iOS 7_1 exploit for CVE-2014-4377 critical flaw publicly available

Pierluigi Paganini September 23, 2014

Users which haven’t upgraded their systems to the Apple iOS 8 could be victims of a new iOS 7.1 exploit targeting the CVE-2014-4377 vulnerability.

Security experts at Binamuse firm have discovered the availability online of the exploit kit which targets the vulnerability coded CVE-2014-4377, a memory corruption issue in iOS’s core graphics library. The exploitation of CVE-2014-4377 could allow a threat actor to deliver a malformed PDF through the Safari Browser and get victim to execute an arbitrary code which allow the attacker to gain complete control of the victim’s device.

The list of devices potentially affected by the CVE-2014-4377 flaw is long, iPhone, iPad or iPod Touch that are still running iOS 7.1.x or its jail broken are affected by the vulnerability. The vulnerability also affects Apple TV version below 7.

Unfortunately the exploit for the CVE-2014-4377 vulnerability was publicly disclosed on Github by a user called Feliam recently.  This exploit makes the devices running on iOS 7.1.x vulnerable to potential hackers. Safari browser accepts PDF files as native image format for the < image > html tag, this means that visiting an html page in Safari can load multiple pdf files without the user being aware of it.

CVE-2014-4377 exploit

The problem resides in the CoreGraphics framework  which fails to correctly parse the PDF files.

The Apple Core Graphics framework doesn’t validate correctly the input when parsing the colorspace specification of a PDF XObject. Providing a specifically crafted input, it is possible to cause the overflow of a small heap memory and an attacker could exploit it to run an arbitrary code in the context of Mobile Safari.

“Apple CoreGraphics library fails to validate the input when parsing the colorspace specification of a PDF XObject resulting in a heap overflow condition. A small heap memory allocation can be overflowed with controlled data from the input in any application linked with the affected framework. Using a crafted PDF file as an HTML image and combined with a information leakage vulnerability this issue leads to arbitrary code execution. ” reports a blog post published by Binamuse firm.

Experts at Binamuse have published a complete PoC on their website confirming that a demo will be soon available.

The author of the post claims that the exploit is “completely reliable and portable on iOS 7.1.x”, but other experts have a different opinion.  A poster, Larry Selter said that,

“From the exploit page: “This exploit needs a companion information leakage vulnerability to bypass ASLR, DEP and Code signing iOS exploit mitigations.” Sounds like it’s not functional out of the box.” is the comment of a user on the InfoSec Community Forums.

Apple has immediately confirmed the presence of the flaw and the efficiency of the exploit only for the Apple TV. The company published on the support page of Apple TV 7 a post on the security issued and urged users to upgrade to latest version of the operating system as soon as possible.

Pierluigi Paganini

(Security Affairs – iOS, CVE-2014-4377)

you might also like

leave a comment