Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Meet WiFiDemon – iOS WiFi RCE 0-Day Vulnerability, and a Zero-Click Vulnerability That Was Silently Patched

ZecOps (posted 4 years ago)
  • A format string vulnerability was discovered within the WiFi daemon. However, it was determined to be unexploitable beyond a DoS. The authors of this article decided to dive a little further into this bug.
  • To me, format string vulnerabilities are incredibly serious because of the capabilities that format strings have. From arbitrary reads to arbitrary writes, it's an extremely serious bug!
  • The vulnerability was in the WiFi daemon, in the code that processes SSID names. The same bug was found in a log file printer as well. This is where things hit the fan...
  • This new format string bug only required the WiFi network to be visible in the vicinity; the phone did not even have to connect to it! To make matters worse, iPhones automatically scan for WiFi names every 3 seconds when the phone is off! This is a 0-click attack, as long as the attacker is in range.
  • In traditional format string exploitation, %n is used to write to arbitrary locations. Apple did not implement this specifier for security reasons. But %@, the Objective-C specifier, can be used to print the contents of an object.
  • By using the %@ specifier, the format string can be made to treat another value on the stack as an object. This could act like a use after free on a stale stack object, or turn other values on the stack into a write.
  • By spraying a substantial number of objects onto the stack with a Beacon Flooding attack, they found values being put onto the stack that are controllable!
  • By dereferencing these values, pointers and potentially function pointers could be written in order to pop a shell. With control over the RIP, a ROP chain will do in order to compromise the device.
  • Exploiting this would likely require a memory leak of some kind: on its own, the bug is enough to get code execution, but an attacker would have no idea where to jump to or which pointers to reference. Awesome bug and research!
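The bug class above comes down to one pattern: attacker-controlled bytes (here, an SSID) being passed as the format argument instead of as data. The following C example is added here and is not code from the ZecOps article or from Apple; it shows the vulnerable logging pattern next to the hardened one, plus a small check a defender can run over scanned SSIDs to flag ones that carry format directives. The function names, the "saw SSID:" log prefix and the sample SSIDs are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Count printf-style directives in an untrusted string, treating "%%" as a
 * literal percent sign. Any non-zero count means the string carries
 * directives and must never be used as a format argument. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent, not a directive */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Detection helper: an SSID that contains directives is suspicious (the sort
 * of beacon the article's beacon-flooding spray would send). */
int is_suspicious_ssid(const char *ssid)
{
    return count_format_directives(ssid) > 0;
}

/* VULNERABLE pattern (deliberately kept for contrast, never called below):
 * the SSID itself becomes the format string, so "%s", "%@" or "%n" inside
 * the SSID are interpreted. With such an SSID this is undefined behaviour. */
int log_ssid_unsafe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, ssid);
}

/* HARDENED pattern: a fixed format literal, the SSID passed as data for %s.
 * Directives in the SSID are now just bytes that get copied. */
int log_ssid_safe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "saw SSID: %s", ssid);
}

/* Convenience wrapper so the safe path can be checked by return value:
 * returns 1 when the safely formatted line equals `expected`. */
int safe_log_equals(const char *ssid, const char *expected)
{
    char line[128];
    log_ssid_safe(line, sizeof line, ssid);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* Constructed sample SSIDs: one benign, one with an escaped percent,
     * one shaped like a format-string probe. */
    const char *ssids[] = { "HomeNet", "100%% legit", "Free WiFi %s%n" };
    char line[128];

    for (size_t i = 0; i < sizeof ssids / sizeof ssids[0]; i++) {
        log_ssid_safe(line, sizeof line, ssids[i]);
        printf("%s  [directives=%d, suspicious=%s]\n",
               line,
               count_format_directives(ssids[i]),
               is_suspicious_ssid(ssids[i]) ? "yes" : "no");
    }
    return 0;
}
```

The safe variant does not try to strip or escape the SSID; it simply never lets untrusted bytes reach the format parser, which is the whole fix. The directive counter is only useful on the detection side, for example to flag beacon floods of SSIDs like `%s%s%s%@` in scan logs.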