It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi
Hope no one's created guest networks called '%Free %Coffee at %Starbucks'
Joining a Wi-Fi network with a specific sequence of characters in its SSID name will break wireless connectivity for iOS devices. Thankfully the bug looks to be little more than an embarrassment and inconvenience.
On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named "%p%s%s%s%s%n".
The offending name is made up of good old C language
printf()-style string format specifiers. On iOS, they are handled by Apple's open source CFString framework, available to those writing Objective-C or Swift applications. CF stands for Core Foundation; CFString is a C API in macOS and iOS.
Security researcher Alex Skalozub told The Register that the disruptive series of characters can be shorter still. The string "%s%s%s" is sufficient to trigger the bug, he said, noting that it appears to be the third "%s" that takes down the Wi-Fi connection.
The "%s" tells the software to use a referenced string, which likely doesn't actually exist, causing the code to crash. Indeed, it appears to cause a
strlen() function call to trigger a memory access fault. Apple's software should not be directly obeying these user-provided format strings as it's a classic security vulnerability.
"Yesterday I showed how [an Access Point] named "%Free %Coffee at %Starbucks" does the same thing," he said.
Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default.
Security flaw? Technically possible but...
Amichai Shulman, co-founder and CTO of enterprise network security firm AirEye, contends the bug could lead to remote code execution.
"While it is easy to use the vulnerability to simply disable the Wi-Fi capabilities of an attacked machine, the nature of format string vulnerabilities is that when carefully crafted they can be used to write arbitrary code into random, or chosen, parts of a machine’s memory – and even eventually inject and execute code," he wrote in a blog post. "Since the device is on the corporate network, this code can eventually be used for lateral movement."
But absent any proof-of-concept exploit code, that remains a speculative assessment. Other security researchers don't see much to worry about.
- Latest phones are great at thwarting Wi-Fi tracking. Other devices, not so much – study
- Cisco’s 'intuitive security' tool can’t handle MAC address randomization out-of-the-box
- Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears
- Some Things just aren't meant to be (on Internet of Things networks). But we can work around that
The Wi-Fi failure, according to a writeup by China-based security researcher Zhi Zhou (ChiChou), follows from a format string bug. He says he doesn't believe the bug is exploitable to achieve code execution.
Schou, who spotted the issue, similarly expressed doubt that the bug would be useful for further exploitation.
"This bug would be quite complicated to fully exploit, as you are limited by the length of the SSID and the functionality of the format string," he wrote in an email to The Register. "You could potentially turn this into an information disclosure, but to use it for anything remotely useful (besides crashing the Wi-Fi daemon) you would need another exploit."
Security researcher Alex Skalozub also dismissed the bug.
"I don’t believe it is exploitable," he told The Register in a message. "The CFString format string syntax doesn’t have %n format modifier, so writing into memory at the pointer on stack is impossible. Also the attacker doesn’t have control of the pointers on stack, because the format string is located on the heap."
As for remote code execution, Skalozub said that would only be possible using the %@ modifier, which prints a description of the Objective-C object. But that would require crafting a pointer to the appropriate object on the stack somehow, he said, which isn't likely for the reasons outlined above.
Apple did not respond to a request for comment. We haven't heard from anyone there in a while. We hope everyone in the company's uncommunicative communications group is okay.
Until this gets fixed (and even afterwards), you may want to steer clear of unusually named Wi-Fi networks. ®