[HN Gopher] WiFiDemon - iOS WiFi RCE 0-Day Vuln, and a Zero-Clic...
___________________________________________________________________
WiFiDemon - iOS WiFi RCE 0-Day Vuln, and a Zero-Click Vuln That Was
Patched
Author : tech234a
Score : 24 points
Date : 2021-07-17 20:18 UTC (2 hours ago)
(HTM) web link (blog.zecops.com)
(TXT) w3m dump (blog.zecops.com)
| cesarb wrote:
| There's one question which must always be asked whenever a new
| remote code execution vulnerability like this one is found:
|
| Is it wormable? That is, could a worm use it as a vector for
| spreading?
|
| If I understood this article correctly, the answer in this case
| is probably _YES_. A worm could use this vulnerability to inject
| itself into a phone without any user intervention, and once there
| use the same vulnerability to attack other phones of the same
| model around it, recursively. Since the reach of a WiFi beacon is
| not short (it always uses the lowest speed, and IIRC can easily
| reach a hundred meters), in a dense metropolitan area with enough
| of the vulnerable device models, it could spread very quickly.
|
| In other words, this vulnerability is of the "patch immediately,
| and if you can't, completely disconnect the device until it's
| patched" kind. I don't know much about iOS, but if this were
| Android, just disabling WiFi (without disabling a couple of hard-
| to-find settings related to location) wouldn't be enough;
| airplane mode might be enough, but for this class of device,
| would severely limit its main functionality.
| trav4225 wrote:
| This website is constantly shifting around with my browser... :-/
| NavinF wrote:
| Neat. Maybe we'll get an iOS 14.6 jailbreak out of this.
|
| Can anyone read the decompiled code in the screenshot? It seems
| like it does this:
|
|     x = stringWithFormat(const_string, attacker_string);
|     y = stringWithFormat(const_string2, x);
|     log(y);
|
| Is that really exploitable or am I reading it wrong?
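
The pattern asked about in the last comment, as an added example that is not part of the thread or of the linked article: text that is only ever passed as an argument survives both formatting stages verbatim, so what matters is whether the final logging call treats `y` as data or as a format string. `log_fmt`, `log_safe`, `live_specifiers`, the two constant strings and the sample input are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger with a printf-style signature (assumption). */
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The two formatting stages from the comment: the attacker-controlled
 * text is only ever an ARGUMENT here, so it is copied verbatim. */
static void build_message(char *y, size_t n, const char *attacker_string)
{
    char x[128];
    snprintf(x, sizeof x, "network '%s'", attacker_string); /* const_string  */
    snprintf(y, n, "scan result: %s", x);                   /* const_string2 */
}

/* Count conversion specifiers a printf-style function would act on
 * if s were used as the format ("%%" is a literal percent sign). */
static int live_specifiers(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') count++;
    }
    return count;
}

/* Hardened call: y is data and the format is a constant. The risky form,
 * log_fmt(out, n, y), would make every specifier counted above consume
 * an argument that was never passed. */
static int log_safe(char *out, size_t n, const char *y)
{
    return log_fmt(out, n, "%s", y);
}

int main(void)
{
    char y[256], out[256];
    build_message(y, sizeof y, "guest-%x-%x"); /* constructed input */
    log_safe(out, sizeof out, y);
    printf("%d live specifier(s); logged as data: %s\n", live_specifiers(y), out);
    return 0;
}
```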
___________________________________________________________________
(page generated 2021-07-17 23:01 UTC)