[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Feb 2016 12:16:08 +0100
Document Title:
===============
Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1710
Apple Follow-up ID: 631627909
Video: http://www.vulnerability-lab.com/get_content.php?id=1711
Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2016/02/04/apple-ios-v9x-application-update-loop-pass-code-bypass
Release Date:
=============
2016-02-04
Vulnerability Laboratory ID (VL-ID):
====================================
1710
Common Vulnerability Scoring System:
====================================
6
Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and
distributed by Apple Inc. Originally released in 2007 for the
iPhone and iPod Touch, it has been extended to support other Apple devices such
as the iPad and Apple TV. Unlike Microsoft`s Windows
Phone (Windows CE) and Google`s Android, Apple does not license iOS for
installation on non-Apple hardware. As of September 12, 2012,
Apple`s App Store contained more than 700,000 iOS applications, which have
collectively been downloaded more than 30 billion times.
It had a 14.9% share of the smartphone mobile operating system units shipped in
the third quarter of 2012, behind only Google`s Android.
In June 2012, it accounted for 65% of mobile web data consumption (including
use on both the iPod Touch and the iPad). At the half of 2012,
there were 410 million devices activated. According to the special media event
held by Apple on September 12, 2012, 400 million devices have been
sold through June 2012.
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a pass code lock
auth bypass vulnerability in the official Apple iOS (iPhone5&6|iPad2) v8.x,
v9.0, v9.1 & v9.2.
Vulnerability Disclosure Timeline:
==================================
2015-10-22: Researcher Notification & Coordination (Benjamin Kunz Mejri -
Evolution Security GmbH)
2015-10-23: Vendor Notification (Apple Product Security Team)
2015-01-22: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Developer Team)
2016-02-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
An application update loop that results in a pass code bypass vulnerability has
been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 &
v9.2.
The security vulnerability allows local attackers to bypass pass code lock
protection of the apple iphone via an application update loop issue.
The issue affects the device security when processing to request a local update
by an installed mobile ios web-application.
The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware
configuration with iOS v8.2 - v9.2 when processing an update which results in a
interface
loop by the application slides. Local attacker can trick the iOS device into a
mode were a runtime issue with unlimited loop occurs. This finally results in
a temporarily deactivate of the pass code lock screen. By loading the loop with
remote app interaction we was able to stable bypass the auth of an iphone after
the reactivation via shutdown button. The settings of the device was
permanently requesting the pass code lock on interaction. Normally the pass
code lock is
being activated during the shutdown button interaction. In case of the loop the
request shuts the display down but does not activate the pass code lock like
demonstrated in the attached poc security video.
In case of exploitation the attack could be performed time-based by a
manipulated iOS application or by physical device access and interaction with
restricted
system user account. In earlier cases of exploitation these type of loops were
able to be used as jailbreak against iOS. The vulnerability can be exploited in
non-jailbroken unlocked apple iphone mobiles.
The security risk of the local pass code bypass issue is estimated as high with
a cvss (common vulnerability scoring system) count of 6.0.
Exploitation of the local bug requires pending on the attack scenario local
device access or a manipulated app installed to the device without user
interaction.
Successful exploitation of the security vulnerability results in unauthorized
device access via pass code lock bypass.
Proof of Concept (PoC):
=======================
The new attack case of scenario can be exploited by local attackers with
physical bank branch office service access and valid local banking card.
For security demonstration or to reproduce the issue follow the provided
information & steps below to continue.
Manual steps to reproduce the vulnerability ...
1. First fill up about some % of the free memory in the iOS device with random
data
2. Now, you open the app-store choose to update all applications (update all
push button)
3. Switch fast via home button to the slide index and perform iOS update at the
same time
Note: The interaction to switch needs to be performed very fast to successfully
exploit. In
the first load of the update you can still use the home button. Press it go
back to index
4. Now, press the home button again to review the open runnings slides
5. Switch to the left menu after the last slide which is new and perform to
open siri in the same
moment. Now the slide hangs and runs all time in a loop
6. Turn of via power button the ipad or iphone ....
7. Reactivate via power button and like you can see the session still runs in
the loop and can be
requested without any pass code
Note: Normally the pass code becomes available after the power off button
interaction to
stand-by mode
8. Successful reproduce of the local security vulnerability!
Video Demonstration:
In a video we demonstrate how to bypass with a unlimited loop in the interface
the pass code lock settings of the iOS v9 iPad2. The issue is not
limited to the device and can be exploited with iPhone as well. The power
button on top activates with the stand-by mode the pass code lock for
the iOS device. In case of the loop we tricked the device into a mode were we
was able to bypass the pass code.
URL: https://www.youtube.com/watch?v=V-9lE1L3nq0
Solution - Fix & Patch:
=======================
The loop issue needs to be patched in the main interface by the dev team. The
issue can be prevented by a locate of the stack with a restriction.
Security Risk:
==============
The security risk of the local iOS loop that results in a pass code bypass
vulnerability is estimated as high. (CVSS 6.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(research@xxxxxxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2016 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/