Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 7 Mar 2016 09:52:33 +0100
Document Title:
===============
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link,
Buy Tones Link & Weather Channel Link)
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1778
Video: http://www.vulnerability-lab.com/get_content.php?id=1779
Release Date:
=============
2016-03-07
Vulnerability Laboratory ID (VL-ID):
====================================
1778
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and
distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod
Touch, it has been extended to support other Apple devices such as the iPad and
Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android,
Apple does not license iOS for installation on non-Apple hardware. As of
September 12, 2012, Apple's App Store contained more than 700,000 iOS
applications, which have collectively been downloaded more than 30 billion
times. It had a 14.9% share of the smartphone mobile operating system units
shipped in the third quarter of 2012, behind only Google's Android. In June
2012, it accounted for 65% of mobile web data consumption (including use on
both the iPod Touch and the iPad). By the middle of 2012, there were 410
million devices activated. According to the special media event held by Apple
on September 12, 2012, 400 million devices had been sold through June 2012.
(Copy of the Homepage: http://en.wikipedia.org/wiki/IOS)
Apple Inc. is an American multinational technology company headquartered in
Cupertino, California, that designs, develops, and sells
consumer electronics, computer software, and online services. Its hardware
products include the iPhone smartphone, the iPad tablet
computer, the Mac personal computer, the iPod portable media player, and the
Apple Watch smartwatch. Apple's consumer software includes
the OS X and iOS operating systems, the iTunes media player, the Safari web
browser, and the iLife and iWork creativity and productivity
suites. Its online services include the iTunes Store, the iOS App Store and Mac
App Store, and iCloud.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory research team discovered multiple connected
passcode protection bypass vulnerabilities in iOS v9.0, v9.1 and v9.2.1 for the
Apple iPhone (5, 5s, 6 & 6s) and the iPad (mini, 1 & 2).
Vulnerability Disclosure Timeline:
==================================
2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri -
Evolution Security GmbH)
2016-01-04: Vendor Notification (Apple Product Security Team)
2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Developer Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-03-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
An authentication passcode bypass vulnerability has been discovered in iOS v9.0,
v9.1 and v9.2.1 for the Apple iPhone (5, 5s, 6 & 6s) and the iPad (mini, 1 & 2).
The vulnerability type allows a local attacker with physical device access to
bypass the passcode protection mechanism of Apple mobile iOS devices.
The vulnerabilities are located in the 'App Store', 'Buy more Tones' and
'Weather Channel' links of the Clock, Event Calendar and Siri user interfaces.
Local attackers can use Siri, the Event Calendar or the available Clock module
to issue an internal browser link request to the App Store that bypasses the
customer's passcode or fingerprint protection mechanism. The attacker can
exploit the issue in several ways with Siri, the Event Calendar or the Clock
app of the control panel (Control Center) on default settings to gain
unauthorized access to the affected Apple mobile iOS devices.
1.1
In the first scenario the attacker asks Siri, for example, for a non-existing
app; Siri answers with an App Store link to search for it. The attacker then
opens the link, and a restricted browser window opens listing some apps. At
that point it is possible to switch back, without authorization, to the
internal home screen by interacting with the home button or with Siri again.
The link that bypasses the controls is visible in the Siri interface only and
is called "open App Store". The vulnerability is exploitable on the Apple
iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.
1.2
In the second scenario the attacker uses the control panel to gain access to
the unrestricted Clock app. The local attacker opens the app via Siri or via
the panel and then opens the Timer and its End Timer or Radar module. The
developers of the app let Apple customers buy more sounds for alerts and
implemented a link for it. Pushing the link opens a restricted App Store
browser window. At that point it is possible to switch back, without
authorization, to the internal home screen by interacting with the home button
or with Siri again. The link that bypasses the controls becomes visible in the
Alert Tone (Wecker - Ton) and Timer (End/Radar) views and is called "Buy more
Tones". The vulnerability is exploitable on the Apple iPhone 5 & 6(s) with iOS
v9.0, v9.1 & v9.2.1.
1.3
In the third scenario the attacker opens the Clock app via the panel or by a
Siri request, then opens the internal World Clock module. At the bottom right
is a link to the Weather Channel that redirects to the store as long as the
weather app is deactivated. Pushing the link opens a restricted App Store
browser window. At that point it is possible to switch back, without
authorization, to the internal home screen by interacting with the home button
or with Siri again. The link that bypasses the controls becomes visible in the
World Clock (Weather Channel) view and is an image used as a link. This special
case is limited to the iPad, because only those models display the web world
map. In the iPhone version the bug does not exist, because the map is not
displayed due to a limited template. The vulnerability is exploitable on the
Apple iPad 2 with iOS v9.0, v9.1 & v9.2.1.
1.4
In the fourth scenario the attacker opens the 'App & Event Calendar' panel via
Siri. Under the Tomorrow task, the attacker then opens the 'Information of
Weather' (Informationen zum Wetter - Weather Channel LLC) link at the bottom
left. As long as the weather app is deactivated on the Apple iOS device, a new
browser window to the App Store opens. At that point it is possible to switch
back, without authorization, to the internal home screen by interacting with
the home button or with Siri again. The link that bypasses the controls becomes
visible in the App & Events Calendar panel. The vulnerability is exploitable on
the Apple iPad 2 with iOS v9.0, v9.1 & v9.2.1.
The security risk of the passcode bypass vulnerability is estimated as high,
with a CVSS (Common Vulnerability Scoring System) count of 6.4.
Exploitation of the passcode protection mechanism bypass vulnerability requires
no privileged iOS device user account and only low user interaction. Physical
access to the Apple device is required for successful exploitation. Successful
exploitation of the vulnerability results in unauthorized device access,
compromise of the Apple mobile device and leakage of sensitive device data such
as the address book, photos, SMS, MMS, emails, the phone app, the mailbox,
phone settings or access to other default/installed mobile apps.
Vulnerable Module(s):
[+] PassCode (Protection Mechanism)
Affected Device(s):
[+] iPhone (Models: 5, 5s, 6 & 6s)
[+] iPad (Models: mini, 1 & 2)
Affected OS Version(s):
[+] iOS v9.0, v9.1 & v9.2.1
Proof of Concept (PoC):
=======================
The passcode protection mechanism bypass vulnerabilities can be exploited by
local attackers with physical device access and without a privileged or
restricted device user account.
For a security demonstration, or to reproduce the vulnerability, follow the
information and steps provided below.
1.1
Manual steps to reproduce the vulnerability ... (Siri Interface - App Store
Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock it with the passcode to the front screen
2. Open Siri by activation via the Home button (push for 2 seconds)
3. Ask Siri to open a non-existing app
Note: "Open App Digital" (Öffne App Digital)
4. Siri responds to the non-existing app and asks to search in the App Store
5. Now an "open App Store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the App Store bottom menu links
7. Click on Updates and open the last app, or push the Home button twice to let
the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduction of the passcode protection bypass vulnerability!
1.2
Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones
Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock it with the passcode to the front screen
2. Open Siri by activation via the Home button (push for 2 seconds)
Note: "Open World Clock" (Öffne App Weltuhr)
3. Push the 'Timer' module button at the bottom
4. Now push the Radius or End Timer button in the middle of the screen
Note: A listing opens with the sounds collection, and on top is a commercial
web link
5. Push the button and a new restricted browser window opens with the App Store
bottom menu links
6. Click on Updates and open the last app, or push the Home button twice to let
the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduction of the passcode protection bypass vulnerability!
Note: The vulnerability can also be exploited by pushing the same link in the
Alerts Timer (Wecker) next to adding a new one.
1.3
Manual steps to reproduce the vulnerability ... (World Clock - Weather Channel
Image Link) iPad (Models: 1 & 2)
1. Take the iOS device and lock it with the passcode to the front screen
2. Open Siri by activation via the Home button (push for 2 seconds)
Note: "Open App Clock" (Öffne App Uhr)
3. Switch in the bottom module menu to World Clock
Note: at the bottom right is an image of the Weather Channel LLC network
4. Push the image of the Weather Channel LLC company in the world map picture
Note: The weather app needs to be deactivated (default)
5. After pushing the button, a new restricted browser window opens with the
App Store bottom menu links
6. Click on Updates and open the last app, or push the Home button twice to let
the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduction of the passcode protection bypass vulnerability!
Note: The issue is limited to the iPad 1 & 2 because of the extended map
template!
1.4
Manual steps to reproduce the vulnerability ... (Events Calendar App - Weather
Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock it with the passcode to the front screen
2. Open Siri by activation via the Home button (push for 2 seconds)
Note: "Open Events/Calendar App" (Öffne Events/Kalender App)
3. Now push the 'Information of Weather Channel' link at the bottom of the
screen next to the Tomorrow (Morgen) module
Note: The weather app needs to be deactivated (default)
4. After pushing the button, a new restricted browser window opens with the
App Store bottom menu links
5. Click on Updates and open the last app, or push the Home button twice to let
the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduction of the passcode protection bypass vulnerability!
Video Demonstration: In the attached video demonstration we show how to bypass
the passcode of the iPhone 6s via the Siri App Store link and the Timer "Buy
more Tones" link.
In the video we activated the passcode and set up the Control Center to be
available by default on the locked front screen. Siri was activated as well by
default.
Solution - Fix & Patch:
=======================
The vulnerabilities can be temporarily patched by the end user by hardening the
device settings. Permanently deactivate the Siri module in the Settings menu.
Also deactivate the Events Calendar without passcode to disable the push
function of the Weather Channel LLC link. In the next step, deactivate the
public control panel with the Timer and World Clock to disarm exploitation.
Activate the weather app settings to prevent the redirect when the module is
disabled by default in the Events Calendar. Finally, Apple needs to issue a
patch for the issue; until that happens, a temporary solution has been
published as well.
Security Risk:
==============
The security risk of the passcode protection mechanism bypass vulnerabilities
in the Apple iPad and iPhone mobile devices is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(research@xxxxxxxxxxxxxxxxxxxxx)
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply. We do not approve or
encourage anybody to break any licenses, policies, deface websites, hack into
databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list, modify, use or edit our material contact (admin@ or
research@xxxxxxxxxxxxxxxxxxxxx) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx