with a catch: due to their willful branching their versions are often behind the rest of the industry. Apple's OpenSSH, OpenSSL, Apache, Samba, and CUPS are all behind their 'open source' counterparts. As of 30 July Apple still had an exploitable root vulnerability in their Samba - which hasn't been updated since February 2005.

How to Find an OS X 'Zero Day'

This is easy too, says Charlie Miller.

  1. Check what open source modules Apple use.
  2. Compare version numbers with the rest of the open source community.
  3. Read the change logs for Apple's out of date open source modules.
  4. See if there are bug fixes in the change logs.

Seriously: it doesn't get easier than that. From the PCRE change log one year ago.

18. A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error 'Failed: internal error: code overflow' or in some cases to crash with a glibc free() error. This could even happen if the pattern terminated after [[ but there just happened to be a sequence of letters, a binary zero, and a closing ] in the memory that followed.

<script language='JavaScript'><!-- var re = new RegExp("[[**]] [[**]] [[**]] [[**]]... [[**]]");</script>

The above causes a heap overflow which overflows two bytes for each malformed expression. Up to 3970 bytes can be overflown.

This vulnerability existed in both Safari 2, Safari 3, and Safari for the iPhone.

Again from the change log.

26. If a subpattern containing a named recursion or subroutine reference such as (?P>B) was quantified, for example (xxx(?P>B)){3}, the calculation of the space required for the compiled pattern went wrong and gave too small a value. Depending on the environment, this could lead to 'Failed: internal error: code overflow at offset 49' or 'glibc detected double free or corruption' errors.

<script language='JavaScript'><!-- var re = new RegExp("(?P<a>)(?P>a){3}(?P<b>)(?P>b){3}");</script>

Miller and his team fuzzed the iPhone with a number of JavaScript regular expressions using the '[**]' sequence. They sorted through their crash reports - and eventually found a 'good one'.

See Also
Alpine Dottie
Effective UID: 0
iPhone iPatched
iPhone Ramdisk
iPhone and Security
iPhone and the Media
iPhone and Full Disclosure
iPhone Hack to be Patched
iPhone OS X System Architecture

Thanks to Devon at Pixel Groovy for the excellent artwork.

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.