iOS Wi-Fi Demon: From iOS Format String to Zero-Click RCE

An article by ICT Experts Luxembourg, the Cyberforce team of POST Luxembourg, about a flaw in the latest version of Apple's iOS.

So, what happened with iOS?

You might have seen the recent bug in iOS 14.0 to 14.4 that crashed the Wi-Fi service when an access point was named a specific way. Apple tagged this bug as a Denial of Service on the Wi-Fi service, but the Zecops Research Team has shown proof that it could be exploited to obtain an RCE, and more precisely a Zero-Click RCE. Although their article explains some of the details of the vulnerability, I wanted to carry out my own investigation. I have formed a good idea of what the vulnerability is, and I will share it through this article.
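As an added illustration (not code from the article, from Apple or from wifid), here is the bug class in miniature: a logging sink that receives the SSID as its format string beside the fixed call, plus the check a defender would run over SSIDs before they reach such a sink. `emit`, `log_ssid_unsafe`, `log_ssid_safe` and `ssid_has_format_directive` are hypothetical names.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a logging sink. The printf format attribute is deliberately
 * omitted so that both call styles below compile without diagnostics. */
static int emit(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Bug class: the message is assembled first, then handed to the sink as
 * the format, so the SSID's own '%' sequences are interpreted. Only the
 * defined-behaviour input "%%" is exercised here; a real conversion such
 * as "%s" in the SSID would be undefined behaviour (the crash the text
 * describes). */
int log_ssid_unsafe(char *out, size_t n, const char *ssid) {
    char msg[128];
    snprintf(msg, sizeof msg, "joined network: %s", ssid);
    return emit(out, n, msg);   /* attacker-controlled text is now the format */
}

/* Fix: the format is a literal and the SSID travels as an argument. */
int log_ssid_safe(char *out, size_t n, const char *ssid) {
    return emit(out, n, "joined network: %s", ssid);
}

/* Defensive check: flag any SSID carrying a printf conversion directive.
 * "%%" is a literal percent sign and is not flagged; a lone trailing '%'
 * is malformed and is flagged. */
bool ssid_has_format_directive(const char *ssid) {
    for (const char *p = ssid; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}
```

With the constructed SSID `Cafe%%Free`, the unsafe path logs `Cafe%Free` (the string was parsed as a format) while the safe path logs it verbatim.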

Debug environment setup

This article won’t only explain what the vulnerability is; it will also allow you to do your own research. To make your life easier I will show you what needs to be done to debug the iOS Wi-Fi service. The only requirements are an iPhone (or maybe a simulated one) and a device that runs macOS (I used a Mac mini).

Preparing the iPhone

The most important thing here is to flash the iPhone to a vulnerable iOS version. Although the format string bug isn’t fixed in versions from iOS 14.0 to iOS 14.6, the Zero-Click form only exists in versions 14.0 to 14.4, as explained by the Zecops team. My investigations were carried out on iOS 14.0, on an iPhone 7 Plus. Firmware images can easily be found online. After flashing the correct firmware on the iPhone, it must be jailbroken in order to establish an SSH connection between the macOS device and the iPhone, which allows its running processes to be debugged. The unc0ver jailbreak was used for my investigations, but any jailbreak should do the trick. After this, use Cydia to install the required SSH packages and get SSH running on the iPhone. The connection can be made over the network, but I connected the iPhone to the Mac mini through USB and used iproxy to forward the required ports. If you want to use this technique, you will need one port for the SSH connection and one port for the remote debugging session. Again, this is not mandatory: you can simply SSH over the network without a cable.

Remote debugging session

Now that I had my SSH connection, I had to set up the debug environment. For this I used lldb on the Mac mini and debugserver on the iPhone, which can be installed with Cydia. Then I just had to run debugserver and attach it to the correct PID (the process name is wifid) to start the listener. Note that if the wifid service stays idle too long because of the debugging process, the iPhone will reboot by itself, which sometimes required me to repeat the jailbreaking process. All that was left to do was to execute the gdb-remote command in lldb to start the debugging session.

Read the full article HERE