A new userland exploit has been used to retrieve confidential information from an iPhone 4S running iOS 6


The Pwn2Own contest is taking place these days, and two hackers managed to use a Safari vulnerability to exploit an iPhone 4S, including one with iOS 6 installed. The exploit was designed to work on iOS 5, but it could also be used on iOS 6 to extract photos and videos from the media library, contact data and the browsing history. These successes brought the hackers a prize of $30,000.

The exploit itself took some jumping around. Because the WebKit bug was not itself a use-after-free flaw, the researchers first had to turn it into a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used the memory overwrite to build a read/write gadget, which gave them a way to read from and write to the memory of the iPhone. "Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing," Keuper explained.
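The chain above hinges on manufacturing a dangling reference: once a stale pointer can still reach memory that has been freed and reallocated, everything after it (the overwrite, the read/write primitive) follows. The following added example is not code from the researchers or from WebKit; it shows a constructed, defensive pattern for the same bug class: objects are reached only through generation-tagged handles, so a reference kept after a free fails closed instead of silently aliasing whatever now occupies the slot. Names such as `obj_alloc`, `obj_resolve` and the `slot_t` table are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4

/* Constructed object table: each slot carries a generation counter that is
   bumped on every free, so a handle issued before the free no longer matches. */
typedef struct {
    uint32_t generation;
    int in_use;
    char payload[32];
} slot_t;

/* A handle is an index plus the generation it was issued under, never a raw pointer. */
typedef struct {
    uint32_t index;
    uint32_t generation;
} handle_t;

static slot_t table[SLOTS];

/* Clear the table so each demonstration starts from a known state. */
void table_reset(void) { memset(table, 0, sizeof table); }

/* Allocate a slot and copy in a payload; index UINT32_MAX signals "table full". */
handle_t obj_alloc(const char *payload) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            strncpy(table[i].payload, payload, sizeof table[i].payload - 1);
            table[i].payload[sizeof table[i].payload - 1] = '\0';
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };
}

/* Resolve a handle to its slot; NULL for out-of-range, freed or stale handles. */
slot_t *obj_resolve(handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *s = &table[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return s;
}

/* Free through the handle: wipe the payload and bump the generation so every
   outstanding copy of this handle becomes invalid. Returns -1 if already freed. */
int obj_free(handle_t h) {
    slot_t *s = obj_resolve(h);
    if (!s) return -1;
    memset(s->payload, 0, sizeof s->payload);
    s->in_use = 0;
    s->generation++;
    return 0;
}

/* Scenario 1: a handle kept after free must not reach the object that reused the slot.
   Returns 1 when the stale handle is refused and the fresh one still works. */
int demo_stale_handle_refused(void) {
    table_reset();
    handle_t old = obj_alloc("first object");
    obj_free(old);
    handle_t fresh = obj_alloc("object that reused slot 0");   /* lands in the same slot */
    return obj_resolve(old) == NULL
        && obj_resolve(fresh) != NULL
        && fresh.index == old.index;                           /* same slot, new generation */
}

/* Scenario 2: freeing twice through the same handle is rejected rather than
   corrupting bookkeeping. Returns 1 when the second free is refused. */
int demo_double_free_refused(void) {
    table_reset();
    handle_t h = obj_alloc("only object");
    int first = obj_free(h);
    int second = obj_free(h);
    return first == 0 && second == -1 && obj_resolve(h) == NULL;
}

int main(void) {
    printf("stale handle refused:  %d\n", demo_stale_handle_refused());
    printf("double free refused:   %d\n", demo_double_free_refused());
    return 0;
}
```

The generation counter is the whole point: a plain index or pointer would happily resolve to the reused slot, which is exactly the aliasing an attacker needs to turn a dangling reference into an overwrite. Real engines use richer variants of this idea (isolated heaps, reference counting, hardened smart pointers), but the check is the same: a reference is only as valid as the object it was issued for.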

It took 3 weeks and a lot of work to get the exploit working in the way demonstrated at Pwn2Own, but the hackers' effort brought them a substantial prize. Although the exploit is very valuable, the hackers claim that they have destroyed it and are looking for a new challenge, but only they know the truth.