Hmmm. I wonder if an alternative string could be used to open ports or something.
Eh, this particular bug seems to just cause the wifi to go on and off as fast as it can. Specifically, it likely crashes, restarts, crashes, repeats over and over.

It's not likely going to be able to run arbitrary bad code itself. Not saying it can't... but the SSID is limited in data, so the odds of you being able to put enough in there to get it to do anything malicious or useful OUTSIDE of the phone would be... difficult if not impossible.

But what do I know.
 
Eh, Apple should probably completely restaff the WIFI programming unit in its own interest.
Something was bungled here in a highly sensitive area.
Or functionality was implemented, an example of which has now become public.
I am curious to see how Apple comments here.
 
The paper I cited explains why this class of exploits is inherently dangerous and gives some examples of how the input string can be further constructed to attempt to e.g. read or write from/to arbitrary memory locations.

I don't think you did read said paper: I highly suggest it.
Where’s the zero day associated with this. What is the exploitability? The practical implications are different than the theoretical ones.
Not even mentioning dedicated static code analysis tools, even just your standard C compiler would warn e.g. about unsafe uses of printf if the appropriate flags are enabled.

Furthermore, this is a well known problematic input pattern, which means concern about this kind of input should be a standard concern for any possible input source.
Maybe Apple regression tested for injection type vulnerabilities. But this specific pattern didn’t show up in the radar.
 
This. So much this. People seem to be missing the big point here. It’s not whether anyone would connect to a network starting with special characters. It’s how this got all the way through all the layers of QA without being detected.

And that’s the reason I’d not call this an “edge case.” Network names? Sure, unlikely. Situations where you need to handle garbage data in some way before performing operations on it? Extremely frequent.
Well, in my opinion it’s an edge case. But you all can have your own interpretation of this.
 


Complex system
 
Where’s the zero day associated with this. What is the exploitability? The practical implications are different than the theoretical ones.

Sure, but lacking information on the former, one cannot dismiss the latter. Again, there is a reason this class of vulnerabilities is considered dangerous. Furthermore, even assuming the best, it would not be the first time that a vulnerability first thought not to be exploitable in practice is later found to actually be actively exploited in the wild.

Maybe Apple regression tested for injection type vulnerabilities. But this specific pattern didn’t show up in the radar.

I'm not sure what went wrong with Apple's QA but something went wrong for sure.
 
Can you be more specific?
When we get strings from the user, which he can input himself or, as in this case, from an external WiFi, the input has to be "sanitised" before it can be stored in an SQL database. The reason for this is that SQL has its own programming language. So, if I would call my WiFi endpoint "Robert'); DROP TABLE wifiendpointnames;--", then if I successfully guessed the table's name, all stored endpoints would be cleared (the actual table name can be found by checking strings in the assembly).
So, my professor told us in class: if you forget to sanitise your input, then you will be fired from your jobs!
More about SQL injection
 
Sure, but lacking information on the former, one cannot dismiss the latter. Again, there is a reason this class of vulnerabilities is considered dangerous. Furthermore, even assuming the best, it would not be the first time that a vulnerability first thought not to be exploitable in practice is later found to actually be actively exploited in the wild.
Assuming the worst, and taking Apple’s past Group FaceTime bug as an example, you can’t assume it could be anything more than an annoyance. Every vulnerability has to be assessed on its own.
I'm not sure what went wrong with Apple's QA but something went wrong for sure.
And Microsoft and Linux, device makers etc. Nobody gets it right 100%.
 
Assuming the worst, and taking Apple’s past Group FaceTime bug as an example, you can’t assume it could be anything more than an annoyance. Every vulnerability has to be assessed on its own.

I also don't think this will be exploitable in practice, but note that assuming the worst is the correct mindset when dealing with potential security vulnerabilities.

And Microsoft and Linux, device makers etc. Nobody gets it right 100%.

That's a straw man. Nobody is claiming Apple should have perfect software, but when a well known class of vulnerabilities is found it's obviously worrying, especially since modern practices should prevent them.
 
I also don't think this will be exploitable in practice, but note that assuming the worst is the correct mindset when dealing with potential security vulnerabilities.
It’s a good strawman, but all vulnerabilities are evaluated based on the threat level…not defcon 10 automatically.
That's a straw man. Nobody is claiming Apple should have perfect software, but when a well known class of vulnerabilities is found it's obviously worrying, especially since modern practices should prevent them.
This is not a well known case, this is an edge case. It took someone 14 years to find it…that to me is not a known class of vulnerabilities.
 
Format string bugs are not uncommon in C/C++. Someone used the wrong API. One more reason to port code to safer languages like Swift.
You are obviously not a programmer or you would realize Swift doesn’t prevent this class of bug - in fact, if it were an improper NSLog call, it would be exactly the same as C/Objective-C.
(Not to say Swift doesn’t offer better facilities that help prevent this.)
tldr; using a safer language isn’t sufficient unless it also requires you to use safer practices.
 
So, my professor told us in class: if you forget to sanitise your input, then you will be fired from your jobs!
More about SQL injection
That might have been true decades ago, but in today’s world, you absolutely shouldn’t sanitize your inputs. You are quite likely to get it wrong, and if you have to, you are using incorrect APIs / methods anyway. In the case of SQL you could use something like LINQ or an equivalent query system that automatically uses parameters or, if doing SQL directly, you should be using SQL parameters that prevent all injection attacks.
 
No, that's precisely not the case. Format specifiers are parsed at run-time. Otherwise this bug wouldn't exist.
Exactly this.
MacRumors (and most other) blog posts that involves programming make me sad as they exhibit such ignorance and propagate it to others.
 


A wireless network naming bug has been discovered in iOS that effectively disables an iPhone's ability to connect to Wi-Fi.


Security researcher Carl Schou found that after joining a Wi-Fi network with the name "%p%s%s%s%s%n" his iPhone's Wi-Fi functionality was left "permanently disabled."

Changing a hotspot's SSID did nothing to correct the problem, with even a reboot failing to make a difference, according to BleepingComputer.

Other users who were able to replicate the issue have suggested the bug could be related to the initial use in the network name of the percentage sign, which leads to an input parsing issue whereby iOS mistakenly interprets the letters following the "%" as a string-format specifier.


In C and C-style languages, a "%" inside a format string introduces a conversion specifier: functions such as printf() interpret it at run time as an instruction to read (or, with "%n", write) an argument, rather than as literal text. A string that is passed directly as the format argument is therefore interpreted, not copied.

Android phones don't seem to be affected by the same network, but iPhones hit by the problem need to have their network settings reset before a Wi-Fi hotspot can be connected again.

To perform the reset, open the Settings app, tap General -> Reset, then tap Reset Network Settings and confirm the request at the prompt.

Article Link: iOS Bug Causes Specific Network Name to Disable Wi-Fi on iPhones
#%p%s%s%s%s%nGate
 
It’s a good strawman, but all vulnerabilities are evaluated based on the threat level…not defcon 10 automatically

I don't see how it would be a strawman... furthermore your statement does not contradict mine: both practical and theoretical considerations play a role in the evaluation of a threat. Ask yourself e.g. why the corresponding Sonar Rule has a severity of Critical.

This is not a well known case, this is an edge case. It took someone 14 years to find it…that to me is not a known class of vulnerabilities.

That's because you don't know the matter at hand. I have given you a paper which explains exactly what this vulnerability is about, but let me try with an easier article maybe (extra emphasis mine):

Uncontrolled format string is a type of software vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.

That's exactly what's happening in Apple's case.

Note that the original article has been updated with a quick analysis which confirms the bug being indeed a string format vulnerability:

Looks like it’s a format string bug, which is rarely seen nowadays.

[...]

So it’s really a format string bug!
 
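The article and the quoted Wikipedia passage above describe the mechanism in words; the following C program, added here as an illustration and not code from Apple or from anyone in the thread, shows the difference between using an SSID as a format string and using it as data, and adds the check a practitioner would run on untrusted text before it ever reaches a formatter. The `wifi_log` wrapper, the `scan_ssid` scanner and the sample SSIDs are all constructed for this example; nothing is known about how Apple's code actually routes the SSID. Calling the vulnerable path with real conversions such as `%s` or `%n` is undefined behaviour (that is what crashes the phone), so the demonstration uses the harmless `%%` escape to show that the text is interpreted rather than copied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper of the kind found in many code bases.
 * It has no __attribute__((format(printf, 3, 4))), so the compiler's
 * default -Wformat-security check cannot see that untrusted text reaches
 * vsnprintf() as the format. Adding the attribute makes gcc/clang warn on
 * log_ssid_vulnerable() below. */
static int wifi_log(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int rc = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return rc;
}

/* BUG pattern: the SSID is the format argument, so every '%' is interpreted. */
int log_ssid_vulnerable(char *out, size_t n, const char *ssid) {
    return wifi_log(out, n, ssid);
}

/* Fix: the SSID is passed as data behind a fixed "%s" format. */
int log_ssid_safe(char *out, size_t n, const char *ssid) {
    return wifi_log(out, n, "%s", ssid);
}

typedef struct {
    int conversions; /* conversions that consume an argument (%s, %p, %x, ...) */
    int writes;      /* %n conversions: the write-to-memory primitive */
    int malformed;   /* a '%' with no conversion character before end of text */
} format_risk;

/* Parses one printf conversion starting at p (p[0] == '%').
 * Sets *conv to the conversion character ('%' for the "%%" escape,
 * 0 if the text ends first) and returns the number of bytes consumed. */
static size_t parse_conversion(const char *p, char *conv) {
    const char *q = p + 1;
    if (*q == '%') { *conv = '%'; return 2; }                    /* literal percent */
    while (*q && strchr("-+ #0'", *q)) q++;                       /* flags */
    while (*q == '*' || (*q >= '0' && *q <= '9')) q++;            /* width */
    if (*q == '.') { q++; while (*q == '*' || (*q >= '0' && *q <= '9')) q++; } /* precision */
    while (*q && strchr("hlLjzt", *q)) q++;                       /* length modifiers */
    *conv = *q;
    return (size_t)(q - p) + (*q ? 1 : 0);
}

/* Scans untrusted text for anything printf() would treat as a conversion. */
format_risk scan_ssid(const char *ssid) {
    format_risk r = {0, 0, 0};
    for (const char *p = ssid; *p; ) {
        if (*p != '%') { p++; continue; }
        char conv = 0;
        size_t len = parse_conversion(p, &conv);
        if (conv == 0) r.malformed++;
        else if (conv != '%') { r.conversions++; if (conv == 'n') r.writes++; }
        p += len;
    }
    return r;
}

int main(void) {
    /* Constructed sample SSIDs: benign, benign with an escaped percent,
     * a truncated specifier, and the string from the article. */
    const char *samples[] = { "Home", "Cafe 100%% free", "Home 50%", "%p%s%s%s%s%n" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        format_risk r = scan_ssid(samples[i]);
        printf("%-16s conversions=%d writes=%d malformed=%d\n",
               samples[i], r.conversions, r.writes, r.malformed);
        log_ssid_safe(out, sizeof out, samples[i]);
        printf("  safe path keeps the text verbatim: %s\n", out);
    }
    /* Only the "%%" sample is defined behaviour on the vulnerable path. */
    log_ssid_vulnerable(out, sizeof out, samples[1]);
    printf("vulnerable path interprets the text: %s\n", out);
    return 0;
}
```

The scanner is a triage aid, not the fix: the fix is never to let untrusted text occupy the format slot, as `log_ssid_safe` does. On the article's SSID the scanner reports six argument-consuming conversions and one `%n` write, which is exactly the read-then-write shape the quoted Wikipedia passage describes.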