CVE-2016-4655
Published 2016-08-25
CVE-2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
Priority: P1 · 81 · medium · 5.5 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 33.35% (98.2nd percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | ios | — | — |
| apple | iphone_os | < 9.3.5 | 9.3.5 |
| apple | iphone_os | — | — |
| apple | security_update_2016-001_el_capitan_and_security_update_2016-005_yosemite | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP server requests where the User-Agent is logged and URI paths matching '/loader' or '/exploit' are requested — indicative of the Metasploit webkit_trident exploit module staging payloads for CVE-2016-4655/4656/4657.
- Detect delivery of binary payloads over HTTP with Content-Type 'application/octet-stream' from a web server responding to '/loader' and '/exploit' URI paths, consistent with Trident/Pegasus exploit chain staging.
- Look for XHR requests using overrideMimeType('text/plain; charset=x-user-defined') to fetch binary resources — a technique used by the in-browser exploit stage to load the exploit binary.
- The exploit targets ARCH_AARCH64 on the apple_ios platform; the default payload is 'apple_ios/aarch64/meterpreter_reverse_tcp'. Detect outbound TCP connections from iOS devices to attacker-controlled LHOST:LPORT following browser exploitation.
- CVE-2016-4655 is part of the Trident/Pegasus exploit chain (also involving CVE-2016-4656 and CVE-2016-4657). Correlate kernel memory disclosure activity with WebKit UAF and privilege escalation indicators on iOS devices running versions prior to 9.3.5.
- The Metasploit module uses a configurable URIPATH (default '/') and SRVPORT (default 8080); attacker deployments may use any port or URI path, so detections should not rely solely on these defaults.
- The exploit embeds a 'PAYLOAD_URL' string placeholder in the binary payload that is overwritten at runtime with 'tcp://LHOST:LPORT'; scanning for the literal string 'PAYLOAD_URL' in memory or on disk may identify unpatched/staged exploit binaries.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| vulncheck | — | 5.5 | MEDIUM | — |
| cisa | — | 5.5 | MEDIUM | — |
CISA
Apple iOS Information Disclosure Vulnerability
cisa·2022-05-24·CVSS 5.5
CVE-2016-4655 [MEDIUM] CWE-200 Apple iOS Information Disclosure Vulnerability
Vulnerability: Apple iOS Information Disclosure Vulnerability
Affected: Apple iOS
The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-4655
Remediation Due Date: 2022-06-14
Apple
CVE-2016-4655: iOS 10.0.1
vendor_apple·2016-09-13·CVSS 5.5
CVE-2016-4655 [MEDIUM] CVE-2016-4655: iOS 10.0.1
Apple Security Update: About the security content of iOS 10.0.1
Product: iOS
Version: 10.0.1
CVE: CVE-2016-4655
Component: Kernel
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
Apple
CVE-2016-4655: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
vendor_apple·2016-09-01·CVSS 5.5
CVE-2016-4655 [MEDIUM] CVE-2016-4655: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
Apple Security Update: About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
Product: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
CVE: CVE-2016-4655
Component: Kernel
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
Apple
CVE-2016-4655: iOS 9.3.5
vendor_apple·2016-08-25·CVSS 5.5
CVE-2016-4655 [MEDIUM] CVE-2016-4655: iOS 9.3.5
Apple Security Update: About the security content of iOS 9.3.5
Product: iOS
Version: 9.3.5
CVE: CVE-2016-4655
Component: Kernel
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
GHSA
GHSA-32m2-83j8-f3hg: The kernel in Apple iOS before 9
ghsa_unreviewed·2022-05-14
CVE-2016-4655 [HIGH] CWE-200 GHSA-32m2-83j8-f3hg: The kernel in Apple iOS before 9
The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
VulnCheck
Apple iOS Information Disclosure Vulnerability
vulncheck·2016·CVSS 5.5
CVE-2016-4655 [MEDIUM] CWE-200 Apple iOS Information Disclosure Vulnerability
Apple iOS Information Disclosure Vulnerability
The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application.
Affected: Apple iOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf; https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf
Exploit PoC: https://vulncheck.co
No detection rules found.
Exploit-DB
WebKit - not_number defineProperties UAF (Metasploit)
exploitdb·2018-06-05
CVE-2016-4657 WebKit - not_number defineProperties UAF (Metasploit)
WebKit - not_number defineProperties UAF (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WebKit not_number defineProperties UAF',
      'Description' => %q{
        This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'qwertyoruiop', # jbme.qwertyoruiop.com
        'siguza',       # PhoenixNonce
        'tihmstar',     # PhoenixNonce
        'timwr',        # metasploit integration
      ],
      'References' => [
        ['CVE', '2016-4655'],
        ['CVE', '2016-4656'],
        ['CVE', '2016-4657'],
        ['BID', '92651'],
        ['BID', '92652'],
        ['BID', '92653'],
        ['URL', 'https://blog.lookout.com/trident-pegasus'],
        ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero
        # listing is cut off at this point in the indexed excerpt
```
Metasploit
WebKit not_number defineProperties UAF
metasploit
WebKit not_number defineProperties UAF
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2016/Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00005.html
- http://www.securityfocus.com/bid/92651
- http://www.securityfocus.com/bid/92965
- http://www.securitytracker.com/id/1036694
- https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
- https://support.apple.com/HT207107
- https://support.apple.com/HT207145
- https://www.exploit-db.com/exploits/44836/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4655
Published: 2016-08-25
Added to CISA KEV: 2022-05-24
Exploited in the wild