Old exploit for Sony's PSP works on Apple's iPhone
In the hacker community, Apple's iPhone obviously continues to be the most interesting object for investigation. Unfazed by its supposed security, a hacker group has apparently managed to smuggle their own code onto the current firmware through Safari and execute it via a buffer overflow that occurs while processing TIFF images. A sample "Hello world" is claimed to have been successfully tested several times. Interestingly, the exploit is reported to originate from the PSP hacking scene, which more than a year ago was able to use a TIFF hole to execute its own software on the PSP and so install somewhat modified firmware onto it.
Some additional adjustments must have been needed, however, because the iPhone has an ARM core while the PSP uses a MIPS processor. And the stack in the iPhone is supposed to be marked as non-executable, which ought to prevent the execution of code smuggled into it. The PSP hacker Niacin, who has evidently now turned his attention to the iPhone, says that the exploit writes the code to the heap, which has no special protection.
Instructions also exist on how to get access to the complete file structure of the iPhone under firmware version 1.1.1 and manipulate it. All that's required to do this is to create certain symbolic links before an upgrade to 1.1.1.
Finally, another vulnerability has been found in Mobile Safari, the iPhone's browser. McAfee says that Web sites can download files to the device without requiring confirmation. But they only tested the iPhone firmware 1.0.2. The hole is also said to exist in the beta version 3.0.3 of Safari for Windows. Other browsers, such as Internet Explorer, warn users if Web sites try to store potentially executable files on their system.
The beta version of Safari also allows Web sites or JavaScript running in the local context to access external domains. That would give a script access to local data, for example, and enable it to send that data to the internet. The flaw has been found in Safari 3.0.2 for Windows. According to its discoverer, the exploit also works on iPhones with version 1.0.2. The current version has not yet been tested.
- Confirmed! We have exploited both Itouch / Iphone 1.1.1, message from Niacin
- TIFF exploit, Wiki entry at touchdev.net
- Liveblogging the big iPhone 1.1.1 hack, blog entry by Erica Sadun
- Zero-day Flaw in Safari 3.0.03 Web Browser for Windows, blog entry by McAfee
- iPhone Safari zero day, blog entry by Gareth Heyes
(mba)