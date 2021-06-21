



A researcher revealed over the weekend that iOS has a bug that disables Wi-Fi connectivity when a device joins a network that uses a booby-trapped name.

After joining a Wi-Fi network whose SSID is "%p%s%s%s%s%n" (quotes not included), iPhones and iPads are unable to join that network, or any other network, afterwards, reverse engineer Carl Schou reported on Twitter.

After joining my personal WiFi with the SSID "%p%s%s%s%s%n", my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing the SSID fixes it :~) pic.twitter.com/2eue90JFu3

It didn't take long for trolls to capitalize on the discovery.

Lack of malice

Schou, the owner of the hacking resource Secret Club, initially found no easy way to restore Wi-Fi functionality. Eventually, he found he could reset the networking stack by going to Settings > General > Reset > Reset Network Settings.

Apple representatives didn't respond to emailed questions about whether they planned to fix the bug and whether it affects macOS or other Apple products.

Schou said in an online message that the bug stems from an internal logging feature of the iOS Wi-Fi daemon that places the SSID inside a format string. Under some circumstances, that condition allows untrusted format strings to be inserted into sensitive parts of the heavily hardened Apple OS. But he and other security experts said the bug is unlikely to be exploited maliciously.

"The real threat is minimal in my opinion, as it is heavily constrained by the length of the SSID and the format itself," he explained. "It could be turned into a logger disclosure, but I don't think it would even be possible to execute code remotely."

A brief analysis of the bug by an outside researcher agreed that it was unlikely to be exploited to execute malicious code. The analysis also found that the bug appears to stem from a flaw in an iOS logging component that effectively turns the SSID into a format string, by concatenating it into one, before writing it to a log file.

Because the string isn't echoed into sensitive parts of iOS, hackers are unlikely to be able to exploit the logging feature maliciously. What's more, an exploit requires the victim to actively join a network carrying the suspicious name.

"For potential exploitation, since it doesn't echo and the remaining parameters don't appear to be controllable, I don't think this case is exploitable," the researcher wrote. "After all, to trigger this bug, the victim needs to connect to that Wi-Fi, with the SSID visible to them. A phishing Wi-Fi portal page might be more effective."

But …

Not all researchers have reached the same assessment. Researchers at security firm AirEye, for instance, say the technique can be used to bypass security appliances at the network perimeter and move unauthorized data into and out of the network.

"While the recent iPhone format string flaw seems benign, the impact of this vulnerability goes well beyond a joke," AirEye researcher Amichai Shulman wrote. "If you are responsible for security in your organization, you need to be aware of this vulnerability, as related attacks can affect corporate data while bypassing common security controls such as NAC, firewalls, and DLP solutions."

Shulman also said that macOS is affected by the same bug. Ars could not immediately confirm this claim. Schou said he hadn't tested macOS himself but had heard reports that the error could not be reproduced on that OS.

The real story

Schou told me that the malicious SSID doesn't crash the network stack every time an iOS device connects to it. "It's non-deterministic, and luckily the Wi-Fi daemon can't keep crashing over something [in] the SSID," he explained. The flaw has existed since at least iOS 14.4.2, released in March, and possibly for years before that.

He said he found the bug while connecting an iPhone to one of his wireless routers. "All my devices are named after various injection techniques to mess with older devices that don't sanitize input," Schou said. "And apparently the latest iOS."

The crash results from what researchers call an uncontrolled format string bug. The flaw occurs when untrusted user input is used as the format string parameter of certain functions in C and C-style languages, the printf family being the classic case. Format tokens such as %s and %x can in some cases be used to read data out of the stack or memory, leaking information; the %n token instead writes to memory. Such bugs were initially thought to be harmless. Researchers later recognized that %n can be used to write attacker-chosen values into memory, which can be turned into execution of malicious code.

The most remarkable thing about the bug is that it exists at all. Numerous programming guidelines exist to prevent this class of format string defect. That arguably the world's most secure consumer operating system failed to properly implement them in 2021 is the real story here.
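The two passages above describe the bug pattern in the abstract: a Wi-Fi daemon that ends up with the SSID inside a format string, and the general uncontrolled format string class where %s/%x read and %n writes. The following is an added example, not Apple's code and not Schou's or the outside researcher's analysis: a tiny C logger with the concatenation-style vulnerable path beside its hardened form, a scanner that counts the directives a name would inject, and an escaper for code paths that must build a format. The function names (`vlog_to`, `log_join_vulnerable`, `log_join_safe`, `count_conversions`, `escape_for_format`), the "wifid: joined network" message text and the sample SSIDs are all constructed here; only the booby-trapped name itself comes from the article.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the SSID reported in the article. */
#define BOOBY_TRAPPED_SSID "%p%s%s%s%s%n"

/* Walk a string the way printf would and count conversion directives.
 * "%%" is a literal percent and is skipped. If a %n is seen, *writes_memory
 * is set: %n stores a value through a pointer argument instead of reading one.
 * ('*' widths also consume arguments; they are not counted separately here.) */
int count_conversions(const char *s, int *writes_memory)
{
    int n = 0;
    if (writes_memory) *writes_memory = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* escaped percent */
        p++;                                           /* skip flags/width/precision/length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                                /* dangling '%' at end of string */
        if (*p == 'n' && writes_memory) *writes_memory = 1;
        n++;
    }
    return n;
}

/* Escape every '%' so the text can be embedded in a format string. Returns the
 * number of characters written (excluding the NUL), or -1 if out is too small. */
int escape_for_format(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz) return -1;
        if (*in == '%') out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* A minimal logging API in the style of many C loggers: the caller hands over a format.
 * (Hypothetical helper; it stands in for whatever the real daemon logs through.) */
static int vlog_to(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the network name is concatenated into the format before formatting,
 * so any %p/%s/%n inside the name is interpreted by vsnprintf. With a benign name this
 * behaves exactly like the safe version, which is why such bugs survive testing; with
 * BOOBY_TRAPPED_SSID it is undefined behaviour (stack reads via %p/%s, a write via %n).
 * Never call it with an unescaped untrusted name. */
int log_join_vulnerable(char *out, size_t outsz, const char *ssid)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "wifid: joined network %s", ssid);
    return vlog_to(out, outsz, fmt);                  /* attacker text is now the format */
}

/* FIXED: the format is a literal and the name travels as an ordinary %s argument. */
int log_join_safe(char *out, size_t outsz, const char *ssid)
{
    return vlog_to(out, outsz, "wifid: joined network %s", ssid);
}

int main(void)
{
    char out[256], escaped[64];
    int writes = 0;

    int n = count_conversions(BOOBY_TRAPPED_SSID, &writes);
    printf("\"%s\": %d directives, contains %%n: %s\n",
           BOOBY_TRAPPED_SSID, n, writes ? "yes" : "no");

    /* Benign name: both paths produce the same line, so the bug is invisible. */
    log_join_vulnerable(out, sizeof out, "CoffeeShop");
    printf("vulnerable path, benign name:   %s\n", out);

    /* Booby-trapped name through the safe path: logged verbatim, nothing interpreted. */
    log_join_safe(out, sizeof out, BOOBY_TRAPPED_SSID);
    printf("safe path, booby-trapped name:  %s\n", out);

    /* Legacy callers that must build a format can escape first; %% collapses back to %. */
    escape_for_format(escaped, sizeof escaped, BOOBY_TRAPPED_SSID);
    log_join_vulnerable(out, sizeof out, escaped);
    printf("vulnerable path, escaped name:  %s\n", out);
    return 0;
}
```

The scanner is the check a reviewer would want in a fuzz or unit test for any logger that accepts caller-built formats: a name that yields a non-zero count, and especially one that sets the %n flag, must never reach the format position. Passing the name as an argument is the real fix; escaping is the fallback for code paths that cannot be restructured.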







