Re: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
- To: Edsel Adap <edsel@xxxxxxxx>
- Subject: Re: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
- From: Michael Lima <mickael.m.lima@xxxxxxxxx>
- Date: Tue, 8 Mar 2016 10:03:02 +0100
Yes, tested it too on several devices, jailbroken and official firmware from
9.0.1 until 9.3 beta, and this bypass doesn't work.
I think the user is unlocking with Touch ID as Edsel stated before.
Sent from my Secure device
> On 07 Mar 2016, at 15:26, Edsel Adap <edsel@xxxxxxxx> wrote:
>
> This is not reproducible. I tried it on several iPhones. I believe the user
> in the video is unlocking the phone via Touch ID, hence “bypassing” the lock
> screen. In my tests, Siri responds with “You must unlock your iPhone first”.
>
>
>> On 03-07-2016, at 3:52 AM, Vulnerability Lab
>> <research@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Document Title:
>> ===============
>> Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link,
>> Buy Tones Link & Weather Channel Link)
>>
>>
>> References (Source):
>> ====================
>> http://www.vulnerability-lab.com/get_content.php?id=1778
>>
>> Video: http://www.vulnerability-lab.com/get_content.php?id=1779
>>
>>
>>
>> Release Date:
>> =============
>> 2016-03-07
>>
>>
>> Vulnerability Laboratory ID (VL-ID):
>> ====================================
>> 1778
>>
>>
>> Common Vulnerability Scoring System:
>> ====================================
>> 6.4
>>
>>
>> Product & Service Introduction:
>> ===============================
>> iOS (previously iPhone OS) is a mobile operating system developed and
>> distributed by Apple Inc. Originally released in 2007 for the
>> iPhone and iPod Touch, it has been extended to support other Apple devices
>> such as the iPad and Apple TV. Unlike Microsoft's Windows
>> Phone (Windows CE) and Google's Android, Apple does not license iOS for
>> installation on non-Apple hardware. As of September 12, 2012,
>> Apple's App Store contained more than 700,000 iOS applications, which have
>> collectively been downloaded more than 30 billion times.
>> It had a 14.9% share of the smartphone mobile operating system units shipped
>> in the third quarter of 2012, behind only Google's Android.
>>
>> In June 2012, it accounted for 65% of mobile web data consumption (including
>> use on both the iPod Touch and the iPad). By mid-2012,
>> there were 410 million devices activated. According to the special
>> media event held by Apple on September 12, 2012, 400 million
>> devices had been sold through June 2012.
>>
>> ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
>>
>>
>> Apple Inc. is an American multinational technology company headquartered in
>> Cupertino, California, that designs, develops, and sells
>> consumer electronics, computer software, and online services. Its hardware
>> products include the iPhone smartphone, the iPad tablet
>> computer, the Mac personal computer, the iPod portable media player, and the
>> Apple Watch smartwatch. Apple's consumer software includes
>> the OS X and iOS operating systems, the iTunes media player, the Safari web
>> browser, and the iLife and iWork creativity and productivity
>> suites. Its online services include the iTunes Store, the iOS App Store and
>> Mac App Store, and iCloud.
>>
>> (Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )
>>
>>
>> Abstract Advisory Information:
>> ==============================
>> The Vulnerability Laboratory research team discovered multiple connected
>> passcode protection bypass vulnerabilities in iOS v9.0, v9.1 and v9.2.1 for
>> Apple iPhone (5, 5s, 6 & 6s) and iPad (mini, 1 & 2).
>>
>>
>> Vulnerability Disclosure Timeline:
>> ==================================
>> 2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri -
>> Evolution Security GmbH)
>> 2016-01-04: Vendor Notification (Apple Product Security Team)
>> 2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
>> 2016-**-**: Vendor Fix/Patch (Apple Developer Team)
>> 2016-**-**: Security Acknowledgements (Apple Product Security Team)
>> 2016-03-07: Public Disclosure (Vulnerability Laboratory)
>>
>>
>> Discovery Status:
>> =================
>> Published
>>
>>
>> Affected Product(s):
>> ====================
>> Apple
>> Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1
>>
>>
>> Exploitation Technique:
>> =======================
>> Local
>>
>>
>> Severity Level:
>> ===============
>> High
>>
>>
>> Technical Details & Description:
>> ================================
>> An auth passcode bypass vulnerability has been discovered in iOS v9.0,
>> v9.1 and v9.2.1 for Apple iPhone (5, 5s, 6 & 6s) and iPad (mini, 1 & 2).
>> The vulnerability type allows a local attacker with physical device access
>> to bypass the passcode protection mechanism of Apple mobile iOS devices.
>>
>> The vulnerabilities are located in the 'App Store', 'Buy more Tones' or
>> 'Weather Channel' links of the Clock, Event Calendar & Siri user interface.
>> Local attackers can use Siri, the event calendar or the available clock
>> module for an internal browser link request to the App Store that is able to
>> bypass the customer's passcode or fingerprint protection mechanism. The
>> attacker can exploit the issue in several ways with Siri, the events
>> calendar or the clock app of the control panel on default settings to gain
>> unauthorized access to the affected Apple mobile iOS devices.
>>
>> 1.1
>> In the first scenario the attacker requests, for example via Siri, a
>> non-existing app, after which Siri answers with an App Store link to search
>> for it. Then the attacker opens the link and a restricted browser window
>> opens listing some apps. At that point it is possible to switch back
>> without authorization to the internal home screen by interaction with the
>> home button or with Siri again. The link to bypass the controls is visible
>> in the Siri interface only and is called "open App Store". The vulnerability
>> is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.
>>
>> 1.2
>> In the second scenario the attacker is using the control panel to gain
>> access to the non-restricted clock app. The local attacker opens the app via
>> Siri or via the panel and then opens the timer and its End Timer or Radar
>> module. The developers of the app allow Apple customers to buy more sounds
>> for alerts and implemented a link. By pushing the link a restricted App Store
>> browser window opens. At that point it is possible to switch back without
>> authorization to the internal home screen by interaction with the home
>> button or with Siri again. The link to bypass the controls becomes visible
>> in the Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy
>> more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s)
>> with iOS v9.0, v9.1 & v9.2.1.
>>
>> 1.3
>> In the third scenario the attacker opens the clock app via the panel or by a
>> Siri request. After that he opens the internal world clock module. In the
>> bottom right is a link to the Weather Channel that redirects to the store as
>> far as it is deactivated. By pushing the link a restricted App Store
>> browser window opens. At that point it is possible to switch back without
>> authorization to the internal home screen by interaction with the home
>> button or with Siri again. The link to bypass the controls becomes visible
>> in the World Clock (Weather Channel) and is an image used as a link. This
>> special case is limited to the iPad because only those models display the
>> web world map. In the iPhone version the bug does not exist because the map
>> is not displayed, as a limited template is used. The vulnerability is
>> exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.
>>
>> 1.4
>> In the fourth scenario the attacker opens via Siri the 'App & Event
>> Calendar' panel. After that the attacker opens under the Tomorrow task the
>> 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC)
>> link on the left bottom. As far as the weather app is deactivated on the
>> Apple iOS device, a new browser window opens to the App Store. At that point
>> it is possible to switch back without authorization to the internal home
>> screen by interaction with the home button or with Siri again. The link to
>> bypass the controls becomes visible in the App & Events Calendar panel.
>> The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 &
>> v9.2.1.
>>
>> The security risk of the passcode bypass vulnerability is estimated as high
>> with a CVSS (Common Vulnerability Scoring System) count of 6.4.
>> Exploitation of the passcode protection mechanism bypass vulnerability
>> requires no privileged iOS device user account or low user interaction.
>> Physical Apple device access is required for successful exploitation.
>> Successful exploitation of the vulnerability results in unauthorized
>> device access, mobile Apple device compromise and leak of sensitive device
>> data like the address book, photos, SMS, MMS, emails, phone app,
>> mailbox, phone settings or access to other default/installed mobile apps.
>>
>>
>> Vulnerable Module(s):
>> [+] PassCode (Protection Mechanism)
>>
>>
>> Affected Device(s):
>> [+] iPhone (Models: 5, 5s, 6 & 6s)
>> [+] iPad (Models: mini, 1 & 2)
>>
>> Affected OS Version(s):
>> [+] iOS v9.0, v9.1 & v9.2.1
>>
>>
>> Proof of Concept (PoC):
>> =======================
>> The passcode protection mechanism bypass vulnerabilities can be exploited by
>> local attackers with physical device access and without a privileged or
>> restricted device user account.
>> For security demonstration or to reproduce the vulnerability follow the
>> provided information and steps below to continue.
>>
>>
>> 1.1
>> Manual steps to reproduce the vulnerability ... (Siri Interface - App Store
>> Link) iPhone (Models: 5, 5s, 6 & 6s)
>> 1. Take the iOS device and lock the passcode to the front
>> 2. Open Siri by activation via Home button (push 2 seconds)
>> 3. Ask Siri to open a non-existing App
>> Note: "Open App Digital" (Öffne App Digital)
>> 4. Siri responds to the non-existing app and asks to search in the App Store
>> 5. Now an "open App Store" button becomes visible to push (do it!)
>> 6. A new restricted browser window opens with the App Store bottom menu links
>> 7. Click on Updates and open the last app or push twice the home button to
>> let the task slide preview appear
>> 8. Now choose the active front screen task
>> 9. Successful reproduction of the passcode protection bypass vulnerability!
>>
>>
>> 1.2
>> Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more
>> Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
>> 1. Take the iOS device and lock the passcode to the front
>> 2. Open Siri by activation via Home button (push 2 seconds)
>> Note: "Open World Clock" (Öffne App Weltuhr)
>> 3. Push the 'Timer' module button on the bottom
>> 4. Now, push the Radius or End Timer button in the middle of the screen
>> Note: A listing opens with the sounds collection and on top is a commercial
>> web link
>> 5. Push the button and a new restricted browser window opens with the
>> App Store bottom menu links
>> 6. Click on Updates and open the last app or push twice the home button to
>> let the task slide preview appear
>> 7. Now choose the active front screen task
>> 8. Successful reproduction of the passcode protection bypass vulnerability!
>> Note: The vulnerability can also be exploited by pushing the same link in
>> the Alerts Timer (Wecker) next to adding a new one.
>>
>>
>> 1.3
>> Manual steps to reproduce the vulnerability ... (Clock World - Weather
>> Channel Image Link) iPad (Models: 1 & 2)
>> 1. Take the iOS device and lock the passcode to the front
>> 2. Open Siri by activation via Home button (push 2 seconds)
>> Note: "Open App Clock" (Öffne App Uhr)
>> 3. Switch in the bottom module menu to World Clock
>> Note: on the bottom right is an image of the Weather Channel LLC network
>> 4. Push the image of the Weather Channel LLC company in the world map picture
>> Note: Weather app needs to be deactivated by default
>> 5. After pushing the button, a new restricted browser window opens with
>> the App Store bottom menu links
>> 6. Click on Updates and open the last app or push twice the home button to
>> let the task slide preview appear
>> 7. Now choose the active front screen task
>> 8. Successful reproduction of the passcode protection bypass vulnerability!
>> Note: The issue is limited to the iPad 1 & 2 because of the extended map
>> template!
>>
>>
>> 1.4
>> Manual steps to reproduce the vulnerability ... (Events Calendar App -
>> Weather Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 &
>> 6s)
>> 1. Take the iOS device and lock the passcode to the front
>> 2. Open Siri by activation via Home button (push 2 seconds)
>> Note: "Open Events/Calendar App" (Öffne Events/Kalender App)
>> 3. Now push, on the bottom of the screen next to the Tomorrow (Morgen)
>> module, the 'Information of Weather Channel' link
>> Note: Weather app needs to be deactivated by default
>> 4. After pushing the button, a new restricted browser window opens with
>> the App Store bottom menu links
>> 5. Click on Updates and open the last app or push twice the home button to
>> let the task slide preview appear
>> 6. Now choose the active front screen task
>> 7. Successful reproduction of the passcode protection bypass vulnerability!
>>
>>
>> Video Demonstration: In the attached video demonstration we show how to
>> bypass the passcode of the iPhone 6s via the Siri App Store & timer Buy
>> more Tones link.
>> In the video we activated the passcode and set up the control center to be
>> available by default on the locked mobile front screen. Siri was activated
>> as well by default.
>>
>>
>> Solution - Fix & Patch:
>> =======================
>> The vulnerabilities can be temporarily patched by the end user by hardening
>> the device settings. Deactivate the Siri module permanently in the Settings
>> menu. Deactivate also the Events Calendar without passcode to disable the
>> push function of the Weather Channel LLC link. Deactivate in the next step
>> the public control panel with the timer and world clock to disarm
>> exploitation. Activate the weather app settings to prevent the redirect
>> when the module is disabled by default in the events calendar. Finally,
>> Apple needs to issue a patch for the issue, but until this happens a
>> temporary solution has been published as well.
>>
>>
>> Security Risk:
>> ==============
>> The security risk of the passcode protection mechanism bypass
>> vulnerabilities in the Apple iPad and iPhone mobile devices is estimated as
>> high. (CVSS 6.4)
>>
>>
>> Credits & Authors:
>> ==================
>> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
>> (research@xxxxxxxxxxxxxxxxxxxxx)
>> [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
>>
>>
>> Disclaimer & Information:
>> =========================
>> The information provided in this advisory is provided as it is without any
>> warranty. Vulnerability Lab disclaims all warranties, either expressed or
>> implied, including the warranties of merchantability and capability for a
>> particular purpose. Vulnerability-Lab or its suppliers are not liable in any
>> case of damage, including direct, indirect, incidental, consequential loss
>> of business profits or special damages, even if Vulnerability-Lab or its
>> suppliers have been advised of the possibility of such damages. Some states
>> do not allow the exclusion or limitation of liability for consequential or
>> incidental damages so the foregoing limitation may not apply. We do not
>> approve or encourage anybody to break any licenses, policies, deface
>> websites, hack into databases or trade with stolen data.
>>
>> Domains: www.vulnerability-lab.com - www.vuln-lab.com
>> - www.evolution-sec.com
>> Contact: admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx
>> - admin@xxxxxxxxxxxxxxxxx
>> Section: magazine.vulnerability-db.com -
>> vulnerability-lab.com/contact.php - evolution-sec.com/contact
>> Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab
>> - youtube.com/user/vulnerability0lab
>> Feeds: vulnerability-lab.com/rss/rss.php -
>> vulnerability-lab.com/rss/rss_upcoming.php -
>> vulnerability-lab.com/rss/rss_news.php
>> Programs: vulnerability-lab.com/submit.php -
>> vulnerability-lab.com/list-of-bug-bounty-programs.php -
>> vulnerability-lab.com/register.php
>>
>> Any modified copy or reproduction, including partial usage, of this file
>> requires authorization from Vulnerability Laboratory. Permission to
>> electronically redistribute this alert in its unmodified form is granted.
>> All other rights, including the use of other media, are reserved by
>> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
>> advisories, source code, videos and other information on this website are
>> trademarks of the Vulnerability-Lab team & the specific authors or
>> managers. To record, list, modify, use or edit our material contact
>> (admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to ask for permission.
>>
>> Copyright © 2016 | Vulnerability Laboratory - [Evolution
>> Security GmbH]™
>>
>> --
>> VULNERABILITY LABORATORY - RESEARCH TEAM
>> SERVICE: www.vulnerability-lab.com
>> CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
>>
>
> --
> Edsel Adap
> edsel@xxxxxxxx
>
>
>