Google Project Zero hackers disclose details and PoCs for 4 iOS RCE flaws

Security experts at Google disclosed details and proof-of-concept exploit codes for 4 out of 5 security vulnerabilities in Apple iOS.

Researchers at Google disclosed details and proof-of-concept exploit codes for 4 out of 5 security vulnerabilities in Apple iOS that could be exploited by attackers to hack Apple devices by sending a specially-crafted message over iMessage. The vulnerabilities required no user interaction to be exploited.

The flaws were reported by Google Project zero white hat hackers Samuel Groß and Natalie Silvanovich. Below the list of the flaws:

• CVE-2019-8647 is a use-after-free flaw that resides in the Core Data framework that can cause arbitrary code execution due to insecure deserialization when the NSArray initWithCoder method is used. This flaw can be exploited remotely via iMessage and crash Springboard without any user interaction.
  
• CVE-2019-8662 is a use-after-free flaw that resides in the QuickLook component of iOS, this flaw can be exploited remotely via iMessage without any user interaction.
• CVE-2019-8660 is a memory corruption issue that resides in Core Data framework and Siri component. The flaw could be exploited by remote attackers to cause an unexpected application termination or to get arbitrary code execution. “This issue would likely be fairly difficult to exploit due to the uncontrolled nature of these copies.”
• CVE-2019-8646 resides in the Siri and Core Data iOS components, it could be exploited by an attacker to read the content of files stored on iOS devices remotely without user interactions.

Google researchers did not disclose details for one these flaws, tracked as CVE-2019-8641, because the Apple iOS update patch did not completely address the flaw.

Apple addressed the vulnerabilities with the release of the latest iOS 12.4 update.

The other flaw, tracked as CVE-2019-8646, is an out-of-bounds read that can be exploited by a remote attacker to read files stored on the target’s device. The flaw could be exploited by just sending a specially-crafted message via iMessage.

Last week, Silvanovich also released details and a PoC exploit for another out-of-bounds read vulnerability, tracked as CVE-2019-8624, that could be exploited by remote attackers to leak memory and read files from the target devices.

The CVE-2019-8624 flaw resides in Digital Touch component of watchOS and affects Apple Watch Series 1 and later. Apple addressed the flaw with the release of watchOS 5.3.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Apple iOS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]