Document Title:
===============
Apple iOS 6.1.2 10B146 - Pass Code Bypass Vulnerability 3

Date:
=====
2013-03-02

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=891 (Advisory)
http://www.vulnerability-lab.com/get_content.php?id=893 (Video)

VL-ID:
=====
891

Common Vulnerability Scoring System:
====================================
6.6

Introduction:
=============
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple's App Store contained more than 700,000 iOS applications, which had collectively been downloaded more than 30 billion times. iOS had a 14.9% share of the smartphone operating system units shipped in the third quarter of 2012, behind only Google's Android. In June 2012 it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). By mid-2012, 410 million devices had been activated; according to the special media event held by Apple on September 12, 2012, 400 million devices had been sold through June 2012.

The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating it in three dimensions (one common result is switching from portrait to landscape mode).
iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple's mobile version of the OS X operating system used on Apple computers. In iOS there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. The current version of the operating system (iOS 6.1.2) dedicates 1-1.5 GB of the device's flash memory to the system partition, using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on the iPhone, Apple TV, iPod Touch, and iPad.

(Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a passcode bypass vulnerability in the official Apple iPhone 5 running iOS v6.1 (10B143) and v6.1.2 (10B146).

Report-Timeline:
================
2013-03-03: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple
Product: iOS v6.1.2 (10B146)

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A passcode (codelock) bypass vulnerability has been discovered in the Apple iPhone 5 running iOS v6.0.1, v6.1, v6.1.2 and v6.1.3 Beta. The vulnerability allows a local attacker with physical access to the device to bypass the passcode authentication of the iPhone 5.

The vulnerability is located in the camera and emergency call functions, which remain reachable from the lock screen. Starting from the locked phone, the attacker uses Siri to set a timer and then combines the timer notification, the power-off slider and the emergency call screen so that the lock screen is dismissed without the passcode ever being entered. The attack therefore depends on Siri being usable while the device is locked; the timer notification is the only element that can be pushed on top of the power-off screen from the restricted lock-screen modules. Once the bypass succeeds, the attacker can connect the device over USB and sync with or read it through iTunes.

The vulnerability can be exploited by a local attacker with physical access to the device; no privileged iOS account and no interaction by the device owner are required. Successful exploitation results in unauthorized device access, unauthorized iTunes configuration and sync, and information disclosure.
Vulnerable OS:
[+] Apple iOS 6.0.1, 6.1, 6.1.2 & 6.1.3 Beta

Vulnerable Module(s):
[+] Camera
[+] Emergency Call

Used Function(s):
[+] Power (Sleep/Wake, standby) button
[+] Home button (the square button below the display)
[+] Emergency call button

Affected Module(s):
[+] Passcode Auth - Device Login (iPhone 5)

Proof of Concept:
=================
The iOS passcode bypass vulnerability can be exploited by local attackers with physical access to the iPhone in two ways, without any interaction by the device owner. For security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce ... (Fast) #3.1

1. Open Siri on the locked phone by holding the Home button for 2-3 seconds.
2. Ask Siri to set a timer for 10 or 20 seconds ("Timer 10 seconds" / "Timer 20 seconds").
3. Lock the phone with the timer running by pressing the power button (top right).
4. With about 4 seconds left on the timer, wake the phone, open the passcode screen and hold the power button for the last 3 seconds.
5. In the last second, press the emergency call button.
6. The emergency dial pad opens; the power-off slider appears together with the Siri timer notification.
7. The timer notification is displayed on top of the power-off screen, but the status bar is already black.
8. Press only the Home button: the status bar turns blue again, the power-off slider disappears and the notification stays unconfirmed.
9. The passcode protection is now bypassed; connect the phone over USB to access its data or sync it via iTunes.
10. Successfully reproduced!
Note (timer countdown for #3.1):
Second 04 - Wake the phone, open the passcode screen and start holding the power button for the last 3 seconds
Second 03 - Keep holding the power button
Second 01 - Switch to the emergency dial pad, keep holding the power button
Second 00 - The power-off slider appears with the timer notification on top of it, keep holding the power button
Second -1 - Press the Home button and release the power button

Manual steps to reproduce ... (Slow) #3.2

... (1.-4.) as in #3.1
5. The phone shuts down after the power button is held, then restart it.
6. After the restart the timer rings immediately, because the timer notification was saved before the shutdown.
7. Hold the power button for 3 seconds and slowly press the emergency call button.
8. The emergency dial pad opens; the power-off slider appears together with the saved Siri timer notification.
9. The timer notification is displayed on top of the power-off menu, but the status bar is already black.
10. Press only the Home button: the status bar turns blue again, the power-off slider disappears and the notification stays unconfirmed.
11. The passcode protection is now bypassed; connect the phone over USB to access its data or sync it via iTunes.
12. Successfully reproduced!

The timer popup that has to be combined with the power-off slider only appears on a locked iPhone in the emergency call screen or in the camera module, which is reachable from the lock screen. All other sections are not accessible without the passcode and do not surface the notification from the Siri timer. The emergency call screen lets you reproduce the bug with a visible effect; in the camera module you have to work blind, because the status bar is not shown there.

Risk:
=====
The security risk of the local passcode (PIN lock) bypass vulnerability in iOS v6.1.2 (10B146) and iOS v6.0.1 is estimated as high.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses or policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:  admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:  dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]