That EVIL TEXT that will CRASH your iPhone: We pop the hood
75-byte character assassination - Apple was so close yet so far
Posted in Cloud, 27th May 2015 19:07 GMT
Analysis Cads and/or bounders can crash and reboot iPhones from afar by sending them specially crafted texts, thanks to a new vulnerability in iOS.
A 75-byte sequence of unicode characters triggers the glitch, and can be smuggled into text messages, causing iThings to crash if they appear in the victim's notification screen. Texting the data to your pals will force their devices to reboot if they try to open it from the notification panel.
The string-of-death crashes applications that use Apple's CoreText library. OS X is vulnerable, too, so sticking the killer sequence in your server's
/etc/motd file will crash Terminal when a Mac user logs in, for example.
The flaw was spotted on Tuesday by a Redditor who received the message shown on the right, which caused their smartphone to crash and reboot to recover. The attack has been replicated on other iOS devices such as Apple's smartwatch.
The problem isn’t with the Arabic characters themselves, but in how the unicode representing them is processed by CoreText, which is a library of software routines to help apps display text on screens.
The bug causes CoreText to access memory that is invalid, which forces the operating system to kill off the currently running program: which could be your text message app, your terminal, or in the case of the notification screen, a core part of the OS.
The crash happens at the instruction at 0x0af42d in CoreText, which is 229 bytes into the
TOpenTypeMorph::ApplyGlyphFeatureTags procedure: glyph feature tags describe how symbols should be displayed. The code, on a 64-bit Intel Mac, looks like this (larger screenshot):
0x0af423 mov rax, qword [ds:rsi+rax+0x8] 0x0af428 test rax, rax 0x0af42b je 0xaf449 0x0af42d mov r12d, dword [ds:rax]
At 0x0af428, CoreText checks whether or not the value in the CPU register rax is zero: if it is, it skips the next part. If not, at 0x0af42d it tries to read a 32-bit value from memory using rax as the memory address.
In other words, it tries using rax as a pointer after checking it is not NULL – this is all well and good, and supposed to trap this sort of crash, except rax ends up with the value 0x04 so the NULL check is useless in this case.
Apple's engineers tried to avoid this sort of meltdown, but the checks were not enough. Typically, nothing is mapped in at that low address; the read triggers a page fault, and the program is blown away by the kernel:
Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000004
There is something about the text sequence that causes rax to end up with a wild low value; it should be rather higher and point into a valid area of data in memory – pop your answers on a postcard to the address below if you find out why before we do.
CoreText is common to iOS and OS X. Previous bugs in its unicode handling have appeared in both operating systems. It appears iOS 8 is affected by this latest flaw, and OS X 10.10; earlier builds may also be vulnerable.
One way around the issue is to turn off lock screen notifications, which if you haven't received the problematic text message should keep you safe, although it is inconvenient.
If some git has sent you the message already you can fix the issue by getting a friend to send you a normal text message to flush it out of the way, although if you reopen the killer message, you're back to square one.
"We are aware of an iMessage issue caused by a specific series of unicode characters and we will make a fix available in a software update," an Apple spokesperson told us via email. ®
CoreText reverse-engineered by Chris Williams.