Apple iOS 10.1 – Multiple Access Permission Vulnerabilities

fulldisclosure logo
Full Disclosure
mailing list archives

Apple iOS 10.1 – Multiple Access Permission Vulnerabilities


From: Vulnerability Lab <research () vulnerability-lab com>

Date: Mon, 28 Nov 2016 12:17:06 +0100


Document Title:
===============
Apple iOS 10.1 - Multiple Access Permission Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2012

Apple Security ID: 648680301

Video1: https://www.youtube.com/watch?v=fY2Obtxk_Dg
Video2: https://www.youtube.com/watch?v=46CHjQxkKxk


Release Date:
=============
2016-11-17


Vulnerability Laboratory ID (VL-ID):
====================================
2012


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating 
system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local passcode bypass via access permission vulnerability 
in the official Apple iOS v10.1 for iphones and ipads.


Vulnerability Disclosure Timeline:
==================================
1.1
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.2
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


1.3
2016-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-09-07: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.4
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS 10.0 & 10.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local passcode bypass via access permission vulnerability in the official Apple iOS v10.1 for iphones and ipads.
The ios access permision vulnerability allows a local attacker to unauthorized access the internal device data.

The same type of issue has been detected multiple times within the new update version 10.0 and the followup 10.1.
To explain the different type of issues we splitted the information into 3 different parts.

1. Dictation to Share Access Permission via incompatible Device
The vulnerability is located after installtion of the ios 10.x version to the incompatible apple ipad2 device.
The website of the apple site showed us that imcompatible devices can cause on usage in unexpected behavoir, 
so we decided to install the version to one of our test environment devices. After the installation we have 
noticed that the dictionary function became available ahead to the desk. In our testings we used the function 
to trigger a glitch on accessing the more information button in the locked device mode. After processing the 
interaction manually in a loop, we was able to get ahead the passcode screen area a push magnifying glass preview.
Watching the bug displayed information of a restricted area that is located in `Device - Siri - About Sir & 
Data Security to Privacy`. Now i moved to the link by searching blind the location and pushed twice to receive 
the input menu bar like when marking a text. People that are aware of ios know that these function allows 
several options depending on the input and connected function. Now an attacker can use the share function that 
became visible ahead during the passcode lock screen via glitch and pushs the share button. Now the email 
opens. Then the attacker marks the email of the contact and pushs twice the contact plus a keyboard letter of 
an exisiting contact. Now the contact comes ahead, click the info button and move to the profil location. 
Add the information to a new contact, then press the image button and now the attacker is able to access 
the photo album of the device without any restrictions. Attackers can use an incompatible device to a 
specific version that runs on the hardware to bypass. After that they can process a backup to move the 
data back to the compatible device. It is very important to say that the location of the site module is 
behind the protected layer of the passcode. All abilities are granted at that point to move to different 
important device functions or locations.

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device 
compromise by malicious interaction.


2. Voice Over Call to Contact Access Permission Vulnerability - Access Permission via compatible Device
In the second test reported to he issue within august to september, we noticed another access permission issue 
that came across because of the voice over function and another unrecognized issue by the apple developer team.
Our story starts when we was processing to bypass again the passcode screen for the apple product security team 
to discover a new vulnerability in the bug bounty program. After using the function in combination with siri there
was an ability to trigger a glitch, that allows to freeze the contact list. During the investigation the the glitch 
made information of contacts available. Normally thus is not an evil behavoir, when having siri activated. You ever 
have the ability as user to call or write a specific contact a message as far as you know the same and contact. 
In some cases the siri also shows some small information about the call number but all so far okey. So we added to 
one of our contact another information, then the phone number plus address and identified that when we reproduce the 
glitch that like in the normal search listing of the phone app, the information becomes visible. The difference 
between was that ago there was no information button next to the account listed after saving for example an 
email or skype. We reproduced the the contact issue by activating and deactivating the voice over function via 
siri and pushed directly in the visible list the information button. Now, the contact of the letter you press 
opens and the attacker can move to edit. By pushing the picture the attacker is able to access unauthorized the 
album of the device without restriction. By pushing the contact button or email, the attacker is able to write 
or interaction to compromise. On both issues all abilities are granted at that point to move to different 
important device functions or locations. We figured out that when you process to push the cloud button on share 
that the mobile will move to a black screen mode, for luck we was not able like in 2012/2013 accessing the data 
via usb connection.

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.3.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device 
compromise by malicious interaction.


3. Facetime Call to non-exisiting Contact Acces Permission Vulnerability via compatible Device
Due to the last updates to ios 10.0 and 10.1 there are some new features. When you process to say to siri
`Hi Siri call George via Facetime` ... Siri will answer `I can't call the user`. Now you say again `call 
George via Facetime`. Next to that push and hold the middle of the display ... now a second button under 
the first siri call becomes visible with the already well known `Others` function. Push the button and the 
contact list opens. In that modus it is not possible to move inside the contacts because they are grey, 
but you can preview all the names and use the search as well. A full escalte is at that point not possible.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device 
compromise by malicious interaction.


4. Voice Over to Contacts & Characters Memory Issue - Access Permission Vulnerability
On investigation with the 2. vulnerability we identified another very strange vulnerability. When processing to request 
via Voice Over permanently the contact list by usage of a glitch, it can happen that the device is that irritated that 
is shows you some really private information. Within the last year i deleted several of my old contacts because of they 
did switch to another numbers, during the investigate my employee was all time seeing me reproduce the issue and asked 
me one time ... have you not deleted those accounts about 1 year ago permanently. I was watching into the sim contacts, 
the phone contacts and checked as well the icloud sync. At that moment we came to that point, were we was reading 
sensitive device information that stores in the cloud as well all the deleted entries. The problem occurs mainly when 
process to push `.` or `space`button with a contact list glitch on voice over. In the most cases the information shows 
you the context that is illegal requested in the formular search entry but in case of our issue the device shows 
permanently 
deleted account information of the cloud that should not be stored anymore at all. So even if you remove the data of 
icloud, your deviceand the sim. However it is not clear why the information is accessable on usage of the glitch.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 5.8.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking of permanently 
deleted contact information.


Proof of Concept (PoC):
=======================
1.1
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Push the home button to get light on the screen
3. Push the dictation function on top next to the search
4. Then a message box appears with 3 different options
5. Click the middle option to receive more information (Mehr Infos)
Note: Basically the data security police is only available after include
of the active passcode or fingerprint
6. Do the procedure twice again by pushing option 2
7. Push the home button and then push after it by leaving the home
button the power button
Note: The light goes off you are ahead to the locked home screen
8. In the next step the local attacker pushs the home button twice to
receive ahead to the visible slides the passcode layer
9. Now you can push anywhere inside the passcode form to watch the
document thats behind the passcode of the dictation module in the
keyboard settings
Note: You can now mark the text with an iphone plus or an iphone 7 and
get the text highlighting options
10. Push the and hold to get the menu inside of the text
11. Now the attacker uses the Copy, Lookup (Nachschlagen) or Shares
(Freigaben) functions to shimmy through the layer function
12. Successful reproduce of the local issue!

Note: The mask behind the dictation function becomes normally only visible by an auth because of the protected layer. 
The menu functions like, copy, share and lookup are normally as well not available at thus layer without 
authentication. 
The glitch affects as well the passcode layer in the home screen in case of collision handling.


1.2
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now make a call to your test device within the locked mode
4. Select on arrival of the call the customized answer via message button
5. Push the home button and say "Activate Voice Over"
Note: Now the voice over function uses the ui to perform to open on push
6. Push with one button on top twice the name of the contact to message and then press directly after it a character 
like A
7. A glitch happens and the contact list becomes available. Now process that again since you find a visit card contact 
with email or skype
Note: Behind the contact is an Information button to the profile of the old iOS version 9.x
9. Push that button
Note: Now the profile opens
10. Push to edit and then push the picture of the profile to set
11. Now you are inside the album and can move to share for further compromise via email or apps
12. Successful reproduce of the second local access permission vulnerability!


1.3
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now push and hold the home button for siri
4. "Call George via Facetime"
5. "George does not exisit"  
Note: Now a button appears with <Others> as option
6. Push the button and process the same twice again
7. After the thrid time push the button "Others" that appears twice at least and hold the siri button
Note: A glitch appears that moves the button to a grey template
8. Push the button again with the grey element and the contact list opens without access permission
9. Successful reproduce of the third local access permission vulnerability!


1.4
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now make a call to your test device within the locked mode
4. Select on arrival of the call the customized answer via message button
5. Push the home button and say "Activate Voice Over"
Note: Now the voice over function uses the ui to perform to open on push
6. Push with one button on top twice the name of the contact to message and then press directly after it a character . 
with Siri via Home
7. Now a smart green contact list appears with blue tags showing all permanently deleted accounts sorted
Note: The data displayed comes of the internal memory storage without authentication
9. Successful reproduce of the fourth local vulnerability!


Solution - Fix & Patch:
=======================
The following steps are a temp solution to resolve the vulnerabilities manually. 
1. Deactivate siri application
2. Deactivate the dictation application
3. Disable the app access in the locked device mode
4. Deactivate the voice over function in the device settings
5. Deactivate facetime calls within the locked mode
6. Deactivate the message arrival answer
6. Now, wait for the next updates of ios that  resolve the issues permanently!


Security Risk:
==============
1.1
The security risk of the first access permission vulnerability in the apple ios device is estimated as high. (cvss 6.3)

1.2
The security risk of the second access permission vulnerability in the apple ios device is estimated as high. (cvss 6.1)

1.3
The security risk of the third access permission vulnerability in the apple ios device is estimated as medium. (cvss 
4.2)

1.4
The security risk of the fourth vulnerability in the apple ios device is estimated as high. (cvss 5.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - 
www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab                                 - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires 
authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact 
(admin@) to get a ask permission.

                                    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date  
     
  By Thread  

Current thread:

Source: Full Disclosure @ November 28, 2016 at 04:36AM

0
Share