A security researcher has found that when an iPhone joins a Wi-Fi network with a specially crafted SSID, its Wi-Fi stops working until network settings are reset, according to Threatpost.
A reverse engineer gave his own personal wireless network an odd name and discovered that joining it left his iPhone's Wi-Fi apparently permanently broken. The finding is causing unease among iPhone owners, since a bug of this kind could be turned into something exploitable.
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
The damage turned out not to be permanent: the researcher got Wi-Fi working again by using the Reset Network Settings option in iOS Settings. The fix has one drawback, however: it wipes every saved Wi-Fi network and password from the device.
The flaw is likely to attract closer scrutiny of Apple's Wi-Fi stack, from cybercriminals as well as security researchers.
Dirk Schrader, global vice president at New Net Technologies (NNT), expects researchers to dig “deeper into the inner workings of Apple’s Wi-Fi stack” to find out “what, exactly, causes the behavior and how to exploit it”.
It appears to be a format string bug
The SSID contains printf-style conversion specifiers, and the symptoms match the classic format string bug: attacker-controlled text is passed as the format argument rather than as data. When that happens, tokens such as “%x” print whatever happens to sit in the next argument slot (a register or stack location), leaking memory contents, and “%s” goes one step further by treating that slot as a pointer and reading the string it points to. The “%n” token is the dangerous one: it instructs “printf()” and related functions to write the number of characters output so far to the address held in the next argument slot, which gives an attacker a write primitive rather than just a read.
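To make the mechanism concrete, here is an added C example; it is not Apple's code and not from the original report. It places the buggy pattern (an SSID used as the format argument) beside the fixed form, replays the tweeted SSID as a format with arguments supplied for every token so that what each one consumes is visible and the behaviour stays defined, and adds a small escaping helper for call sites that cannot be audited. The function names are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the SSID from the tweet above. */
static const char *const HOSTILE_SSID = "%p%s%s%s%s%n";

/* The bug class: attacker-controlled text passed as the *format* argument.
 * The diagnostic pragma exists only so this deliberately wrong code builds;
 * gcc and clang warn about it for good reason. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_join_vulnerable(char *out, size_t outlen, const char *ssid)
{
    /* With a benign SSID this behaves exactly like the safe version, which
     * is why the bug survives testing. With "%p%s%s%s%s%n" there are no
     * arguments to satisfy the six conversions, so %p and %s read whatever
     * sits in the argument registers and on the stack, and %n writes through
     * one of those values: undefined behaviour, in practice a crash. */
    return snprintf(out, outlen, ssid);
}
#pragma GCC diagnostic pop

/* The fix: the format is a literal and the SSID is an ordinary argument. */
int log_join_safe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "Joined SSID: %s", ssid);
}

/* Controlled replay of the hostile SSID as a format, with an argument
 * supplied for every conversion so the behaviour is defined: %p consumes
 * one pointer, each %s one char *, and %n an int * into which printf stores
 * the number of characters written so far. Returns that count, which equals
 * strlen(out) whenever out is large enough. */
int replay_hostile_format(char *out, size_t outlen)
{
    int written = -1;
    snprintf(out, outlen, "%p%s%s%s%s%n",
             (void *)out, "ab", "cd", "ef", "gh", &written);
    return written;
}

/* Defence in depth when you cannot audit every sink: double every '%' so
 * the string stays inert even if it does reach a format argument. Returns
 * the escaped length, or -1 (with out NUL-terminated) if it would not fit. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need + 1 > outlen) {   /* +1 for the terminating NUL */
            out[n] = '\0';
            return -1;
        }
        out[n++] = *in;
        if (*in == '%')
            out[n++] = '%';
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[128];
    log_join_safe(buf, sizeof buf, HOSTILE_SSID);
    printf("safe:    %s\n", buf);
    int n = replay_hostile_format(buf, sizeof buf);
    printf("replay:  %s  (%%n stored %d, strlen %zu)\n", buf, n, strlen(buf));
    escape_percent(HOSTILE_SSID, buf, sizeof buf);
    printf("escaped: %s\n", buf);
    return 0;
}
```

Do not call the vulnerable function with the hostile SSID: with nothing behind the format, the outcome is undefined, and glibc's fortified printf will abort outright if it finds %n in a format string held in writable memory. That crash-on-join is the failure the article describes; the cure is the one-line change in log_join_safe, with escaping as a fallback for sinks you do not control.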
According to NNT’s Schrader, format string issues are a well-known class of bug: “In fact they are a major issue in web application development, and string handling is one of the first lessons any developer learns”.
Schrader explained how they can be abused: “A system unable to process a given string correctly ends up in an undefined state.” The outcome of such a state can be benign, such as forcing the app to restart, but in other cases these bugs end up as “high severity 0day vulnerabilities exploited by APTs”.