CVE-2016-4657
Published 2016-08-25
Priority P1 · 94 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-14
Exploited in the wild
EPSS 66.79% (99.2nd percentile)
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 9.3.5 | 9.3.5 |
| apple | safari | — | — |
Detection & IOCs (extracted from sources)
- The Metasploit module defaults to serving the exploit on port 8080 with URIPATH '/'; network detection should flag WebKit user-agents fetching binary resources from unexpected HTTP origins on port 8080.
- The exploit triggers a use-after-free in WebKit's JavaScriptCore engine reached through Object.defineProperties (the "not_number defineProperties UAF" named by the Metasploit module and the ET Suricata rule below); JavaScriptCore crashes in WebKit crash telemetry from devices below iOS 9.3.5 / Safari 9.1.3 deserve triage.
- After the UAF the exploit overwrites function pointers to pivot into a ROP chain; memory forensics on the WebKit process (iOS Safari, or the Switch browser applet) should look for unexpected function pointer overwrites in heap regions.
- The Metasploit payload defaults to 'apple_ios/aarch64/meterpreter_reverse_tcp'; detect outbound reverse TCP meterpreter connections from iOS/aarch64 processes following WebKit activity.
- The exploit is part of the Trident/Pegasus spyware chain (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657); correlate with the Lookout and Citizen Lab Pegasus IOC feeds when triaging WebKit memory corruption alerts.
- The Metasploit module's SRVPORT and URIPATH are configurable, so attackers can change the defaults (port 8080, path '/'); detection rules should not rely solely on these default values.
- The Nintendo Switch exploit delivery relies on captive-portal Wi-Fi redirection (plain HTTP, not HTTPS) to reach the browser applet; that attack surface is limited to unencrypted Wi-Fi captive-portal flows on Switch firmware 2.0.0+.
- The fix for CVE-2016-4657 on Apple platforms was delivered in iOS 9.3.5 and Safari 9.1.3; systems running earlier versions remain vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-99xm-29ff-vvqm: WebKit in Apple iOS before 9
ghsa_unreviewed·2022-05-14
CVE-2016-4657 [HIGH] CWE-119 GHSA-99xm-29ff-vvqm: WebKit in Apple iOS before 9
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
OSV
CVE-2016-4657: WebKit in Apple iOS before 9
osv·2016-08-25·CVSS 8.8
CVE-2016-4657 [HIGH] CVE-2016-4657: WebKit in Apple iOS before 9
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
VulnCheck
Apple iOS Webkit Memory Corruption Vulnerability
vulncheck·2016·CVSS 8.8
CVE-2016-4657 [HIGH] CWE-119 Apple iOS Webkit Memory Corruption Vulnerability
Apple iOS Webkit Memory Corruption Vulnerability
Apple iOS WebKit contains a memory corruption vulnerability that allows attackers to execute remote code or cause a denial-of-service (DoS) via a crafted web site. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
Affected: Apple iOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://info.
CISA
Apple iOS Webkit Memory Corruption Vulnerability
cisa·2022-05-24·CVSS 8.8
CVE-2016-4657 [HIGH] CWE-119 Apple iOS Webkit Memory Corruption Vulnerability
Vulnerability: Apple iOS Webkit Memory Corruption Vulnerability
Affected: Apple iOS
Apple iOS WebKit contains a memory corruption vulnerability that allows attackers to execute remote code or cause a denial-of-service (DoS) via a crafted web site. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-4657
Remediation Due Date: 2022-06-14
Ubuntu
WebKitGTK+ vulnerabilities
vendor_ubuntu·2017-01-10
CVE-2016-4613 WebKitGTK+ vulnerabilities
Title: WebKitGTK+ vulnerabilities
Summary: Several security issues were fixed in WebKitGTK+.
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
Apple
CVE-2016-4657: Safari 9.1.3
vendor_apple·2016-09-01·CVSS 8.8
CVE-2016-4657 [HIGH] CVE-2016-4657: Safari 9.1.3
Apple Security Update: About the security content of Safari 9.1.3
Product: Safari
Version: 9.1.3
CVE: CVE-2016-4657
Component: WebKit
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
Apple
CVE-2016-4657: iOS 9.3.5
vendor_apple·2016-08-25·CVSS 8.8
CVE-2016-4657 [HIGH] CVE-2016-4657: iOS 9.3.5
Apple Security Update: About the security content of iOS 9.3.5
Product: iOS
Version: 9.3.5
CVE: CVE-2016-4657
Component: WebKit
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
Suricata
ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)
suricata·2016-11-07·CVSS 8.8
CVE-2016-4657 [HIGH] ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)
ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,to_client; file.data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:4; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, cve CVE_2016_4657, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag C
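The rule above is a pure string pattern, so it is worth seeing exactly what it does and does not catch. What follows is an added example, not code from the page's sources or from Emerging Threats: a Python re-implementation of the content/pcre chain of sid:2023484, run over constructed sample response bodies (labelled as constructed in the code). It also makes the earlier caveat concrete, that rules keyed on literal strings are easy to sidestep: the rule insists on a single-quoted 'try...' literal, so the last sample, which differs only in quote style, is missed.

```python
import re

# Regexes taken from the ET rule's two pcre options. Suricata's "R" modifier
# anchors each pcre at the byte right after the preceding content match;
# re.match(body, pos) gives the same anchoring, so the leading "^" is dropped
# here (Python's "^" would not match at pos > 0 without re.M). "s" and "i"
# map to re.S and re.I.
TRY_CATCH = re.compile(r"\s*?'try\s*?\{\}\s*?catch\(e\)\s*?\{\};", re.S | re.I)
DEFINE_PROPS = re.compile(r"(?:\.|\[\s*?[\"'])defineProperties\s*?\(", re.S | re.I)


def _content_then_pcre(body: str, needle: str, pcre: re.Pattern) -> bool:
    """Emulate `content:"needle"; pcre:"/.../R"`.

    Suricata retries the relative pcre at every occurrence of the content
    keyword, so every occurrence of `needle` is tried, not just the first.
    """
    pos = body.find(needle)
    while pos >= 0:
        if pcre.match(body, pos + len(needle)):
            return True
        pos = body.find(needle, pos + 1)
    return False


def matches_et_2023484(body: str) -> bool:
    """True if `body` (an HTTP response payload) satisfies the rule chain.

    The final content:"defineProperties" carries no relative modifier, so it
    is an absolute, case-sensitive substring test.
    """
    return (
        _content_then_pcre(body, "+=", TRY_CATCH)
        and _content_then_pcre(body, "Object", DEFINE_PROPS)
        and "defineProperties" in body
    )


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    # The shape the rule was written for: payload string concatenation
    # followed by the Object.defineProperties call that reaches the JSC UAF.
    "exploit_like": (
        "var pl = '';\n"
        "pl += 'try{}catch(e){};';\n"
        "var o = {};\n"
        "Object.defineProperties(o, {a: {get: function () { return 1; }}});\n"
    ),
    # Ordinary page code: "+=" and Object.defineProperty are both common,
    # but neither pcre is satisfied.
    "benign": (
        "var total = 0; total += price;\n"
        "Object.defineProperty(window, 'x', {value: 1});\n"
    ),
    # Only the first half of the chain is present; the rule is an AND.
    "partial": "s += 'try{}catch(e){};'; Object.keys(o);\n",
    # Trivial evasion: the rule demands a single-quoted 'try...' literal, so
    # the same code with double quotes slips past unchanged in behaviour.
    "evasion_double_quote": (
        "pl += \"try{}catch(e){};\";\n"
        "Object.defineProperties(o, d);\n"
    ),
}


def scan(samples: dict = SAMPLES) -> dict:
    """Return {sample name: matched?} for every sample body."""
    return {name: matches_et_2023484(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:22s} {'ALERT' if hit else '-'}")
```

Because the `'try...` literal and the `Object.defineProperties(` call are the only things the rule keys on, pair it with the behavioural indicators listed above (reverse TCP meterpreter from aarch64 processes, JavaScriptCore crash telemetry) rather than treating a miss as a clean bill of health.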
Exploit-DB
WebKit - not_number defineProperties UAF (Metasploit)
exploitdb·2018-06-05
CVE-2016-4657 WebKit - not_number defineProperties UAF (Metasploit)
WebKit - not_number defineProperties UAF (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WebKit not_number defineProperties UAF',
'Description' => %q{
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
},
'License' => MSF_LICENSE,
'Author' => [
'qwertyoruiop', # jbme.qwertyoruiop.com
'siguza', # PhoenixNonce
'tihmstar', # PhoenixNonce
'timwr', # metasploit integration
],
'References' => [
['CVE', '2016-4655'],
['CVE', '2016-4656'],
['CVE', '2016-4657'],
['BID', '92651'],
['BID', '92652'],
['BID', '92653'],
['URL', 'https://blog.lookout.com/trident-pegasus'],
['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero
Exploit-DB
Nintendo Switch - WebKit Code Execution (PoC)
exploitdb·2017-03-12·CVSS 8.8
CVE-2016-4657 [HIGH] Nintendo Switch - WebKit Code Execution (PoC)
Nintendo Switch - WebKit Code Execution (PoC)
---
CVE-2016-4657 Switch PoC
body {font-size: 2em;}
a {text-decoration: none; color: #000;}
a:hover {color: #f00; font-weight: bold;}
CVE-2016-4657 Nintendo Switch PoC
go!
reload
waiting... click go.
// display JS errors as alerts. Helps debugging.
window.onerror = function(error, url, line) {
alert(error + ' URL:' + url + ' L:' + line);
};
// based on jbme.qwertyoruiop.com
// Thanks to:
// + qwertyoruiop
// + Retr0id
// + Ando
//
// saelo's phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html
// garbage collection stuff
var pressure = new Array(100);
// do garbage collect
dgc = function() {
for (var i = 0; i -1) {
document.getElementById('status').innerText = 'Found Nintendo Switch! ';
s
Metasploit
WebKit not_number defineProperties UAF
metasploit
WebKit not_number defineProperties UAF
WebKit not_number defineProperties UAF
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
References:
- http://lists.apple.com/archives/security-announce/2016/Aug/msg00000.html
- http://www.securityfocus.com/bid/92653
- http://www.securitytracker.com/id/1036694
- https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
- https://support.apple.com/HT207107
- https://www.exploit-db.com/exploits/44836/
- https://www.youtube.com/watch?v=xkdPjbaLngE
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4657
Timeline:
- 2016-08-25: Published
- 2022-05-24: Added to CISA KEV
- Exploited in the wild