cbcvebase.
CVE-2016-4655
published 2016-08-25

CVE-2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.

Priority: P1 (81), medium
CVSS 3.1 base score: 5.5 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N)
Tags shown: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 33.35% (98.2th percentile)

Affected (5 ranges)

Vendor   Product                                                                    Version range   Fixed in
apple    ios
apple    ios
apple    iphone_os                                                                  < 9.3.5         9.3.5
apple    iphone_os
apple    security_update_2016-001_el_capitan_and_security_update_2016-005_yosemite

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2016-4655/loader
path: data/exploits/CVE-2016-4655/exploit
url:  /loader
url:  /exploit
  • Monitor HTTP server requests where the User-Agent is logged and URI paths matching '/loader' or '/exploit' are requested — indicative of the Metasploit webkit_trident exploit module staging payloads for CVE-2016-4655/4656/4657.
  • Detect delivery of binary payloads over HTTP with Content-Type 'application/octet-stream' from a web server responding to '/loader' and '/exploit' URI paths, consistent with Trident/Pegasus exploit chain staging.
  • Look for XHR requests using overrideMimeType('text/plain; charset=x-user-defined') to fetch binary resources — a technique used by the in-browser exploit stage to load the exploit binary.
  • The exploit targets ARCH_AARCH64 on apple_ios platform; default payload is 'apple_ios/aarch64/meterpreter_reverse_tcp'. Detect outbound TCP connections from iOS devices to attacker-controlled LHOST:LPORT following browser exploitation.
  • CVE-2016-4655 is part of the Trident/Pegasus exploit chain (also involving CVE-2016-4656 and CVE-2016-4657). Correlate kernel memory disclosure activity with WebKit UAF and privilege escalation indicators on iOS devices running versions prior to 9.3.5.
  • The Metasploit module uses a configurable URIPATH (default '/') and SRVPORT (default 8080); attacker deployments may use any port or URI path, so detections should not rely solely on these defaults.
  • The exploit embeds a 'PAYLOAD_URL' string placeholder in the binary payload that is overwritten at runtime with 'tcp://LHOST:LPORT'; scanning for the literal string 'PAYLOAD_URL' in memory or on disk may identify unpatched/staged exploit binaries.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      5.5     MEDIUM     CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd         v2.0      7.1     HIGH       AV:N/AC:M/Au:N/C:C/I:N/A:N
vulncheck             5.5     MEDIUM
cisa                  5.5     MEDIUM