Zero-day vulnerability in Apple iOS

Information disclosure
CVE-2016-4655

The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by “Pegasus”, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).

Known malware:

Trident exploit.

Vulnerability details

Advisory: SB2016082402 - Multiple vulnerabilities in Apple iOS

Vulnerable component: Apple iOS

CVE-ID: CVE-2016-4655

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:O/RC:C

CWE-ID: CWE-200 - Information exposure

Description:

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper input validation. A remote attacker can run a specially crafted application, bypass security restrictions and obtain portions of kernel memory.

Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.

Note: the vulnerability was being actively exploited.


Known APT campaigns:

UAE Human Rights Defender Ahmed Mansoor breach

Trident was used to install “Pegasus”, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies.

Public Exploits:

- WebKit - not_number defineProperties UAF (Metasploit) [Exploit-DB]

External links:

https://support.apple.com/en-us/HT207107
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.