Connect with us

Hi, what are you looking for?


Mobile & Wireless

Trident iOS Vulnerabilities Fully Dissected

The recently disclosed “Trident” 0-day vulnerabilities that put owners of iOS devices at risk were patched in August, but the full technical details on them have been released only this week.

The recently disclosed “Trident” 0-day vulnerabilities that put owners of iOS devices at risk were patched in August, but the full technical details on them have been released only this week.

The three critical flaws that Citizen Lab and Lookout security researchers disclosed in August were being exploited by a piece of high-end surveillance software dubbed Pegasus to silently compromise iOS devices. Sold by NSO Group Technologies Ltd, a Herzelia, Israel-based firm, the software was referred to as “the most sophisticated attack seen on any endpoint.”

The vulnerabilities put owners of iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later at risk.

On August 25, Apple released iOS 9.3.5 to address these vulnerabilities, but revealed only a few details on each of them. More interesting at that time was the Pegasus software, which was being sold to governmental agencies and used against journalists, activists, government opposition, and other targets of interest worldwide.

In fact, soon after the news on Trident broke, Israel’s secretive surveillance industry came into spotlight. A British NGO Privacy International report revealed that 27 surveillance firms are headquartered in Israel, all of which should design technology for fighting crime and terrorism through legal means. However, many question whether attention is paid to the potential abuse of this technology.

Tracked as CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, the three security flaws were patched in OS X and Safari too, soon after the iOS emergency fix was released.

Now, Lookout has decided to publish the full technical details (PDF) on these vulnerabilities and to explain how exactly the exploitation chain (and infection with Pegasus) works: it all starts with a vulnerability in Safari WebKit, continues with a kernel base mapping flaw, and ends with a kernel memory corruption that leads to jailbreak. To these steps, however, Pegasus spyware’s persistence mechanism is added.

Advertisement. Scroll to continue reading.

Affecting WebKit’s JavaScriptCore library, the first vulnerability (CVE­2016­4657) can be exploited when the user clicks on a spear-phishing link that opens the Safari browser. By running a JavaScript payload in the browser, the attacker can gain arbitrary code execution in the context of the Safari WebContent process, Lookout explains.

The Pegasus spyware exploited the vulnerability by passing a specifically crafted sequence of properties to the defineProperties() method. The software would make multiple attempts (up to a total of 10) to trigger the flaw and check whether a stale reference has been successfully acquired, after which it would set up the tools for arbitrary native code execution and then move to create an executable mapping containing the native code payload.

After the first stage of the attack has been completed, the second stage is triggered in an attempt to exploit a kernel information leak (CVE­2016­4655). This is when the malicious software tries to escalate privileges on the victim’s iPhone and make the necessary preparations for the final stage, which results in jailbreak.

The security researchers discovered that Pegasus uses the stage 2 binary in two different contexts: as a complete iOS kernel exploit or to check for existing jailbreak and install Pegasus specific kernel patches. For that, however, it needs to “determine the location of the kernel in memory, escalate its own privileges, disable safeguards, and then install the necessary tools for jailbreaking a device,” Lookout explains.

The binary was created in both 32­bit and 64­bit versions, which allows it to target no less than 199 iPhone combinations. Lookout has detailed them separately, because they “deviate enough in their approach,” although they pack a lot of similarities.

Finally, the spyware exploits a kernel memory corruption vulnerability (CVE­2016­4656) to jailbreak the compromised device and involves a series of operations that Lookout refers to as “the final steps carried out in Stage 2.” They are meant to gain root access, to disable code signing, and then to drop and activate the jailbreak binary.

“Stage 2 is activated as the result of a bug in Safari that allows for arbitrary code execution. As one of the last activities Stage 2 performs prior to dropping and activating the jailbreak binary, Stage 2 attempts to cover its infection vector by cleaning up the history and cache files from Safari,” the security researchers explain.

Next, the Pegasus software attempts to achieve persistence on the compromised device, and relies on two distinct issues for that: the presence of the rtbuddyd service within a plist and a vulnerability within the JavaScriptCore binary. The first issue allows the spyware to execute code at boot, and leverages the second to execute the jsc binary and run unsigned code to re­exploit the kernel.

Related: Apple Issues Emergency Fix for iOS Zero-Days: What You Need to Know

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...