Advertisement




Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016110147

Below is a copy:

Apple iOS 10.1 - Multiple Access Permission Vulnerabilities *youtubeDocument Title:
===============
Apple iOS 10.1 - Multiple Access Permission Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2012

Apple Security ID: 648680301

Video1: https://www.youtube.com/watch?v=fY2Obtxk_Dg
Video2: https://www.youtube.com/watch?v=46CHjQxkKxk


Release Date:
=============
2016-11-17


Vulnerability Laboratory ID (VL-ID):
====================================
2012


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating
system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local passcode bypass via access permission vulnerability in the official Apple iOS v10.1 for iphones and ipads.


Vulnerability Disclosure Timeline:
==================================
1.1
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.2
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


1.3
2016-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-09-07: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.4
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Prodct Security Team)
2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team)
2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team)
2016-**-**: Security Acknowledgements (Apple Prodct Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS 10.0 & 10.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local passcode bypass via access permission vulnerability in the official Apple iOS v10.1 for iphones and ipads.
The ios access permision vulnerability allows a local attacker to unauthorized access the internal device data.

The same type of issue has been detected multiple times within the new update version 10.0 and the followup 10.1.
To explain the different type of issues we splitted the information into 3 different parts.

1. Dictation to Share Access Permission via incompatible Device
The vulnerability is located after installtion of the ios 10.x version to the incompatible apple ipad2 device.
The website of the apple site showed us that imcompatible devices can cause on usage in unexpected behavoir,
so we decided to install the version to one of our test environment devices. After the installation we have
noticed that the dictionary function became available ahead to the desk. In our testings we used the function
to trigger a glitch on accessing the more information button in the locked device mode. After processing the
interaction manually in a loop, we was able to get ahead the passcode screen area a push magnifying glass preview.
Watching the bug displayed information of a restricted area that is located in `Device - Siri - About Sir &
Data Security to Privacy`. Now i moved to the link by searching blind the location and pushed twice to receive
the input menu bar like when marking a text. People that are aware of ios know that these function allows
several options depending on the input and connected function. Now an attacker can use the share function that
became visible ahead during the passcode lock screen via glitch and pushs the share button. Now the email
opens. Then the attacker marks the email of the contact and pushs twice the contact plus a keyboard letter of
an exisiting contact. Now the contact comes ahead, click the info button and move to the profil location.
Add the information to a new contact, then press the image button and now the attacker is able to access
the photo album of the device without any restrictions. Attackers can use an incompatible device to a
specific version that runs on the hardware to bypass. After that they can process a backup to move the
data back to the compatible device. It is very important to say that the location of the site module is
behind the protected layer of the passcode. All abilities are granted at that point to move to different
important device functions or locations.

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device
compromise by malicious interaction.


2. Voice Over Call to Contact Access Permission Vulnerability - Access Permission via compatible Device
In the second test reported to he issue within august to september, we noticed another access permission issue
that came across because of the voice over function and another unrecognized issue by the apple developer team.
Our story starts when we was processing to bypass again the passcode screen for the apple product security team
to discover a new vulnerability in the bug bounty program. After using the function in combination with siri there
was an ability to trigger a glitch, that allows to freeze the contact list. During the investigation the the glitch
made information of contacts available. Normally thus is not an evil behavoir, when having siri activated. You ever
have the ability as user to call or write a specific contact a message as far as you know the same and contact.
In some cases the siri also shows some small information about the call number but all so far okey. So we added to
one of our contact another information, then the phone number plus address and identified that when we reproduce the
glitch that like in the normal search listing of the phone app, the information becomes visible. The difference
between was that ago there was no information button next to the account listed after saving for example an
email or skype. We reproduced the the contact issue by activating and deactivating the voice over function via
siri and pushed directly in the visible list the information button. Now, the contact of the letter you press
opens and the attacker can move to edit. By pushing the picture the attacker is able to access unauthorized the
album of the device without restriction. By pushing the contact button or email, the attacker is able to write
or interaction to compromise. On both issues all abilities are granted at that point to move to different
important device functions or locations. We figured out that when you process to push the cloud button on share
that the mobile will move to a black screen mode, for luck we was not able like in 2012/2013 accessing the data
via usb connection.

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.3.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device
compromise by malicious interaction.


3. Facetime Call to non-exisiting Contact Acces Permission Vulnerability via compatible Device
Due to the last updates to ios 10.0 and 10.1 there are some new features. When you process to say to siri
`Hi Siri call George via Facetime` ... Siri will answer `I can't call the user`. Now you say again `call
George via Facetime`. Next to that push and hold the middle of the display ... now a second button under
the first siri call becomes visible with the already well known `Others` function. Push the button and the
contact list opens. In that modus it is not possible to move inside the contacts because they are grey,
but you can preview all the names and use the search as well. A full escalte is at that point not possible.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking and apple device
compromise by malicious interaction.


4. Voice Over to Contacts & Characters Memory Issue - Access Permission Vulnerability
On investigation with the 2. vulnerability we identified another very strange vulnerability. When processing to request
via Voice Over permanently the contact list by usage of a glitch, it can happen that the device is that irritated that
is shows you some really private information. Within the last year i deleted several of my old contacts because of they
did switch to another numbers, during the investigate my employee was all time seeing me reproduce the issue and asked
me one time ... have you not deleted those accounts about 1 year ago permanently. I was watching into the sim contacts,
the phone contacts and checked as well the icloud sync. At that moment we came to that point, were we was reading
sensitive device information that stores in the cloud as well all the deleted entries. The problem occurs mainly when
process to push `.` or `space`button with a contact list glitch on voice over. In the most cases the information shows
you the context that is illegal requested in the formular search entry but in case of our issue the device shows permanently
deleted account information of the cloud that should not be stored anymore at all. So even if you remove the data of
icloud, your deviceand the sim. However it is not clear why the information is accessable on usage of the glitch.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 5.8.
Exploitation of the local device vulnerability requires physical device access without privileged device user account.
Successful exploitation of the local access permission vulnerability results in information leaking of permanently
deleted contact information.


Proof of Concept (PoC):
=======================
1.1
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Push the home button to get light on the screen
3. Push the dictation function on top next to the search
4. Then a message box appears with 3 different options
5. Click the middle option to receive more information (Mehr Infos)
Note: Basically the data security police is only available after include
of the active passcode or fingerprint
6. Do the procedure twice again by pushing option 2
7. Push the home button and then push after it by leaving the home
button the power button
Note: The light goes off you are ahead to the locked home screen
8. In the next step the local attacker pushs the home button twice to
receive ahead to the visible slides the passcode layer
9. Now you can push anywhere inside the passcode form to watch the
document thats behind the passcode of the dictation module in the
keyboard settings
Note: You can now mark the text with an iphone plus or an iphone 7 and
get the text highlighting options
10. Push the and hold to get the menu inside of the text
11. Now the attacker uses the Copy, Lookup (Nachschlagen) or Shares
(Freigaben) functions to shimmy through the layer function
12. Successful reproduce of the local issue!

Note: The mask behind the dictation function becomes normally only visible by an auth because of the protected layer.
The menu functions like, copy, share and lookup are normally as well not available at thus layer without authentication.
The glitch affects as well the passcode layer in the home screen in case of collision handling.


1.2
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now make a call to your test device within the locked mode
4. Select on arrival of the call the customized answer via message button
5. Push the home button and say "Activate Voice Over"
Note: Now the voice over function uses the ui to perform to open on push
6. Push with one button on top twice the name of the contact to message and then press directly after it a character like A
7. A glitch happens and the contact list becomes available. Now process that again since you find a visit card contact with email or skype
Note: Behind the contact is an Information button to the profile of the old iOS version 9.x
9. Push that button
Note: Now the profile opens
10. Push to edit and then push the picture of the profile to set
11. Now you are inside the album and can move to share for further compromise via email or apps
12. Successful reproduce of the second local access permission vulnerability!


1.3
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now push and hold the home button for siri
4. "Call George via Facetime"
5. "George does not exisit"
Note: Now a button appears with <Others> as option
6. Push the button and process the same twice again
7. After the thrid time push the button "Others" that appears twice at least and hold the siri button
Note: A glitch appears that moves the button to a grey template
8. Push the button again with the grey element and the contact list opens without access permission
9. Successful reproduce of the third local access permission vulnerability!


1.4
The local vulnerability can be exploited by attackers with physical device access and without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the new iOS update to version 10 of apple
2. Lock the device
3. Now make a call to your test device within the locked mode
4. Select on arrival of the call the customized answer via message button
5. Push the home button and say "Activate Voice Over"
Note: Now the voice over function uses the ui to perform to open on push
6. Push with one button on top twice the name of the contact to message and then press directly after it a character . with Siri via Home
7. Now a smart green contact list appears with blue tags showing all permanently deleted accounts sorted
Note: The data displayed comes of the internal memory storage without authentication
9. Successful reproduce of the fourth local vulnerability!


Solution - Fix & Patch:
=======================
The following steps are a temp solution to resolve the vulnerabilities manually.
1. Deactivate siri application
2. Deactivate the dictation application
3. Disable the app access in the locked device mode
4. Deactivate the voice over function in the device settings
5. Deactivate facetime calls within the locked mode
6. Deactivate the message arrival answer
6. Now, wait for the next updates of ios that  resolve the issues permanently!


Security Risk:
==============
1.1
The security risk of the first access permission vulnerability in the apple ios device is estimated as high. (cvss 6.3)

1.2
The security risk of the second access permission vulnerability in the apple ios device is estimated as high. (cvss 6.1)

1.3
The security risk of the third access permission vulnerability in the apple ios device is estimated as medium. (cvss 4.2)

1.4
The security risk of the fourth vulnerability in the apple ios device is estimated as high. (cvss 5.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - vulnerability-lab.com/contact.php                             - evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab                                 - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php                    - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact ([email protected]) to get a ask permission.

                                    Copyright  2016 | Vulnerability Laboratory - [Evolution Security GmbH]

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.