Vulnerabilities in iOS 7 may now be a little easier to exploit.
Tarjei Mandt, a security researcher with Azimuth Security, published a white paper on Wednesday that breaks down exactly how the Early Random PRNG – which protects mobile operating systems, including iOS 7, from kernel exploits – is vulnerable to brute force.
The report is highly technical, so Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, broke down the report in a Friday email correspondence to help SCMagazine.com readers better understand the findings.
“The kernel is the basis for all security in [any operating system],” Miller said. “It keeps track of the privileges of apps, sandboxes them, enforces code signing, etc. If an attacker knows a vulnerability in the kernel and can exploit it, it would allow apps to break out of their sandbox, download and install new code, do whatever it wants. It would also give remote attackers this possibility too.”
Apple randomizes the layout of memory and masks certain pointers with random values to make kernel exploitation challenging, or to mitigate kernel exploitation, Miller said, explaining the kernel is able carry out tasks because it is aware of the values.
Attackers, meanwhile, are unable to find code to exploit because they do not know the random values, Miller said. But the white paper by Mandt shows exactly how to find those values using brute force. The attackers are, essentially, mitigating the mitigations, Miller explained.
“This means if an attacker knew a vulnerability in the iOS kernel, writing an exploit to take advantage of this vulnerability would be much easier using these techniques,” Miller said. “Keep in mind, you still need a kernel vulnerability and even then this only brings us back to the security level of iOS 5 (before they introduced these mitigations in the first place), which was still pretty tough, but nonetheless until these issues are fixed, the iOS kernel is easier to attack than it was before.”
In the white paper, Mandt offers suggestions that Apple could use to protect against exploitation of these vulnerabilities and which Miller said are not difficult to implement and should be moved on quickly.
