List: full-disclosure
Subject: [FD] Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-04-22 8:48:20
Message-ID: 55376054.3060309 () vulnerability-lab ! com
Document Title:
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1322
Video: http://www.vulnerability-lab.com/get_content.php?id=1334
Release Date:
=============
2015-03-02
Vulnerability Laboratory ID (VL-ID):
====================================
1322
Common Vulnerability Scoring System:
====================================
5.2
Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple's App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google's Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have been sold through June 2012.
The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating it in three dimensions (one common result is switching from portrait to landscape mode).
iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple's mobile version of the OS X operating system used on Apple computers.
In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device's flash memory for the system partition, using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a bypass vulnerability in the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.
Vulnerability Disclosure Timeline:
==================================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS 8.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local pass code (code lock) bypass and glitch has been discovered in the Apple iOS v8.0 (12A365) mobile device system. The vulnerability allows an attacker to bypass or evade, via a glitch, the regular pass code restriction of the embedded iOS device system.
The local bypass vulnerability is located in the favorite contact preview function that can be used for iMessages or phone calls. Local attackers with physical access can glitch the display by using Siri to bypass the device system access restriction after the end of a call.
To exploit the issue, the attacker visits the favorite call function via the home button in the iOS task favorite preview slideshow. He clicks a contact and uses Siri to merge, via the glitch, with the authorized call app. In the next step he locks the mobile device. Then he holds the volume + button multiple times to keep the service alive from the end of the call through to the pass code logon screen. The issue is very tricky to exploit but in the end affects the apparently secure pass code restriction. The attacker is able to push the power button multiple times at the last moment to deactivate the display and start the pass code lock. However, the local attacker is able to bypass exactly this mechanism in the mentioned location.
During the tests the security researcher recorded a video that demonstrates the security issue and the glitch that affects the local device security. As with the Samsung in 2010, the device allows access to the information as long as a call runs in the phone app. The local issue has been tested and verified on default-configured iPhone 6 and 5s devices.
The security risk of the local pass code bypass vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.2. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account, multi-user account or restricted physical device access without user interaction. Successful exploitation of the local pass code bypass vulnerability results in device compromise or information leaking.
Affected Device(s):
[+] Apple > iPhone 5 & 6
Affected OS Version(s):
[+] iOS v8.0 (12A365)
Tested Device(s):
[+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)
Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the issue, follow the provided information and steps below.
Requirement(s):
[+] iOS v8.0 (default install)
[+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
[+] Two healthy hands ;)
Manual Steps to reproduce the local vulnerability ...
1. Start your iOS device and install the new iOS v8.0 on your iPad 2, iPhone 5s or iPhone 6 device
2. Start the mobile and log in with the pass code
3. Now press the home button twice to see the app preview slideshow and the new favorite contact slideshow above
4. Move your finger over the favorite contact and two symbols become visible (Phone app and Message app)
5. Now press the home button for two seconds to activate Siri and, in the last second, push the private call button to the contact
Note: Be fast! After it, Siri, which is available in default mode, glitches ahead to the phone call
6. Now push the power button on top of the mobile and shortly after it use the hardware volume button to reactivate
Note: The mobile now goes into locked mode after the power button push, but Siri is glitched ahead to the call that runs
7. In the call mask you can click the contacts button by pressing around the button because of the Siri glitch
8. The contact list becomes available as long as the call runs with the glitch through Siri
9. Successful bypass of the secure pass code restriction!
Reference(s):
../poc-video.wmv
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
Security Risk:
==============
The security risk of the local auth bypass issue and glitch in iOS v8.0 is estimated as medium. (CVSS 5.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/