Document Title:
===============
Apple iOS (Notify iTunes) - Bypass & Persistent Vulnerability


Date:
=====
2017-01-16


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2024

Followup ID: 654962036

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/12/22/apple-ios-102-notify-function-vulnerable-attacks-idevice-itunes-appstore


VL-ID:
=====
2024


Common Vulnerability Scoring System:
====================================
4.4


Introduction:
=============
iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. 
It is the operating system that presently powers many of the company's mobile devices, including 
the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )

iTunes is a media player, media library, online radio broadcaster, and mobile device management 
application developed by Apple Inc. It is used to play, download, and organize digital downloads 
of music and video (as well as other types of media available on the iTunes Store) on personal 
computers running the macOS and Microsoft Windows operating systems. The iTunes Store is also 
available on the iPhone, iPad, and iPod Touch. Through the iTunes Store, users can purchase and 
download music, music videos, television shows, audiobooks, podcasts, movies, and movie rentals 
in some countries, and ringtones, available on the iPhone and iPod Touch (fourth generation onward). 
Application software for the iPhone, iPad and iPod Touch can be downloaded from the App Store. iTunes 
12.5 is the most recent major version of iTunes, available for Mac OS X v10.9.5 or later and Windows 7 
or later; it was released on September 13, 2016. iTunes 12.2 added Apple Music to the application, along 
with the Beats 1 radio station, and iTunes 12.5 offers a refinement of the Apple Music interface.

(Copy of the Homepage: https://en.wikipedia.org/wiki/ITunes )


Abstract:
=========
The vulnerability laboratory core research team discovered a persistent input validation vulnerability, a filter bypass and a 
malformed mail encode issue in the official apple ios 10.2 notify function and itunes online service web-application.


Report-Timeline:
================
2016-12-15: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-12-16: Vendor Notification (Apple Product Security Team)
2016-12-16: Vendor Response/Feedback (Apple Product Security Team)
2017-01-16: Temp Vendor Fix/Patch (Apple Cupertino Service Developer Team)
2017-01-16: Public Disclosure (Vulnerability Laboratory)
2017-01-20: Security Acknowledgements (Apple Product Security Team)
2017-01-28: Vendor Fix/Patch (Apple Cupertino Service Developer Team)


Status:
========
Published


Affected Products:
==================
Apple
Product: iTunes & AppStore - Online Service (Web-Application) v2016 Q4


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent input validation vulnerability, a filter bypass and a malformed mail encode issue has been discovered in 
the official apple ios 10.2 notify function and itunes online service web-application. The persistent vulnerability 
allows remote attackers to inject own malicious script codes to the application-side of the vulnerable module or function.

The vulnerability is located in the new iTunes and Appstore `Notify` function for iOS v10.2 devices. The function does take 
the user credentials of the icloud or devicename values to perform the notify. The performed outgoing email of the new-itunes 
services has not parse mechanism for the user credentials streamed through the email client. Thus allows remote attackers to 
inject own malicious payloads to execute them within the introduction word line were the name is visible in the email body of 
the notify message. The request method is a sync via the device and the attack vector is persistent. The injection point are 
the user credentials of the `firstname` parameter and the execution point occurs in the outgoing email by the "@new.itunes.com" 
email sender. The same type of vulnerability has been disclosed already by our team in the invoices of the appstore and itunes 
in 2015. (Ref: https://www.vulnerability-lab.com/get_content.php?id=1512 )The vulnerability can be exploited on restricted 
accessable ios devices to the main account holder inbox. The issue could be used as well to continue the calender spam activities. 

We identified as well an attack vector against the management application of the itunes service with persistent vector. The test 
payload executes on preview of the content within the backend management module of the new-itunes web-server.

The client policy allows to execute scripts of the original sever with certificate. Thus allows to perform a malicious request 
outside the basic client conditions to provoke a direct execution in the ios mail client. The problem is in connection to the 
basic client delivery policy of original owner email with certificate. Therefore we suggest to remove the service because the 
management is processed by an external service provider.

By saving another unverified email to the input the device can be shutdown and then opened to perform the itunes request.
Another attack vector for us was an already smuggeled payload in the database with old name input conditions. The last 
case of attack was basically performed through a non icloud conneced account with malicious devicename parameter.

The security risk of the persistent input validation and mail encoding web vulnerability is estimated as high with a cvss 
(common vulnerability scoring system) count of 4.4. Exploitation of the persistent input validation and mail encoding web 
vulnerability requires a low privilege apple (appstore/itunes) account and low or medium user interaction. Exploitation of 
the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and 
persistent manipulation of affected or connected service module.

Vulnerable Module(s):
[+] Notify (New Function)

Vulnerable Paramter(s):
[+] firstname & name

Affected Module(s):
[+] Outgoing Service Notify Email Body

Affected Sender(s):
[+] do_not_reply@new.itunes.com


Proof of Concept:
=================
The persistent input validation and mail encode vulnerability can be exploited by remote attackers with low privilege 
user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


PoC: Payload(s)
>"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>


Manual steps to reproduce the vulnerability ... (via icloud on old entries)
1. First you need to have an exisiting account with a script code payload in the firstname and lastname
2. Login with the account and move into the idevice
3. Then open the itunes app or appstore app
4. Search for super mario run and the new notification button
5. Activate the activation button
Note: Now wait until the app is available because then you will receive a notify email with the name credentials
6. The email arrives to the inbox with manipulated credentials in the firstname and lastname of the email body introduction word "Hello"

Manual steps to reproduce the vulnerability ... (without icloud on new entries)
1. Change device name to a script code payload (exp ipad2)
2. Then move to the appstore or itunes app 
3. Search for super mario run and click to process the notification
4. In the moment the release becomes available an email will arrive with the values used by the device or account
5. The email arrives to the inbox with manipulated credentials in the firstname and lastname of the email body introduction word "Hello"

Note: The issue is similar to the already discovered itunes invoice vulnerbility exploited in 2015. The new.itunes.com service does 
not have the secure validation because it has implemented lately. Due to the taken values of the user account during the activate of 
the notify button the issue can be exploited. We prepared the exploitation already in september and got the confirm with the super 
mario run release in the eu around 15th.


PoC: Vulnerable Source (Email - New.iTunes)
<!-- end table containing Apple logo -->
<!-- begin table containing body copy -->
<table style="margin:0 auto" class="appl_100" width="600" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="appl_stack" valign="top" align="left">
<!-- begin table containing individual app -->
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="appl_app_txt" style="padding-bottom:14px;" align="left">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,
sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
Hallo &gt;"<iframe src="evil.source" onload="alert(&quot;ITUNESHACKWITHMARIO&quot;)">,
</div></td></tr>
<tr><td align="left" class="appl_app_txt" style="padding-bottom:14px;">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,
sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
du wolltest benachrichtigt werden, wenn es soweit ist &ndash; &bdquo;Super Mario Run&ldquo; von Nintendo 
ist jetzt erh&auml;ltlich. Du kannst das Spiel im App Store 
auf deinem iPhone oder iPad laden.&nbsp;
<br/><br/>
<a href="http://new.itunes.com/r?v=2&la=de&lc=de&a=FOqorWUXVdIQSl%2BmwRhvEMkn5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=aI6r3a7q6p" 
style="color:#0088cc" class="appl-link">Jetzt laden</a>
<BR><BR>
Beste Gr&uuml;&szlig;e<br/>
Das App Store-Team


Vulnerable Email (Header)
Return-Path: <donotrep_nt_bounces@new.itunes.com>
------=_Part_10460774_1004383268.1481850993725
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hallo >"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>,
du wolltest benachrichtigt werden, wenn es soweit ist =E2=80=93 =E2=80=9ESu=
per Mario Run=E2=80=9C von Nintendo ist jetzt erh=C3=A4ltlich. Du kannst da=
s Spiel im App Store auf deinem iPhone oder iPad laden.=C2=A0

Jetzt laden
http://new.itunes.com/r?v=3D2&la=3Dde&lc=3Dde&a=3DFOqorWUXVdIQSl%2BmwRhvEMk=
n5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=3DaI6y6a2j9C

Beste Gr=C3=BC=C3=9Fe
Das App Store-Team


Reference(s):
https://itunes.apple.com/us/app/super-mario-run/id1145275343


Solution:
=========
The vulnerability can be patched by the following solution steps ...
1. Disallow the usage of special chars for the name variable (firstname) to prevent the injection point.
2. Parse in the @new.itunes.com sender the outgoing name values to prevent the execution point.
3. Use only the icloud credentials were a secure protection on input has implemented during the time.
4. The issue in the backend needs to be resolved separatly because of different execution points in the user management section.


Note: Apple announced 2017-01-18 to remove the full application and functionality.


Risk:
=====
The security risk of the persistent input validation web vulnerability, filter bypass bug and malformed mail issue in the 
apple notify function and new itunes web-server is estimated as medium. (CVSS 4.4)


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™