CVE-2016-4657
published 2016-08-25

CVE-2016-4657: WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Priority: P194, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability (due 2022-06-14); exploited in the wild
EPSS: 66.79% (99.2th percentile)
Affected

3 ranges
Vendor   Product     Version range   Fixed in
apple    ios         -               -
apple    iphone_os   < 9.3.5         9.3.5
apple    safari      -               -

Detection & IOCs (extracted from sources)

url   http://jbme.qwertyoruiop.com
port  8080
url   /loader
url   /exploit
path  data/exploits/CVE-2016-4655/loader
path  data/exploits/CVE-2016-4655/exploit
  • The Metasploit module defaults to serving the exploit on port 8080 with URIPATH '/'; network detection should flag WebKit user-agents fetching binary resources from unexpected HTTP origins on port 8080.
  • The exploit leverages a use-after-free in WebKit's FrameTree unload handlers ('detachSecurity()'), where a frame DOM object is 'attached' to a detached tree; look for anomalous frame detach/unload sequences in WebKit crash telemetry.
  • The exploit uses ROP by overwriting function pointers after achieving UAF; memory forensics on iOS/Switch WebKit processes should look for unexpected function pointer overwrites in heap regions.
  • The Metasploit payload defaults to 'apple_ios/aarch64/meterpreter_reverse_tcp'; detect outbound reverse TCP meterpreter connections from iOS/aarch64 processes following WebKit activity.
  • The exploit is associated with the Trident/Pegasus spyware chain (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657); correlate with Lookout/CitizenLab Pegasus IOC feeds when triaging WebKit memory corruption alerts.
  • The Metasploit module's SRVPORT and URIPATH are configurable; attackers may change the defaults (port 8080, path '/'), so detection rules should not rely solely on these default values.
  • The Nintendo Switch exploit delivery relies on captive-portal Wi-Fi redirection (HTTP, not HTTPS) to reach the browser applet; the attack surface is limited to unencrypted Wi-Fi captive portal flows on Switch firmware 2.0.0+.
  • The fix for CVE-2016-4657 on Apple platforms was delivered in iOS 9.3.5 and Safari 9.1.3; systems running earlier versions remain vulnerable.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv         -         8.8     HIGH       -
vulncheck   -         8.8     HIGH       -
cisa        -         8.8     HIGH       -