Trident iOS Vulnerabilities Fully Dissected

The recently disclosed "Trident" 0-day vulnerabilities that put owners of iOS devices at risk were patched in August, but the full technical details on them have been released only this week.

The three critical flaws that Citizen Lab and Lookout security researchers disclosed in August were being exploited by a piece of high-end surveillance software dubbed Pegasus to silently compromise iOS devices. Sold by NSO Group Technologies Ltd, a Herzelia, Israel-based firm, the software was referred to as “the most sophisticated attack seen on any endpoint.”

The vulnerabilities put owners of iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later at risk.

On August 25, Apple released iOS 9.3.5 to address these vulnerabilities, but revealed only a few details on each of them. More interesting at that time was the Pegasus software, which was being sold to governmental agencies and used against journalists, activists, government opposition, and other targets of interest worldwide.
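As an added illustration (not from the article, Lookout or Apple), the check a fleet administrator would run against a device inventory to find iPhones, iPads and iPod touches still running a build older than the 9.3.5 fix. The CSV inventory below is constructed, and the column names are an assumption; the point is to compare versions as integer tuples rather than strings, so that 9.3.10 is correctly treated as newer than 9.3.5.

```python
"""Flag inventoried iOS devices that predate the iOS 9.3.5 Trident fix."""
import csv
import io

# Build in which Apple patched CVE-2016-4655, -4656 and -4657.
FIXED_VERSION = (9, 3, 5)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5); '9.3' is padded to (9, 3, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(version: str) -> bool:
    """True when the reported build is older than 9.3.5.

    Tuple comparison avoids the string pitfall where '9.3.10' < '9.3.5'.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample inventory; column names are assumed, not from any MDM.
INVENTORY_CSV = """\
device_id,model,ios_version
A1,iPhone 6s,9.3.4
A2,iPhone 5,9.3.5
A3,iPad Air,9.3
A4,iPod touch 6,9.3.10
A5,iPhone 4s,8.4.1
"""


def unpatched_devices(csv_text: str) -> list[str]:
    """Return the device_ids whose ios_version predates the fix."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["device_id"] for row in reader if is_vulnerable(row["ios_version"])]


if __name__ == "__main__":
    for device_id in unpatched_devices(INVENTORY_CSV):
        print(f"{device_id}: update to iOS 9.3.5 or later")
```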

In fact, soon after the news on Trident broke, Israel's secretive surveillance industry came into the spotlight. A report by the British NGO Privacy International revealed that 27 surveillance firms are headquartered in Israel, all of which are supposed to design technology for fighting crime and terrorism through legal means. However, many question whether enough attention is paid to the potential abuse of this technology.

Tracked as CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, the three security flaws were patched in OS X and Safari too, soon after the iOS emergency fix was released.

Now, Lookout has decided to publish the full technical details (PDF) on these vulnerabilities and to explain how exactly the exploitation chain (and infection with Pegasus) works: it all starts with a vulnerability in Safari WebKit, continues with a kernel base mapping flaw, and ends with a kernel memory corruption that leads to jailbreak. To these steps, however, Pegasus spyware’s persistence mechanism is added.

Affecting WebKit’s JavaScriptCore library, the first vulnerability (CVE-2016-4657) can be exploited when the user clicks on a spear-phishing link that opens the Safari browser. By running a JavaScript payload in the browser, the attacker can gain arbitrary code execution in the context of the Safari WebContent process, Lookout explains.

The Pegasus spyware exploited the vulnerability by passing a specifically crafted sequence of properties to the defineProperties() method. The software would make multiple attempts (up to a total of 10) to trigger the flaw and check whether a stale reference has been successfully acquired, after which it would set up the tools for arbitrary native code execution and then move to create an executable mapping containing the native code payload.

After the first stage of the attack has been completed, the second stage is triggered in an attempt to exploit a kernel information leak (CVE-2016-4655). This is when the malicious software tries to escalate privileges on the victim’s iPhone and make the necessary preparations for the final stage, which results in jailbreak.

The security researchers discovered that Pegasus uses the stage 2 binary in two different contexts: as a complete iOS kernel exploit, or to check for an existing jailbreak and install Pegasus-specific kernel patches. For that, however, it needs to “determine the location of the kernel in memory, escalate its own privileges, disable safeguards, and then install the necessary tools for jailbreaking a device,” Lookout explains.

The binary was created in both 32-bit and 64-bit versions, which allows it to target no less than 199 iPhone combinations. Lookout has detailed them separately, because they “deviate enough in their approach,” although they share a lot of similarities.

Finally, the spyware exploits a kernel memory corruption vulnerability (CVE-2016-4656) to jailbreak the compromised device. This involves a series of operations that Lookout refers to as “the final steps carried out in Stage 2.” They are meant to gain root access, to disable code signing, and then to drop and activate the jailbreak binary.

“Stage 2 is activated as the result of a bug in Safari that allows for arbitrary code execution. As one of the last activities Stage 2 performs prior to dropping and activating the jailbreak binary, Stage 2 attempts to cover its infection vector by cleaning up the history and cache files from Safari,” the security researchers explain.

Next, the Pegasus software attempts to achieve persistence on the compromised device, and relies on two distinct issues for that: the presence of the rtbuddyd service within a plist and a vulnerability within the JavaScriptCore binary. The first issue allows the spyware to execute code at boot; it leverages the second to execute the jsc binary and run unsigned code to re-exploit the kernel.
