Document Title: =============== Apple iOS 8.0.3 - Silent VCF & iMessage DoS Vulnerability Date: ===== 2015-05-29 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1324 Video: http://www.vulnerability-lab.com/get_content.php?id=1333 Article: http://vulnerability-db.com/magazine/articles/2014/10/22/apple-ios-v802-silent-contact-0day-vulnerability-denial-service VL-ID: ===== 1324 Common Vulnerability Scoring System: ==================================== 4 Introduction: ============= iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have been sold through June 2012. The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating it in three dimensions (one common result is switching from portrait to landscape mode). iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system used on Apple computers. In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition, using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad. ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a local denial of service vulnerability in the official Apple iOS v8.0 mobile device system. Report-Timeline: ================ 2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team) 2014-10-23: Public Disclosure (Vulnerability Laboratory) 2015-05-28 - Again reported by another person via iMessage Note: The arabic signs are useless in the new payload. As reference to the duplicate of the external researcher watch: http://www.vulnerability-lab.com/get_content.php?id=455 > http://www.heise.de/security/meldung/Nachricht-des-Todes-legt-auch-Apple-Watch-lahm-2671449.html Status: ======== Published Affected Products: ================== Apple Product: iOS v8.0 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A local denial of service vulnerability has been discovered in the Apple iOS v8.3 mobile application device system. The issue allows a local attacker to shutdown the mobile device by a corrupt interaction with a default core function. The local denial of service vulnerability is located in the favorite contact preview slideshow of the imessage core app. During the tests of a new feature we included several script codes and payloads to evade the core validation. After the manipulation of a .vcf file and imessage body the researcher was able to catch a critical unhandled NSRangeException (__NSArrayI objectAtIndex). The injected payload in the contact file (.vcf) crashs the internal imessage application when processing to open or receive the malicious contact/message. The bug appears to confuse the the mechanism that parses the context of the contact or body message that gets converted to the imessage app itself. Even if the array shows an empty value the injected script code with the frame will return to crash. As result to prevent a critical corruption the mobile restarts after 2 seconds during to the invalid process and unhandled crash. The issue is exploitable by exchange of malicious vcf files or by sending a special crafted imessage to a victim mobile ios phone. The security risk of the remote denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.0. Exploitation of the local denial of service vulnerability requires no physical device access without interaction. Successful exploitation of the local denial of service vulnerability results in device shutdown and imessage ui application crash by a corruption that causes through an unhandled (uncaught) exception. Affected Device(s): [+] Apple > iPhone 5 & 6 Affected OS Version(s): [+] iOS v8.0 (12A365) - 8.3 Tested Device(s): [+] Apple iPhone 5s & 6 > iOS v8.3 Proof of Concept: ================= The denial of service vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manually steps to reproduce the security vulnerability ... 1. Start the mobile iOS device (ipad2, iphone 5s or iphone 6) with the new iOS v8.0 2. Import the file to the local ios contacts service 3. Call the new service one time without paying anything because the call is invalid Note: After the call the contact becomes visible to the `history` in the task slide preview module! It`s also possible to interact by an include to the `favority contacts` module to exploit 4. Go to the home screen of ios and press two times the home button to review the new iOS 8.0 feature with the favorites or history contacts 5. Press the include test contact and open the message/imessage symbole 6. The application crashs with an unknown exception and the mobile shutsdown Note: The contact can be send by imessage, email or via sms to compromise the preview contact slideshow of favorites or history calls 7. Successful exploitation of the local denial of service vulnerability! PoC: Payload(s) - iMessage ็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ or ็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ PoC1: Import or Exchange via iMessage (*.vcf) BEGIN:VCARD VERSION:3.0 PRODID:-//Apple Inc.//iOS 8.0//EN N:%20