iOS 7.1 exploit for memory corruption issue in core graphics library leads to arbitrary code execution

Haven’t upgraded to iOS 8 yet? This is must-know news for you.

If you haven’t upgraded your iPhone, iPad or iPod Touch to Apple’s iOS 8 operating system, chances are that you are either running your iOS device on iOS 7.1.x or it is jailbroken. The same applies if you are using an Apple TV on a version below 7. If you are still running iOS 7.1.x on your iPhone, iPad or iPod Touch, or a version prior to 7 on your Apple TV, chances are that someone will use a vulnerability called CVE-2014-4377, a memory corruption issue in iOS’s Core Graphics library.

What’s with this CVE-2014-4377?

CVE-2014-4377, in layman’s language, is a memory corruption issue in iOS’s Core Graphics library which enables a potential hacker to deliver a malformed PDF through the Safari browser and get you to execute arbitrary code, which then turns your device over to the hacker. Though fully owning your iPhone is a long way off, the basic idea of arbitrary code execution is that it describes an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process.

Why is it dangerous now?

The vulnerability called CVE-2014-4377, and an exploit for it, was made public on GitHub by a user called Feliam two days ago. This exploit makes devices running iOS 7.1.x vulnerable to potential hackers. As per Binamuse, Safari accepts PDF files as a native image format for the HTML <image> tag. Thus browsing an HTML page in Safari can transparently load multiple PDF files without any further user interaction. CoreGraphics is responsible for parsing the PDF files.

Apple’s Core Graphics framework fails to validate the input when parsing the colorspace specification of a PDF XObject. A small heap memory allocation can be overflowed with controlled data from the input, enabling arbitrary code execution in the context of Mobile Safari (a memory layout information leak is needed).
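The two facts above (Safari will fetch a PDF wherever an image tag points at one, and CoreGraphics parses the colorspace of each PDF XObject) give a defender two places to look before such a file reaches an unpatched device. The script below is an added triage example and is not code from the article, from Binamuse or from Feliam’s PoC. It lists image tags in an HTML page whose source is a PDF, and enumerates the XObjects of a PDF together with their /ColorSpace entries so they can be reviewed. The HTML and PDF samples are constructed, the parser handles only uncompressed object dictionaries (it is not a full PDF parser), and the choice to review array-form colorspaces first is a prioritisation heuristic assumed here, not something the article states.

```python
"""Added triage example: find PDFs embedded via image tags and list the
colorspace of every XObject in a PDF.  Not the article's or PoC's code."""
import re
from typing import List, Tuple

# img/image tags with a src attribute (case-insensitive, either quote style)
_IMG_TAG_RE = re.compile(
    r"<(?:img|image)\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_pdf_image_refs(html: str) -> List[str]:
    """Return src values of img/image tags whose path ends in .pdf."""
    refs = []
    for src in _IMG_TAG_RE.findall(html):
        path = src.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
        if path.lower().endswith(".pdf"):
            refs.append(src)
    return refs


# "N G obj ... endobj" blocks; DOTALL because streams contain newlines
_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
_XOBJECT_RE = re.compile(rb"/Type\s*/XObject\b")
# either an array colorspace "[/Indexed ...]" or a plain name "/DeviceRGB"
_COLORSPACE_RE = re.compile(rb"/ColorSpace\s*(\[[^\]]*\]|/\w+)")


def find_xobject_colorspaces(pdf: bytes) -> List[Tuple[int, str]]:
    """Return (object number, colorspace text) for every XObject found.

    XObjects without a /ColorSpace entry are reported as 'none'.  Only
    uncompressed object dictionaries are seen; object streams are ignored."""
    found = []
    for num, body in _OBJ_RE.findall(pdf):
        if not _XOBJECT_RE.search(body):
            continue
        m = _COLORSPACE_RE.search(body)
        cs = m.group(1).decode("latin-1") if m else "none"
        found.append((int(num), " ".join(cs.split())))  # normalise whitespace
    return found


def parametrised_colorspaces(pdf: bytes) -> List[Tuple[int, str]]:
    """XObjects whose colorspace is an array (e.g. /Indexed, /ICCBased).

    Assumed heuristic: array colorspaces carry parameters the parser must
    validate, so a reviewer looks at those first."""
    return [(n, cs) for n, cs in find_xobject_colorspaces(pdf) if cs.startswith("[")]


# Constructed sample inputs (not real malicious content).
SAMPLE_HTML = """<html><body>
<img src="logo.png" alt="logo">
<img src="/assets/brochure.pdf?v=3">
<IMG SRC='evil.PDF' width=1 height=1>
<img src="report.pdf.txt">
</body></html>"""

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R /Im1 5 0 R >> >> >>
endobj
4 0 obj
<< /Type /XObject /Subtype /Image /Width 2 /Height 2 /BitsPerComponent 8
   /ColorSpace [/Indexed /DeviceRGB 1 <ff000000ff00>] /Length 4 >>
stream
\x00\x01\x01\x00
endstream
endobj
5 0 obj
<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /BitsPerComponent 8
   /ColorSpace /DeviceRGB /Length 3 >>
stream
\xff\xff\xff
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("PDFs loaded through image tags:", find_pdf_image_refs(SAMPLE_HTML))
    for num, cs in find_xobject_colorspaces(SAMPLE_PDF):
        print(f"object {num}: ColorSpace {cs}")
    print("review first:", parametrised_colorspaces(SAMPLE_PDF))
```

Run against a real page or file, the first function tells you whether a document is being delivered the way the article describes; the second gives the list of colorspace specifications CoreGraphics will have to parse, which is the input the advisory says is not validated.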

The entire PoC can be read on the Binamuse website, and the author says that he will present a demo soon. The author claims that the exploit is “completely reliable and portable on iOS 7.1.x”. However, some experts beg to differ. A poster, Larry Selter, said that:

“From the exploit page: ‘This exploit needs a companion information leakage vulnerability to bypass ASLR, DEP and Code signing iOS exploit mitigations.’ Sounds like it’s not functional out of the box.”

Apple has acknowledged the vulnerability and the exploit on its support page for Apple TV 7 and urged users to upgrade to the latest version of the operating system as soon as possible. Apple’s support page, however, does not mention the effects of the exploit on iOS 7.1.x and earlier versions.
