The other day one of the guys in the Kalmarunionen CTF team chat shared that he had found a way to mess up his iPhone's wifi.

What he did was simply rename his wifi access point to %p%s%s%s%e – basically a format string – and connect to it from his iPhone.

Normally this would not cause any problems, but on an iPhone (and probably iPads as well) it makes the wifi settings menu inaccessible. The menu window simply crashes over and over again until you reset the network settings.

Under the hood

After looking a bit further into the problem, it turns out that this is actually a good ol' format string bug.

The iPhone is so friendly that it produces a small crash log, which shows this:

Thread 2 name:  Dispatch queue:
Thread 2 Crashed:
0   libsystem_platform.dylib      	0x00000001ebcb9724 _platform_strlen + 4
1   CoreFoundation                	0x00000001a381d84c __CFStringAppendFormatCore + 8812
2   CoreFoundation                	0x00000001a381efa8 _CFStringCreateWithFormatAndArgumentsReturningMetadata + 160
3   WiFiPolicy                    	0x00000001d0895f8c -[WFLogger WFLog:message:] + 192
4   ???                           	0x000000010692c00c 0 + 4405248012
5   wifid                         	0x0000000100f58a74 0x100e40000 + 1149556
6   wifid                         	0x0000000100f58c74 0x100e40000 + 1150068

So the error is in CFStringCreateWithFormatAndArguments, and by decompiling the function -[WFLogger WFLog:message:] (I really hate the naming convention in Apple software) and matching it against the backtrace, the location of the error is revealed:

v27 = sub_1000A25D4(v21);
v28 = objc_msgSend(
        CFSTR("Attempting Apple80211AssociateAsync to %@"),
v29 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithFormat:", CFSTR("{ %@+} %@"), CFSTR("ASSOC"), v28);
v30 = objc_autoreleasePoolPush();
v31 = (void *)qword_100251888;
if ( qword_100251888 )
    v32 = objc_msgSend(v29, "UTF8String");
    objc_msgSend(v31, "WFLog:message:", 3LL, v32);

Lines 12 and 13 of the decompiled output above (the stringWithFormat: and WFLog:message: calls) show that it basically takes the BSSID, concatenates it into another format string, and then sends the result off to the function WFLog:message:. That function now has a new and longer format string, which it tries to fill in before writing it to the log. Since this format string no longer matches the arguments that were actually supplied, it crashes.
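To make the pattern concrete, here is an added C example (my own code, not the page's and not Apple's wifid) that mirrors the two-step flow above: a message is built from the network name and is then itself handed to a vararg logger as its format, next to the fixed form where the format is a literal and the name is a %s argument, plus a small check that counts the conversions an untrusted name would trigger. The names wf_log, log_assoc_vulnerable, log_assoc_fixed and count_conversions are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the WFLog:message: shape on the page: whatever string the caller
 * hands over becomes the format that the vararg formatter interprets. */
static void wf_log(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (as in the decompiled wifid code): the network name is
 * first baked into a message, and that message is then passed as the format. */
static void log_assoc_vulnerable(char *out, size_t cap, const char *ssid) {
    char msg[256];
    snprintf(msg, sizeof msg, "{ ASSOC+} Attempting Apple80211AssociateAsync to %s", ssid);
    wf_log(out, cap, msg);   /* BUG: any '%' in ssid is now a conversion */
}

/* Hardened pattern: the format is a literal and the name is a %s argument,
 * so its bytes are copied verbatim and never interpreted. */
static void log_assoc_fixed(char *out, size_t cap, const char *ssid) {
    wf_log(out, cap, "{ ASSOC+} Attempting Apple80211AssociateAsync to %s", ssid);
}

/* Defensive check: count the printf conversions ('%' not escaped as "%%") an
 * untrusted value would trigger if it ever reached a format parameter. */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is just a literal percent */
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample: "%%" is safe to run, yet it still shows that the
     * vulnerable path interprets the name while the fixed path does not. */
    const char *ssid = "Cafe 50%% off";
    char vuln[256], fixed[256];
    log_assoc_vulnerable(vuln, sizeof vuln, ssid);
    log_assoc_fixed(fixed, sizeof fixed, ssid);
    printf("vulnerable: %s\nfixed:      %s\n", vuln, fixed);
    printf("conversions in \"%%p%%s%%s%%s%%e\": %d\n", count_conversions("%p%s%s%s%e"));
    return 0;
}
```

The vulnerable path silently turns the "%%" in the name into a single "%", which is the same interpretation step that, with %s conversions and no arguments, sends wifid into _platform_strlen on a garbage pointer.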


Having a bit of fun

OK, so the bug is non-lethal for the iPhone and can be reverted by resetting the network settings (Settings->General->Reset->Reset Network Settings), but I thought we could still have a bit of fun with it :-)

What about putting up a sticker in the local café or similar with the following QR code and the text “Free wifi”, and having a local hotspot with the format string as its name:

[Image: QR code that will give all iPhone users free worldwide wifi]

I am sure that a few iPhone users will try it, and you can have a bit of a laugh about it.

(For the curious, I simply use to generate a QR code with the SSID mentioned.)