List: full-disclosure
Subject: [FD] Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-04-22 8:48:20
Message-ID: 55376054.3060309 () vulnerability-lab ! com
Document Title:
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1322
Video: http://www.vulnerability-lab.com/get_content.php?id=1334
Release Date:
=============
2015-03-02
Vulnerability Laboratory ID (VL-ID):
====================================
1322
Common Vulnerability Scoring System:
====================================
5.2
Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple's App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google's Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). By mid-2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices had been sold through June 2012.
The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating it in three dimensions (one common result is switching from portrait to landscape mode).
iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple's mobile version of the OS X operating system used on Apple computers.
In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device's flash memory for the system partition, using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a bypass vulnerability in the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.
Vulnerability Disclosure Timeline:
==================================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS 8.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local pass code (code lock) bypass and glitch has been discovered in the Apple iOS v8.0 (12A365) mobile device system. The vulnerability allows an attacker to bypass or evade, via a glitch, the regular pass code restriction of the embedded iOS device system.
The local bypass vulnerability is located in the favorite contact preview function, which can be used for iMessages or phone calls. Local attackers with physical access can glitch the display by using Siri, in order to bypass the device system access restriction after a call has ended.
To exploit the issue, the attacker opens the favorite call function via the home button in the iOS task switcher's favorite preview slideshow. He taps a contact and uses Siri to merge, via the glitch, with the authorized call app. In the next step he locks the mobile device. He then presses the volume + button multiple times to keep the service alive after the call ends, ahead of the pass code logon screen. The issue is very tricky to exploit, but in the end it clearly affects the secure pass code restriction. The attacker is able to push the power button multiple times at the last moment to deactivate the display and start the pass code lock; however, the local attacker is able to bypass exactly this mechanism in the mentioned location.
During the tests the security researcher recorded a video that demonstrates the security issue and the glitch that affects the local device security. As with the Samsung issue in 2010, the device allows access to the information as long as a call is running in the phone app. The local issue has been tested and verified on default-configured iPhone 6 and 5s devices.
The security risk of the local pass code bypass vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.2. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account, multi user account or restricted physical device access without user interaction. Successful exploitation of the local pass code bypass vulnerability results in device compromise or information leaking.
Affected Device(s):
[+] Apple > iPhone 5 & 6
Affected OS Version(s):
[+] iOS v8.0 (12A365)
Tested Device(s):
[+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)
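The precondition the advisory relies on is that Siri answers from the lock screen, which is the iOS default. On managed devices that default can be overridden through the Restrictions payload of a configuration profile, so an auditor wants to check that the setting is actually present. The following Python example is added here and is not part of the advisory: it builds a minimal .mobileconfig with the standard-library `plistlib` and audits it. The payload type `com.apple.applicationaccess` and the key `allowAssistantWhileLocked` are Apple's real profile identifiers; the payload identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Apple's Restrictions payload type and the key that controls whether Siri
# may be used from the lock screen; both are real configuration-profile
# identifiers. Everything else below (identifiers, UUIDs) is constructed.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
SIRI_WHILE_LOCKED_KEY = "allowAssistantWhileLocked"


def build_profile(allow_siri_while_locked=None):
    """Serialize a minimal .mobileconfig (XML plist) with one Restrictions
    payload. Passing None leaves the key out, which mirrors a profile that
    never addressed the setting, so the device default applies."""
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.restrictions.payload",  # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # constructed
        "PayloadVersion": 1,
    }
    if allow_siri_while_locked is not None:
        restrictions[SIRI_WHILE_LOCKED_KEY] = allow_siri_while_locked
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.restrictions.profile",  # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def siri_locked_out(profile_bytes):
    """Audit a profile: True only if some Restrictions payload explicitly sets
    allowAssistantWhileLocked to False. A missing key is reported as not
    mitigated, because the iOS 8 default leaves Siri reachable from the
    lock screen, which is the precondition for the glitch described above."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        if payload.get(SIRI_WHILE_LOCKED_KEY) is False:
            return True
    return False


if __name__ == "__main__":
    # Explicit False is the only state that counts as mitigated.
    for setting in (False, True, None):
        verdict = "mitigated" if siri_locked_out(build_profile(setting)) else "NOT mitigated"
        print(f"{SIRI_WHILE_LOCKED_KEY}={setting!s:<5} -> {verdict}")
```

Point `siri_locked_out` at the bytes of a real exported profile to check a fleet's baseline; a profile that merely omits the key leaves the lock-screen Siri default in place.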
Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the issue, follow the provided information and steps below.
Requirement(s):
[+] iOS v8.0 (default install)
[+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
[+] Two healthy hands ;)
Manual Steps to reproduce the local vulnerability ...
1. Start your iOS device and install the new iOS v8.0 on your iPad 2, iPhone 5s or iPhone 6 device
2. Start the mobile and log in with the pass code
3. Now press the home button twice to see the app preview slideshow and the new favorite contact slideshow above it
4. Move your finger over the favorite contact and two symbols become visible (Phone app and Message app)
5. Now press the home button for two seconds to activate Siri and push, in the last second, the private call button for the contact
Note: Be fast! After this, Siri (which is available by default) glitches ahead to the phone call
6. Now push the power button on top of the mobile and shortly afterwards use the hardware volume button to reactivate
Note: The mobile now goes into locked mode after the power button push, but Siri is glitched ahead to the running call
7. In the call mask you can click the contacts button by pressing around the button, because of the Siri glitch
8. The contact list becomes available as long as the call runs with the glitch through Siri
9. Successful bypass of the secure pass code restriction!
Reference(s):
../poc-video.wmv
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
Security Risk:
==============
The security risk of the local auth bypass issue and glitch in iOS v8.0 is estimated as medium. (CVSS 5.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/