Unpatched iPhone Bug Allows Remote Device Takeover
Quote: A vulnerability in Apple iOS opens the door to remote code execution (RCE), researchers found. The assessment is a revision from a previous understanding of the flaw that viewed it as a low-risk (and somewhat wacky) denial-of-service (DoS) problem affecting iPhone’s Wi-Fi feature.
 
Apple fixed the original DoS issue with iOS 14.6, without issuing a CVE. But when ZecOps analyzed the bug, researchers found that it could be used for RCE without little interaction with the victim – and that the attack worked on fully patched iPhones.
 
A successful exploit of the bug, which ZecOps dubbed “WiFiDemon,” would allow an attacker to take over the phone, install malware and steal data. It’s expected to be patched in the next week or so, according to some sources. 

The original DoS issue is a string-format bug discovered by researcher Carl Schou, who found that connecting to an access point with the SSID “%p%s%s%s%s%n” would disable a device’s Wi-Fi.

String-format problems occur when operating systems mistakenly read certain characters as commands: In this case, the “%” combined with various letters.
“My iPhone permanently disabled it’s [sic] Wi-Fi functionality,” Schou wrote in his writeup, in June. “Neither rebooting nor changing SSID fixes it :~)”
 
It can, however, be fixed by resetting the Wi-Fi feature in settings – something that wipes out all saved passwords, but which will restore Wi-Fi connections.
 
ZecOps said that a user would need to connect to a malicious access point for the bug to be exploited. But for earlier iPhone releases, there’s no need to lure a victim in: The Auto Join feature is turned on by default on iPhones, allowing them to automatically connect to available Wi-Fi networks in the background. Thus, an attacker would only need to set up an open, non-password-required malicious SSID within range of the target, and then sit back and wait.
 
An anonymous researcher was credited with finding the zero-click aspect of the bug, a fix for which occurred in iOS 14.4.

Read more: Unpatched iPhone Bug Allows Code Execution | Threatpost
Unpatched iPhone Bug Allows Remote Device Takeover - by silversurfer - 20 July 21, 12:22
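
The string-format class of bug described in the quoted article, seen from the defensive side: an added example, not code from the post, Threatpost, ZecOps or Apple. It counts the printf-style directives a network name would trigger if it were ever used as a format string, and shows the standard mitigation of passing the name as data to a constant format. The names `scan_ssid` and `format_ssid_log`, the log wording and the second sample SSID are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32 /* 802.11 SSIDs are at most 32 octets, not NUL-terminated */

/* What a printf-family parser would find if the SSID were used as a format. */
struct ssid_scan { size_t directives; int writes_memory; };

struct ssid_scan scan_ssid(const unsigned char *ssid, size_t len)
{
    struct ssid_scan r = {0, 0};
    for (size_t i = 0; i < len; i++) {
        if (ssid[i] != '%') continue;
        if (i + 1 < len && ssid[i + 1] == '%') { i++; continue; } /* "%%" is literal */
        r.directives++;
        /* Skip flags, width, precision and length modifiers to reach the conversion. */
        size_t j = i + 1;
        while (j < len && ssid[j] && strchr("-+ #0123456789.*$hljztL", ssid[j])) j++;
        if (j < len && ssid[j] == 'n') r.writes_memory = 1; /* %n stores a count */
        i = j;
    }
    return r;
}

/* Mitigation: the SSID is an argument to a constant format, never the format. */
int format_ssid_log(char *out, size_t outlen, const unsigned char *ssid, size_t len)
{
    char clean[SSID_MAX + 1];
    if (len > SSID_MAX) len = SSID_MAX;
    for (size_t i = 0; i < len; i++) /* mask control and non-ASCII bytes */
        clean[i] = (ssid[i] >= 0x20 && ssid[i] < 0x7f) ? (char)ssid[i] : '.';
    clean[len] = '\0';
    return snprintf(out, outlen, "joining network \"%s\"", clean);
}

int main(void)
{
    /* SSID quoted in the article; the second name is a constructed benign sample. */
    const char *samples[] = { "%p%s%s%s%s%n", "Cafe 100%% Arabica" };
    char line[80];
    for (size_t k = 0; k < 2; k++) {
        const unsigned char *s = (const unsigned char *)samples[k];
        struct ssid_scan r = scan_ssid(s, strlen(samples[k]));
        format_ssid_log(line, sizeof line, s, strlen(samples[k]));
        printf("%s -> directives=%zu writes_memory=%d\n", line, r.directives, r.writes_memory);
    }
    return 0;
}
```

Compiling logging code with `-Wformat -Wformat-security` flags call sites where a non-literal string is passed as the format argument.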