CVE-2016-4656
Published: 2016-08-25
Priority: P185 · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · Exploit available · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-14
Exploited in the wild
EPSS: 23.63% (97.5th percentile)
The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 9.3.5 | 9.3.5 |
| apple | security_update_2016-001_el_capitan_and_security_update_2016-005_yosemite | — | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP servers (port 8080 in the indexed Metasploit module) serving the paths /loader and /exploit with Content-Type: application/octet-stream to Apple iOS (AArch64) user-agents; this is the binary payload delivery stage of the Trident/Pegasus exploit chain.
- Look for JavaScript that fetches binary resources via XMLHttpRequest with overrideMimeType('text/plain; charset=x-user-defined') and then manipulates the result through Uint32Array; this is characteristic of the WebKit UAF stage (CVE-2016-4657, the entry point of the chain).
- The exploit embeds a PAYLOAD_URL string in the binary exploit blob using the pattern tcp://<LHOST>:<LPORT>; scan memory or network captures for this pattern to identify active Meterpreter reverse-TCP staging.
- The default Metasploit payload for this module is apple_ios/aarch64/meterpreter_reverse_tcp; alert on outbound TCP connections from iOS devices to unexpected hosts following browser activity.
- This CVE is part of the three-vulnerability Trident/Pegasus chain (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657); detection and remediation should address all three together.
- The vulnerability is fixed in iOS 9.3.5; devices running earlier versions remain exploitable via a crafted app or browser-based delivery.
- The same kernel memory corruption vulnerability also affects macOS (El Capitan and Yosemite), patched in Security Update 2016-001 and Security Update 2016-005 respectively.
- These indicators are derived from the public Metasploit reimplementation, not from the original NSO Group delivery infrastructure; the port and URI paths are operator-controlled and should be treated as weak signals on their own.
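The three network-side indicators above (staged octet-stream delivery to iOS clients on the /loader and /exploit paths, the WebKit-stage JavaScript markers, and the tcp://<LHOST>:<LPORT> staging string in the exploit blob) can be turned into detection logic. The block below is an added example written for this page; it is not the site's code nor the Metasploit module's. The proxy log format, client addresses, user-agent strings, the JavaScript fragment and the byte blob are all constructed for illustration, and the iOS version gate uses the 9.3.5 fix version from the advisory to tag which flagged clients report a pre-fix build.

```python
"""
Detection logic for the Trident/Pegasus delivery indicators listed above.
Added example, not code from the site or from the Metasploit module.
Every input below is constructed; the log format is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed proxy log format: METHOD PATH RESPONSE-CONTENT-TYPE "USER-AGENT" CLIENT-IP
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<ctype>\S+) "(?P<ua>[^"]*)" (?P<client>\S+)$')
# Apple mobile user-agents carry "CPU iPhone OS 9_3_3" (iPhone) or "CPU OS 9_3" (iPad)
IOS_UA_RE = re.compile(r'(?:iPhone|iPad|iPod).*?CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?')
# PAYLOAD_URL pattern from the indicator list: tcp://<LHOST>:<LPORT>
PAYLOAD_RE = re.compile(rb'tcp://([A-Za-z0-9.\-]+):(\d{1,5})')

STAGE_PATHS = {"/loader", "/exploit"}
STAGE_CTYPE = "application/octet-stream"
FIXED_VERSION = (9, 3, 5)  # iOS 9.3.5 ships the fix
JS_MARKERS = ("XMLHttpRequest", "overrideMimeType",
              "text/plain; charset=x-user-defined", "Uint32Array")

# Constructed sample log lines (not real captures). Lines 2 and 3 should alert;
# line 4 is a non-iOS client and line 5 has the wrong content-type.
SAMPLE_LOGS = [
    'GET /index.html text/html "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46" 10.0.0.12',
    'GET /loader application/octet-stream "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46" 10.0.0.12',
    'GET /exploit application/octet-stream "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46" 10.0.0.12',
    'GET /loader application/octet-stream "Mozilla/5.0 (Windows NT 10.0) Chrome/68.0" 10.0.0.40',
    'GET /exploit text/plain "Mozilla/5.0 (iPad; CPU OS 9_3 like Mac OS X) AppleWebKit/601.1.46" 10.0.0.13',
]
# Constructed stand-in for the WebKit stage loader, not the module's JavaScript.
SAMPLE_JS = """
var xhr = new XMLHttpRequest();
xhr.open('GET', '/loader', false);
xhr.overrideMimeType('text/plain; charset=x-user-defined');
xhr.send(null);
var words = new Uint32Array(xhr.responseText.length >> 2);
"""
# Constructed blob: Mach-O 64 magic bytes followed by an embedded staging URL.
SAMPLE_BLOB = b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"PAYLOAD_URL\x00tcp://203.0.113.7:4444\x00\x90\x90"


def ios_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from an iOS user-agent, or None for non-iOS clients."""
    m = IOS_UA_RE.search(ua)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def parse_log(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_delivery(lines: List[str]) -> List[Dict]:
    """Flag octet-stream responses on the stage paths to iOS clients and note
    whether the client's reported build predates the 9.3.5 fix."""
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec is None:
            continue
        ver = ios_version(rec["ua"])
        if ver is None or rec["path"] not in STAGE_PATHS or rec["ctype"] != STAGE_CTYPE:
            continue
        hits.append({"client": rec["client"], "path": rec["path"],
                     "ios": ver, "vulnerable": ver < FIXED_VERSION})
    return hits


def js_stage_signature(body: str) -> bool:
    """True when a script body carries every marker of the WebKit stage."""
    return all(marker in body for marker in JS_MARKERS)


def find_payload_urls(blob: bytes) -> List[Tuple[str, int]]:
    """Extract reverse-TCP staging endpoints embedded in an exploit blob."""
    return [(host.decode("ascii"), int(port)) for host, port in PAYLOAD_RE.findall(blob)]


if __name__ == "__main__":
    for hit in detect_delivery(SAMPLE_LOGS):
        print("delivery:", hit)
    print("js stage signature:", js_stage_signature(SAMPLE_JS))
    print("payload endpoints:", find_payload_urls(SAMPLE_BLOB))
```

The version gate is deliberately advisory: a flagged client on 9.3.5 or later still saw the delivery traffic, so the hit is reported either way and the `vulnerable` field only prioritises triage.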
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL as labelled here (CVSS v2 has no Critical band; NVD rates 9.3 as HIGH) | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
The two nvd vectors describe different preconditions: v2 assumes Network access with medium complexity, while v3.1 assumes Local access with user interaction (a crafted app running on the device, as in the description). That difference, not the impact metrics (all High/Complete in both), accounts for the gap between 9.3 and 7.8.
CISA
Apple iOS Memory Corruption Vulnerability
Source: cisa · 2022-05-24 · CVSS 7.8 · HIGH · CWE-264
Vulnerability: Apple iOS Memory Corruption Vulnerability
Affected: Apple iOS
A memory corruption vulnerability in the Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial of service (DoS) via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-4656
Remediation Due Date: 2022-06-14
Apple
CVE-2016-4656: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
Source: vendor_apple · 2016-09-01 · CVSS 7.8 · HIGH
Apple Security Update: About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
Product: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
CVE: CVE-2016-4656
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
Apple
CVE-2016-4656: iOS 9.3.5
Source: vendor_apple · 2016-08-25 · CVSS 7.8 · HIGH
Apple Security Update: About the security content of iOS 9.3.5
Product: iOS
Version: 9.3.5
CVE: CVE-2016-4656
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
GHSA
GHSA-6x59-8x45-xrp8
Source: ghsa_unreviewed · 2022-05-14 · HIGH · CWE-787
The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Note the weakness classification differs by source: GHSA records CWE-787 (out-of-bounds write), whereas CISA and VulnCheck record CWE-264 (permissions, privileges and access controls). Apple's own advisory only says "memory corruption", so neither mapping is confirmed by the vendor.
VulnCheck
Apple iOS Memory Corruption Vulnerability
Source: vulncheck · 2016 · CVSS 7.8 · HIGH · CWE-264
A memory corruption vulnerability in the Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial of service (DoS) via a crafted application.
Affected: Apple iOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_
No detection rules found.
Exploit-DB
WebKit - not_number defineProperties UAF (Metasploit)
Source: exploitdb · 2018-06-05 · indexed under CVE-2016-4657 (the WebKit entry point of the chain; the module references all three Trident CVEs)
Module header as indexed (the excerpt is cut off mid-reference; the class declaration and the start of `initialize` were lost to tag-stripping in the indexed copy and are restored from the standard Metasploit module skeleton):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Rank and mixin includes are not present in the indexed excerpt.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'WebKit not_number defineProperties UAF',
      'Description' => %q{
        This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'qwertyoruiop', # jbme.qwertyoruiop.com
        'siguza',       # PhoenixNonce
        'tihmstar',     # PhoenixNonce
        'timwr',        # metasploit integration
      ],
      'References'  => [
        ['CVE', '2016-4655'],
        ['CVE', '2016-4656'],
        ['CVE', '2016-4657'],
        ['BID', '92651'],
        ['BID', '92652'],
        ['BID', '92653'],
        ['URL', 'https://blog.lookout.com/trident-pegasus'],
        ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero
```
Metasploit
WebKit not_number defineProperties UAF
Source: metasploit
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2016/Aug/msg00000.html
- http://www.securityfocus.com/bid/92652
- http://www.securitytracker.com/id/1036694
- https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
- https://support.apple.com/HT207107
- https://www.exploit-db.com/exploits/44836/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4656
Timeline
- 2016-08-25: Published
- 2022-05-24: Added to CISA KEV
- Exploited in the wild