An iOS Zero-click Radio Proximity Exploit Odyssey
Ian Beer (Hacker News, MacRumors):
In this demo I remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction. Over the next 30’000 words I’ll cover the entire process to go from this basic demo to successfully exploiting this vulnerability in order to run arbitrary code on any nearby iOS device and steal all the user data.
[…]
So what went so wrong that it was possible? Unfortunately, it’s the same old story. A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.
[…]
The inevitable question is: But what about the next silver bullet: memory tagging (MTE)? Won’t it stop this from happening?
My answer would be that Pointer Authentication was also pitched as ending memory corruption exploitation. When push came to shove, to actually ship a legacy codebase like the iOS kernel with Pointer Authentication, the primitives built using it and inserted by the compiler had to be watered down to such an extent that any competent attacker should have been able to modify their exploits to work around them.
Epic! Ian Beer has found quite a few amazing bugs.