Apple iOS code signing hole found
Security expert Charlie Miller, who has found many holes in iOS and Mac OS X, has discovered a new way to bypass the mandatory code signing in Apple's mobile operating system. Miller has found a way to exploit an unspecified hole in Apple's Nitro JavaScript engine. Nitro has special permissions, when run by Safari, that allow it to perform just-in-time compilation of JavaScript code to native instructions and then execute them.
Miller looked at how that was implemented and investigated a theory that the browser was putting that unapproved code in a specific area of memory where an exception to the code signing requirement applied. Miller says that Apple applies a number of checks to prevent the use of this memory but that he found "this one weird little corner case" which he was able to exploit. Nitro was introduced in iOS 4.3 and the flaw is currently exploitable on any device running 4.3 or later.
To demonstrate the problem, Miller created an innocent-looking stock ticker app and submitted it to Apple's App Store review process, which it passed. The program phones home when its starts up for the first time and asks Miller's server for an unsigned payload which it downloads and then executes. In a YouTube video, Miller demonstrates launching a video, opening a shell for remote access to the device, making the iPhone vibrate and viewing files stored on the device.
Miller's exploit in action
The vulnerability offers attackers a way around the mandatory code signing of iOS applications. The code signing is designed to only allow applications reviewed by Apple to be downloaded from the Apple App Store and run. It is regarded as key to how Apple have kept malware off iPhones and iPads. Miller told Forbes Magazine that "With this bug, you can’t be assured of anything you download from the App Store behaving nicely" adding that "Android has been like the Wild West and this bug basically reduces the security of iOS to that of Android".
Miller says he informed Apple of the bug on 14 October. He went public with information about the flaw on 7 November in the Forbes interview. Apple's response to Miller's exploit was two-fold: The demonstration application was removed from the App Store and Miller's iOS developer licence was withdrawn. Miller told Forbes that the latter move was "heavy handed", noting "I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder." Stefan Esser, another iOS security researcher, pointed out on Twitter that he knew all his research would violate Apple's rules and "That is also a reason why I don't have a dev account".
Miller is planning to present more information about the flaw at the SyScan Conference in Taiwan next week.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
