
A new CSS-based web attack will crash and restart your iPhone - MrCzar
https://techcrunch.com/2018/09/15/a-new-css-based-web-attack-will-crash-and-restart-your-iphone/
======
Eric_WVGG
This reminds me of how I was unemployed for a good chunk of the year 2001.

I was making a fresh start in a new city, and shopping my resumé to various
graphics design firms. There was a prominent link to my portfolio site up top.
After months of looking I didn’t get a single call-back.

Eventually I got a job in another industry, and noticed a bunch of Macs in the
corner that they used for testing. One day I decided to load my portfolio site
for fun... turned out there was a glitch in CSS support in Internet Explorer
that would crash the browser, and since this was Mac OS “Classic”, that took
down the entire machine.

Graphic design firms were all still on Macs with the old OS back in those
days; I had been walking around crashing computers and destroying people’s
work for months.

~~~
tomxor
In my first commercial attempt at web development I utilised a PNG
transparency fix for IE6 (written in that IE6 specific filter thing). A few
months later the client passed on a complaint from one of his customers whose
machine crashed whenever he visited the website... I removed the IE6 fix and
all was well in the world - You can have nice things or MS, you can't have
both.

~~~
brennebeck
I think MS is doing a pretty decent job of trying to repair that. Especially
with developers.

------
matthberg
The tweet announcing it:
[https://twitter.com/pwnsdx/status/1040944750973595649](https://twitter.com/pwnsdx/status/1040944750973595649)

The code that causes the crash (safe to open):
[https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33...](https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea)

The demo itself (causes crash):
[https://cdn.rawgit.com/pwnsdx/ce64de2760996a6c432f06d612e33a...](https://cdn.rawgit.com/pwnsdx/ce64de2760996a6c432f06d612e33aea/raw/23f2faa0aadb4babbfd228c8bb32a26a8c51c741/safari-ripper.html)

~~~
avip
It works!

~~~
joering2
DO NOT CLICK THE LINK! An hour later I am still unable to restart my phone. It
hangs on logo!! This may be a permanent fuck ;( unsure of the exact version but
I have iOS 7 that hasn't been updated in about six months.

~~~
tannhaeuser
Seems like on restart Safari wants to revisit previously opened pages and
crashes again ad infinitum. Isn't there a way to cold-restart iOS devices or
some such (like the magic "Zap NVRAM and repair permissions" procedure back in
PowerMac times)?

~~~
Crontab
"Seems like on restart Safari wants to revisit previously opened pages"

I've always found that behavior annoying. If I want to revisit the last page,
I can find it in history.

~~~
matkins
I'm sure you're in the absolute minority. Most people want all apps, including
the browser, to stay the way they were when they closed them, even after a
reboot.

~~~
sethammons
I sure as heck want my tabs back. But I'd settle for "restore tabs" as I have
to do that a lot in chrome on my MacBook Pro. On my Android, the tabs are just
there and I really appreciate it. I have over a dozen tabs open on my phone
and two dozen on my laptop.

~~~
LoSboccacc
It’s very convenient, but isn’t that scenario better covered by hibernating
the OS? That covers all apps and doesn’t require any app to have special
behaviour coded in.

~~~
sethammons
If I never had to restart, sure. I have to restart my laptop weekly at least.
Heck, it locked up twice last week opening Diablo 3 forcing a hard power
cycle. My phone gets restarted less often but still gets into odd states where
a reboot is needed.

~~~
LoSboccacc
Tangential, but check that your power supply is OK; that's the second most
common source of random lockups during load (I assume drivers are up to date,
that'd be the first).

------
sebazzz
I have always wondered why Safari crashes can reboot the entire telephone.
Doesn't iOS have multiple protection rings or is Safari running at ring 0? Or
is it a precaution that inhibits jailbreak research?

~~~
fulafel
It's prudent to reboot when a privileged component crashes, since the
integrity of the code execution has been compromised. A lot of the time a DoS
bug in native code is synonymous with "nobody bothered to craft a RCE".

It's unintuitive to many people how many scenarios eventually allow a RCE
exploit to be crafted. Check out some null pointer deref RCE's to convince
yourself.

~~~
jstanley
But why is Safari a privileged component?

~~~
comex
Just to clarify the situation:

fulafel’s comment (parent^4 of this comment) is incorrect. iOS does not
automatically reboot when Safari or WebProcess crashes, and Safari is not
generally treated as a ‘privileged component’ overall – to the contrary, last
I checked it had a _tighter_ sandbox than most apps.

As people have noted, Safari does have special privileges to run a JIT, which
is otherwise restricted. This is not because running a JIT can compromise the
security of the system as a whole, but simply because having a JIT in your
process makes it easier to exploit that process, making it best to avoid
except where absolutely necessary.

By the way, I haven’t looked into this crash myself, but my guess is that it’s
an unexploitable out-of-memory situation. This would still involve some sort
of bug in the kernel, since it shouldn’t be possible for a process to take
down the whole system (especially not ‘by accident’). But in general it’s
relatively common to have bugs where you can make a more privileged piece of
code run out of memory, and most of the time there’s no way to turn them into
code execution. Of course, “most of the time” != always, and there’s no way to
know for sure without tracking down the root cause :)

~~~
swingline-747
To explain to other readers: JIT processes usually have to violate the
standard W^X protection rule for memory pages by either simultaneously mapping
them to both data and code virtual pages, or remapping them before and after
JIT compilation. I'd hope it's the latter. JITs are basically compiler-linkers
directly to memory, so they need to have their output transformed from data
pages into code pages in order for it to be executable.

~~~
saagarjha
Safari does MAP_JIT, I believe, so it keeps around RWX pages (edit: I think
just one page). The best third-party apps can do (on non-jailbroken devices)
is W^X–that is, map memory as RW, put code on it, then remap it as RX–because
they cannot gain the dynamic-codesigning entitlement. Even this requires
jumping through hoops, such as its own set of entitlements and specific setup
dance, which makes it not available to App Store apps.

------
KenanSulayman
I tried it on my iPhone X and it triggers a kernel panic (agxk_mmu.cpp) when
trying to allocate memory for WebKit.

It seems it exhausts the memory so fast that it triggers an assertion error
somewhere?

Screenshot: [https://i.imgur.com/6tDr44q.png](https://i.imgur.com/6tDr44q.png)

Full serial console log of the device:
[https://gist.githubusercontent.com/KenanSulayman/867cc399e97...](https://gist.githubusercontent.com/KenanSulayman/867cc399e9762189b3a52b2cf91781ca/raw/ded0b82a24464e969d2f84cd8edd25ac000f2a87/kern.log)

~~~
amaccuish
Does iOS not enforce reasonable memory limits on apps to prevent a panic?

~~~
MBCook
It does. Your app will get killed. The OS will be fine.

My understanding is this bug uses up GPU memory/contexts, not normal system
RAM, and that’s why it becomes an issue.

~~~
swingline-747
Ohh.. sneaky: a GPU DoS.

~~~
MBCook
Yeah. Of course it shouldn’t be possible, but I guess no one had thought of it
before, or they thought the risk was too low because they figured you’d have to
make an app to do it, not some random HTML on a webpage.

------
jeroenhd
This isn't just an iOS bug. The affected CSS property is just not available on
most platforms.

Since I do not have access to any Apple hardware, I tried turning on the
experimental web features in Chrome Canary on my phone and it managed to
freeze Android as well. The Chrome browser crashed on Windows with this
setting on. Microsoft Edge, the only browser other than Safari to support
this property without messing with config, just showed a generic "this page
cannot be displayed" message.

I think this problem affects the entire WebKit/Blink code base, the only
reason the crashes are not being detected on other platforms is that most
browsers just don't support this feature yet.

------
exikyut
This is basically 3,485 nested <div>s (balanced; same number of </div>s) with
width and height both set to 10,000px.

I have no idea if this is an internal DOM overflow or it's because of the
tiled background-image. (I don't have an iPhone to test against.)

EDIT: I actually read the article properly :) all 3,485 of the <div>s have a
10px backdrop-filter set on them.

> _He explained that nesting a ton of elements — such as <div> tags — inside a
> backdrop filter property in CSS, you can use up all of the device’s
> resources and cause a kernel panic_

Fun trivia: ^F for <div> on the GitHub gist page, and Chrome will inch...
forward... so... very... slowly... finding... matches. You have to search the
raw file if you want it to complete this century.
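
The nesting described above, turned into a check a defender could run on incoming HTML. This is an added example, not code from the post or from the linked gist: it reports how deeply elements carrying an inline backdrop-filter are nested, and flags anything past an assumed limit of 16; it only inspects inline style attributes (a stylesheet with class selectors would also need a CSS parser).

```python
# Added example, not code from the thread or from the linked gist: a scanner that
# reports how deeply elements with an inline backdrop-filter style are nested, the
# shape of page described above. Inline style attributes only (assumption: a
# <style> sheet with class selectors would need a CSS parser as well).
import re
from html.parser import HTMLParser

BACKDROP_RE = re.compile(r"backdrop-filter\s*:", re.IGNORECASE)  # also -webkit-
VOID = {"br", "img", "input", "meta", "link", "hr"}  # tags that never close


class BackdropDepthScanner(HTMLParser):
    """Counts how many currently open ancestors carry a backdrop-filter."""

    def __init__(self):
        super().__init__()
        self.stack = []    # (tag, has_backdrop_filter) for each open element
        self.depth = 0     # open elements that carry backdrop-filter
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        filtered = bool(BACKDROP_RE.search(dict(attrs).get("style") or ""))
        self.stack.append((tag, filtered))
        if filtered:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        # Pop to the nearest matching open tag; tolerate stray or missing end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.depth -= sum(1 for _, f in self.stack[i:] if f)
                del self.stack[i:]
                break


def max_backdrop_nesting(html):
    scanner = BackdropDepthScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.max_depth


def is_suspicious(html, limit=16):
    # True when filtered elements stack deeper than the (assumed) limit.
    return max_backdrop_nesting(html) > limit


# Constructed samples: one frosted-glass panel, and the nested shape at depth 20.
BENIGN = '<div style="backdrop-filter: blur(10px)"><p>hi<br></p></div>'
NESTED = '<div style="-webkit-backdrop-filter: blur(10px)">' * 20 + "x" + "</div>" * 20
```

The limit is a policy knob: a legitimate page rarely stacks more than a handful of backdrop filters, so a low threshold catches the pattern without false positives on ordinary layouts.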

~~~
endless1234
It's because of the nested backdrop-filters being applied. I would've thought
the CSS parser / rendering engine stops this from happening, but apparently
not.

~~~
rangibaby
I guess it is because backdrop-filter is a new property. AFAIK backdrop-filter
affects everything below it, so maybe a sanity check for the number of times
the effect applies is missing.

~~~
burlesona
Yeah, it looks like it's trying to compute thousands of filters stacked on top
of each other. Photoshop would take a while to do that too. But Safari
shouldn’t be able to run out of memory so hard it takes down the device.

------
Ducki
It also gets my MacBook Pro in an unresponsive state (using Safari).

~~~
wumms
Copy that. I had to hard reset. (No crash while using Firefox, Chrome &
Vivaldi).

~~~
burlesona
Those browsers don’t support those CSS filters yet; you’d have to use Chrome
Canary, for example. Another poster tested with the features enabled and got
the same crash.

------
kyrra
Don't most security researchers wait until it is patched before posting the
details of something like this?

~~~
kyrra
Why the downvotes? The guy is a security researcher, and published a bug that
can crash the app or OS (reports in this thread have reported mixed results,
and others are saying it may impact OSX as well). The guy goes to Twitter to
announce the bug.

Most people that call themselves security researchers will notify the vendor
and give them some amount of time before publishing it. He waited 1 day.

My best guess is that since it's just an OS crash, he felt he could release it.
But for something that is easy for any website to do, it seems like he should
have given them some more time.

------
bluesign
I am guessing from the log posted [0] this can be some kernel memory leak.

It can be related to AppleJPEGDriver-memleak [1].

[0]
[https://news.ycombinator.com/item?id=17998178](https://news.ycombinator.com/item?id=17998178)
[1] [https://github.com/bazad/AppleJPEGDriver-memleak](https://github.com/bazad/AppleJPEGDriver-memleak)

------
myfonj
Dug through WebKit Bugzilla and Trac and the only recent visible "crash
backdrop" issue seems to be "Fix crash when reflections and backdrop filter
are combined" [1], which references a bug that requires authorization [2].

[1]
[https://trac.webkit.org/changeset/235475/webkit](https://trac.webkit.org/changeset/235475/webkit)
[2]
[https://bugs.webkit.org/show_bug.cgi?id=188504](https://bugs.webkit.org/show_bug.cgi?id=188504)

------
XCSme
Reminds me of a Safari memory leak issue I stumbled upon two years ago:
[https://stackoverflow.com/questions/35782231/why-is-a-safari...](https://stackoverflow.com/questions/35782231/why-is-a-safari-page-breaking-ios-rendering)

I guess that restarting is less important than modifying memory it shouldn't.

------
ccnafr
More details about the attack in this interview with the researcher:
[https://www.zdnet.com/article/nasty-piece-of-css-code-crashe...](https://www.zdnet.com/article/nasty-piece-of-css-code-crashes-and-restarts-iphones/)

Safari on MacOS is also affected, and you can make it persist with a little
bit of JS.

------
nereid666
I sent it to a colleague, and the iPhone didn't reboot.... It crashed, and
she had to use iTunes to recover. Be careful....

------
floatingatoll
It’s cruel of them to make this discovery public without a fix.

Thousands upon thousands of normal, non-tech, non-fanatic people are going to
be sent a link to this page by someone mean who wants to crash their phone and
laugh at their pain as they’re locked out of their life by a crash bug.

This is irresponsible disclosure.

~~~
codedokode
Rebooting phone doesn't look like a tragedy.

~~~
floatingatoll
[https://news.ycombinator.com/item?id=17997958](https://news.ycombinator.com/item?id=17997958)

> DO NOT CLICK THE LINK! Hour later I am still unable to restart my phone. It
> hangs on logo!! This may be a permanent fuck ;(

------
seddin
I have tried it on an iPad Mini with iOS 8.4 (jailbroken) and it does nothing.

~~~
MrKristopher
It doesn't crash for me either on iPhone 5 / iOS 8.4.1. It just renders a long
webpage.

------
novaRom
I've stopped taking iOS/OSX seriously after those iCloud celeb leaks and
especially after the 'empty string' root prompt bug. How can anyone still trust
this black box concept?

~~~
qrbLPHiKpiux
Weren't those phishing compromises?

~~~
watermans
They were. OP seems to have bought into the fake story that someone
legitimately hacked iCloud and only made it out with photographs.

------
jorblumesea
How is it that browserland always seems to impact the OS? Is it the browser's
need for graphics drivers? Or are these browsers embedded at a different level
compared to a traditional OS?

~~~
hn_throwaway_99
What other apps do you have on your phone that are executing what is
essentially an enormous amount of untrusted code?

There is nothing different about browsers than other apps, but given how they
work people are far more likely to discover these kinds of bugs in browsers.

------
runeks
Can anyone confirm if this is a denial-of-service attack (through memory
exhaustion)?

I’m no security researcher but, as I understand, it shouldn’t be exploitable
if this is the case.

~~~
nothrabannosir
DoS of Safari or the kernel? It's a kernel panic, which is not a Safari DoS;
no user space app should be allowed to crash the kernel. Memory exhaustion
should just trigger an OOM kill at worst.

------
zitterbewegung
Can't wait for the supplemental update for this (I doubt they have time to
revise the GM releases for watchOS and iOS, but maybe they can fix Mojave).

------
exikyut
From the Twitter thread:

- This is a full kernel panic; I wonder if it's exploitable (...probably not)

- Someone's iPhone didn't ask for their PIN on reboot?

- It apparently crashes watchOS 5 too

~~~
saagarjha
> Someone's iPhone didn't ask for their PIN on reboot?

That's because the iPhone didn't reboot fully. This doesn't deterministically
cause a panic, sometimes it just takes down parts of the system.

------
amaccuish
Is this due to memory exhaustion? If so, does Safari not have limits applied
that cause it to be killed for running into OOM?

~~~
gsnedders
> If so, does Safari not have limits applied that cause it to be killed for
> running into OOM?

It does. The memory allocation that causes the crash doesn't come from Safari,
though: it's a memory allocation in the kernel (likely somewhere graphics
related), and that counts towards XNU's memory consumption and not Safari's.

~~~
amaccuish
Ahh thank you!

------
ilumanty
It also stalled my iMac on Safari 11.1.2, macOS 10.13.6. Had to force reboot.

------
feketegy
Tested it on my MacBook in Safari; it crashed spectacularly.

~~~
systoll
Chrome performs similarly, if the flag enabling 'backdrop-filter' support is
set.

------
marcellus777
Works on Safari either on the iPhone or iMac/MacBook.

------
Froyoh
Here's a JS-based attack that will freeze Chrome/ChromeOS, by the same person:
[https://twitter.com/pwnsdx/status/1038821975089664001](https://twitter.com/pwnsdx/status/1038821975089664001)

------
swingline-747
I take it some Apple engineers were/will be called in on a Sunday in order to
push a WebKit / Mobile Safari "11.4.2" security update. Thoughts, prayers and
coffee.

