
Hack iPhone with only one vulnerability


Software vulnerabilities that allow a system to be compromised without user intervention (for example, without the victim clicking on a malicious link) are of great interest to security researchers. Experts from Google Project Zero, who have devoted the past few months to studying this issue, are no exception.

On Thursday, January 9, Google Project Zero security researcher Samuel Gross demonstrated how an iPhone can be remotely hacked, with access to passwords, messages and email and the ability to activate the camera and microphone, using just one Apple ID and in a few minutes.

The researcher described his attack method in three separate articles on the Google Project Zero blog. The first provides technical details about the vulnerability, the second describes how to bypass ASLR, and the third explains how to remotely execute code on the attacked device while bypassing the sandbox.

During the attack, Gross exploited a single vulnerability in iOS 12.4 (CVE-2019-8641), fixed by Apple in August last year with the release of iOS 12.4.1. With its help, he circumvented ASLR, a technology designed to complicate the exploitation of certain types of vulnerabilities. ASLR works by changing the location of important data structures (executable file images, loaded libraries, heaps and stacks) in the process address space. However, the attack demonstrated by Gross casts doubt on the effectiveness of ASLR.

“The study was mainly motivated by the following question: is it possible to use a remote memory corruption vulnerability to achieve remote code execution on an iPhone without using other vulnerabilities and without any user interaction? A series of publications on this blog proves that yes, it is indeed possible,” Gross said.

 


Source: https://www.securitylab.ru/news/503917.php
