CVE-2016-4656
published 2016-08-25

Priority: P1 · 85 · high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 23.63% (97.5th percentile)
The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Affected

3 ranges

Vendor | Product                                                                  | Version range | Fixed in
apple  | ios                                                                      |               |
apple  | iphone_os                                                                | < 9.3.5       | 9.3.5
apple  | security_update_2016-001_el_capitan_and_security_update_2016-005_yosemite |               |

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2016-4655/loader
path: data/exploits/CVE-2016-4655/exploit
  • Monitor for HTTP servers on port 8080 serving paths /loader and /exploit with Content-Type: application/octet-stream to iOS devices (AArch64 architecture), indicative of the Trident/Pegasus exploit chain delivery.
  • Detect HTTP responses with Content-Type: application/octet-stream served from /loader or /exploit URI paths to Apple iOS user-agents, which is the binary payload delivery mechanism for this exploit.
  • Look for XMLHttpRequest fetching binary resources with overrideMimeType 'text/plain; charset=x-user-defined' combined with Uint32Array manipulation in JavaScript, characteristic of the WebKit UAF exploit stage.
  • The exploit embeds a PAYLOAD_URL string in the binary exploit blob using the pattern 'tcp://<LHOST>:<LPORT>'; scan memory or network captures for this pattern to identify active Meterpreter reverse-TCP staging.
  • The default Metasploit payload for this module is apple_ios/aarch64/meterpreter_reverse_tcp; alert on outbound TCP connections from iOS devices to unexpected hosts following browser activity.
  • This CVE is part of the three-vulnerability Trident/Pegasus chain (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657); detection and remediation should address all three together.
  • The vulnerability is fixed in iOS 9.3.5; devices running earlier versions remain exploitable via a crafted app or browser-based delivery.
  • The same kernel memory corruption vulnerability also affects macOS (El Capitan and Yosemite), patched in Security Update 2016-001 / 2016-005 respectively.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd       | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck |         | 7.8   | HIGH     |
cisa      |         | 7.8   | HIGH     |