[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Apr 2015 10:48:20 +0200
Document Title:
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1322

Video: http://www.vulnerability-lab.com/get_content.php?id=1334


Release Date:
=============
2015-03-02


Vulnerability Laboratory ID (VL-ID):
====================================
1322


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and 
distributed by Apple Inc. Originally released in 2007 for 
the iPhone and iPod Touch, it has been extended to support other Apple devices 
such as the iPad and Apple TV. Unlike Microsoft`s 
Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for 
installation on non-Apple hardware. As of 
September 12, 2012, Apple`s App Store contained more than 700,000 iOS 
applications, which have collectively been downloaded more 
than 30 billion times. It had a 14.9% share of the smartphone mobile operating 
system units shipped in the third quarter of 2012, 
behind only Google`s Android. In June 2012, it accounted for 65% of mobile web 
data consumption (including use on both the iPod 
Touch and the iPad). At the half of 2012, there were 410 million devices 
activated. According to the special media event held by 
Apple on September 12, 2012, 400 million devices have been sold through June 
2012.

The user interface of iOS is based on the concept of direct manipulation, using 
multi-touch gestures. Interface control elements 
consist of sliders, switches, and buttons. Interaction with the OS includes 
gestures such as swipe, tap, pinch, and reverse pinch, 
all of which have specific definitions within the context of the iOS operating 
system and its multi-touch interface. Internal 
accelerometers are used by some applications to respond to shaking the device 
(one common result is the undo command) or rotating 
it in three dimensions (one common result is switching from portrait to 
landscape mode).

iOS is derived from OS X, with which it shares the Darwin foundation. iOS is 
Apple`s mobile version of the OS X operating system 
used on Apple computers.

In iOS, there are four abstraction layers: the Core OS layer, the Core Services 
layer, the Media layer, and the Cocoa Touch layer. 
The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the 
device`s flash memory for the system partition, 
using roughly 800 MB of that partition (varying by model) for iOS itself. iOS 
currently runs on iPhone, Apple TV, iPod Touch, and iPad.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )



Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered bypass vulnerability in 
the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.


Vulnerability Disclosure Timeline:
==================================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL 
Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS 8.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local pass code (code lock) bypass and glitch has been discovered in the 
Apple iOS v8.0 (12A365) mobile device system.
The vulnerability allows to bypass or evade via glitch the regular pass code 
restriction of the embed iOS device system.

The local bypass vulnerability is located in the favorite contact preview 
function that can be used for imessages or phone calls. 
Local attackers with physical access can glitch the display by usage of siri to 
bypass since the end of a call the device system 
access restriction.

To exploit the attacker visit the favorite call function via the home button in 
the ios task favorite preview slideshow. He clicks 
a contact and uses siri to merge via glitch with the authorized call app. In 
the next step he locks the mobile device. The he 
hold the volume + button multiple times to keep the service since the call end 
ahead to the pass code logon screen. The issue 
is very tricky to exploit but affects at the end obviously secure pass code 
restriction. The attacker is able to multiple times 
push in the last moment the power button to deactivate the display and start 
the pass code lock. However the local attacker is 
able to bypass exactly this mechanism in the mentioned location.

During the tests the security researcher revealed a video that demonstrates the 
security issue and the glitch that affects the 
local device security. Like in the Samsung in 2010 the device allows to access 
the information as long as a call runs in 
the phone app. The local issue has been tested to verify with the default 
configured iphone 6 and 5s device.

The security risk of the local pass code bypass vulnerability is estimated as 
medium with a cvss (common vulnerability scoring 
system) count of 5.2. Exploitation of the local glitch bypass vulnerability 
requires a privileged web-application user account, 
multi user account or restricted physical device access without user 
interaction. Successful exploitation of the local pass code 
bypass vulnerability results in device compromise or information leaking.


Affected Device(s):
                        [+] Apple > iPhone 5 & 6

Affected OS Version(s):
                        [+] iOS v8.0 (12A365)

Tested Device(s):
                        [+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)


Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical 
device access without user interaction.
For security demonstration or to reproduce the issue follow the provided 
information and steps below to continue.

Requirement(s):
                        [+] iOS v8.0 (default install)
                        [+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
                        [+] Two healthy hands ;)


Manual Steps to reproduce the local vulnerability ...

1. Start your iOS device and install the new iOS v8.0 to your ipad2, iphone 5s 
or iphone 6 device
2. Start the mobile and login to the pass code
3. Now press the home button twice to see the app preview slide show and the 
new favorite contract slideshow above
4. move you finger over the favorite contact and two symboles become visible 
(Phone app and Message app)
5. Press now the home button two seconds to activate siri and push in the last 
second the private call button to the contact
Note: Be fast! After it the siri which is in default mode available glitches 
ahead to the phone call
6. Now you push the power button on top of the mobile and shortly after it you 
use the hardware volumen to reactivate
Note: The mobile now goes in the locked mode after the power button push but 
the siri is ahead glitched to the call that runs
7. In the call mask you can click the contacts button by pressing around the 
button because of the siri glitch
8. The contact list becomes available as long as the call runs with the glitch 
through siri
9. Successul bypass of the secure pass code restriction! 

Reference(s):
                        ../poc-video.wmv

Picture(s):
                        ../1.png
                        ../2.png
                        ../3.png
                        ../4.png
                        ../5.png
                        ../6.png
                        ../7.png
                        ../8.png


Security Risk:
==============
The security risk of the local auth bypass issue and glitch in the iOS v8.0 is 
estimated as medium. (CVS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2015 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY: 
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: Re: [FD] Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability
Next by Date: [FD] iPassword Manager v2.6 iOS - Persistent Vulnerabilities
Previous by thread: [FD] Google Analytics by Yoast stored XSS #2
Next by thread: [FD] iPassword Manager v2.6 iOS - Persistent Vulnerabilities
Index(es):
- Date
- Thread