Full Disclosure mailing list archives

Re: [GSEC-TZO-45-2009] iPhone remote code execution

From: Rob Fuller <jd.mubix () gmail com>
Date: Thu, 23 Jul 2009 09:14:25 -0400

Are there memory protections in 3.x to stop this or is it purely a lack of
time/testing to find the exploit vector?

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


2009/7/23 Thierry Zoller <Thierry () zoller lu>


Fell quite behind on this one, here it is.
___________________________________________________________________

     Phone &iPod Touch - Remote arbritary code execution
___________________________________________________________________


Reference : [GSEC-TZO-45-2009] - iPhone remote arbritary code execution
WWW       : http://www.g-sec.lu/iphone-remote-code-exec.html
CVE       : CVE-2009-1698
BID       : 35318
Credit    : http://support.apple.com/kb/HT3639
Discovered by : Thierry Zoller

Affected products :
- iPhone OS 1.x through 2.2.1
- iPhone OS for iPod touch 1.x through 2.2.1

I. Background
¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational
corporation which designs and manufactures consumer electronics and software
products. The company's best-known hardware products include "

II. Description
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Calling the CSS attr() attribute with a large number leads to memory
corruption, heap spraying allows execution of code.

III. Impact
¨¨¨¨¨¨¨¨¨¨¨
Arbitrary remote code execution can be achieved by creating a special
website and entice
the victim into visiting that site.

IV. Proof of concept
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
None will be released


VI. About
¨¨¨¨¨¨¨¨¨¨
G-SEC ltd. is an independent security consultancy group, founded to
address the growing need for allround (effective) security consultancy
in Luxembourg.

By providing extensive security auditing, rigid policy design, and
implementation of cutting-edge defensive/offensive systems, G-SEC
ensures robust, thorough, and  uncompromising protection for
organizations seeking enterprise wide data security.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[GSEC-TZO-45-2009] iPhone remote code execution Thierry Zoller (Jul 23)
- Re: [GSEC-TZO-45-2009] iPhone remote code execution Rob Fuller (Jul 23)