Document Title: =============== Apple iOS 10.1 - Multiple Access Permission Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2012 Apple Security ID: 648680301 Video1: https://www.youtube.com/watch?v=fY2Obtxk_Dg Video2: https://www.youtube.com/watch?v=46CHjQxkKxk Release Date: ============= 2016-11-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2012 Common Vulnerability Scoring System: ==================================== 6.3 Product & Service Introduction: =============================== iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod touch. (Copy of the Homepage: https://en.wikipedia.org/wiki/IOS ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local passcode bypass via access permission vulnerability in the official Apple iOS v10.1 for iphones and ipads. Vulnerability Disclosure Timeline: ================================== 1.1 2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2016-10-01: Vendor Notification (Apple Prodct Security Team) 2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team) 2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team) 2016-**-**: Security Acknowledgements (Apple Prodct Security Team) 2016-11-16: Public Disclosure (Vulnerability Laboratory) 1.2 2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2016-10-01: Vendor Notification (Apple Prodct Security Team) 2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team) 2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team) 2016-**-**: Security Acknowledgements (Apple Prodct Security Team) 2016-11-16: Public Disclosure (Vulnerability Laboratory) 1.3 2016-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2016-09-07: Vendor Notification (Apple Prodct Security Team) 2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team) 2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team) 2016-**-**: Security Acknowledgements (Apple Prodct Security Team) 2016-11-16: Public Disclosure (Vulnerability Laboratory) 1.4 2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2016-10-01: Vendor Notification (Apple Prodct Security Team) 2016-11-15: Vendor Response/Feedback (Apple Prodct Security Team) 2016-**-**: Vendor Fix/Patch (Apple Prodct Security Team) 2016-**-**: Security Acknowledgements (Apple Prodct Security Team) 2016-11-16: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple Product: iOS 10.0 & 10.1 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A local passcode bypass via access permission vulnerability in the official Apple iOS v10.1 for iphones and ipads. The ios access permision vulnerability allows a local attacker to unauthorized access the internal device data. The same type of issue has been detected multiple times within the new update version 10.0 and the followup 10.1. To explain the different type of issues we splitted the information into 3 different parts. 1. Dictation to Share Access Permission via incompatible Device The vulnerability is located after installtion of the ios 10.x version to the incompatible apple ipad2 device. The website of the apple site showed us that imcompatible devices can cause on usage in unexpected behavoir, so we decided to install the version to one of our test environment devices. After the installation we have noticed that the dictionary function became available ahead to the desk. In our testings we used the function to trigger a glitch on accessing the more information button in the locked device mode. After processing the interaction manually in a loop, we was able to get ahead the passcode screen area a push magnifying glass preview. Watching the bug displayed information of a restricted area that is located in `Device - Siri - About Sir & Data Security to Privacy`. Now i moved to the link by searching blind the location and pushed twice to receive the input menu bar like when marking a text. People that are aware of ios know that these function allows several options depending on the input and connected function. Now an attacker can use the share function that became visible ahead during the passcode lock screen via glitch and pushs the share button. Now the email opens. Then the attacker marks the email of the contact and pushs twice the contact plus a keyboard letter of an exisiting contact. Now the contact comes ahead, click the info button and move to the profil location. Add the information to a new contact, then press the image button and now the attacker is able to access the photo album of the device without any restrictions. Attackers can use an incompatible device to a specific version that runs on the hardware to bypass. After that they can process a backup to move the data back to the compatible device. It is very important to say that the location of the site module is behind the protected layer of the passcode. All abilities are granted at that point to move to different important device functions or locations. The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the local device vulnerability requires physical device access without privileged device user account. Successful exploitation of the local access permission vulnerability results in information leaking and apple device compromise by malicious interaction. 2. Voice Over Call to Contact Access Permission Vulnerability - Access Permission via compatible Device In the second test reported to he issue within august to september, we noticed another access permission issue that came across because of the voice over function and another unrecognized issue by the apple developer team. Our story starts when we was processing to bypass again the passcode screen for the apple product security team to discover a new vulnerability in the bug bounty program. After using the function in combination with siri there was an ability to trigger a glitch, that allows to freeze the contact list. During the investigation the the glitch made information of contacts available. Normally thus is not an evil behavoir, when having siri activated. You ever have the ability as user to call or write a specific contact a message as far as you know the same and contact. In some cases the siri also shows some small information about the call number but all so far okey. So we added to one of our contact another information, then the phone number plus address and identified that when we reproduce the glitch that like in the normal search listing of the phone app, the information becomes visible. The difference between was that ago there was no information button next to the account listed after saving for example an email or skype. We reproduced the the contact issue by activating and deactivating the voice over function via siri and pushed directly in the visible list the information button. Now, the contact of the letter you press opens and the attacker can move to edit. By pushing the picture the attacker is able to access unauthorized the album of the device without restriction. By pushing the contact button or email, the attacker is able to write or interaction to compromise. On both issues all abilities are granted at that point to move to different important device functions or locations. We figured out that when you process to push the cloud button on share that the mobile will move to a black screen mode, for luck we was not able like in 2012/2013 accessing the data via usb connection. The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.3. Exploitation of the local device vulnerability requires physical device access without privileged device user account. Successful exploitation of the local access permission vulnerability results in information leaking and apple device compromise by malicious interaction. 3. Facetime Call to non-exisiting Contact Acces Permission Vulnerability via compatible Device Due to the last updates to ios 10.0 and 10.1 there are some new features. When you process to say to siri `Hi Siri call George via Facetime` ... Siri will answer `I can't call the user`. Now you say again `call George via Facetime`. Next to that push and hold the middle of the display ... now a second button under the first siri call becomes visible with the already well known `Others` function. Push the button and the contact list opens. In that modus it is not possible to move inside the contacts because they are grey, but you can preview all the names and use the search as well. A full escalte is at that point not possible. The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2. Exploitation of the local device vulnerability requires physical device access without privileged device user account. Successful exploitation of the local access permission vulnerability results in information leaking and apple device compromise by malicious interaction. 4. Voice Over to Contacts & Characters Memory Issue - Access Permission Vulnerability On investigation with the 2. vulnerability we identified another very strange vulnerability. When processing to request via Voice Over permanently the contact list by usage of a glitch, it can happen that the device is that irritated that is shows you some really private information. Within the last year i deleted several of my old contacts because of they did switch to another numbers, during the investigate my employee was all time seeing me reproduce the issue and asked me one time ... have you not deleted those accounts about 1 year ago permanently. I was watching into the sim contacts, the phone contacts and checked as well the icloud sync. At that moment we came to that point, were we was reading sensitive device information that stores in the cloud as well all the deleted entries. The problem occurs mainly when process to push `.` or `space`button with a contact list glitch on voice over. In the most cases the information shows you the context that is illegal requested in the formular search entry but in case of our issue the device shows permanently deleted account information of the cloud that should not be stored anymore at all. So even if you remove the data of icloud, your deviceand the sim. However it is not clear why the information is accessable on usage of the glitch. The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 5.8. Exploitation of the local device vulnerability requires physical device access without privileged device user account. Successful exploitation of the local access permission vulnerability results in information leaking of permanently deleted contact information. Proof of Concept (PoC): ======================= 1.1 The local vulnerability can be exploited by attackers with physical device access and without user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the new iOS update to version 10 of apple 2. Push the home button to get light on the screen 3. Push the dictation function on top next to the search 4. Then a message box appears with 3 different options 5. Click the middle option to receive more information (Mehr Infos) Note: Basically the data security police is only available after include of the active passcode or fingerprint 6. Do the procedure twice again by pushing option 2 7. Push the home button and then push after it by leaving the home button the power button Note: The light goes off you are ahead to the locked home screen 8. In the next step the local attacker pushs the home button twice to receive ahead to the visible slides the passcode layer 9. Now you can push anywhere inside the passcode form to watch the document thats behind the passcode of the dictation module in the keyboard settings Note: You can now mark the text with an iphone plus or an iphone 7 and get the text highlighting options 10. Push the and hold to get the menu inside of the text 11. Now the attacker uses the Copy, Lookup (Nachschlagen) or Shares (Freigaben) functions to shimmy through the layer function 12. Successful reproduce of the local issue! Note: The mask behind the dictation function becomes normally only visible by an auth because of the protected layer. The menu functions like, copy, share and lookup are normally as well not available at thus layer without authentication. The glitch affects as well the passcode layer in the home screen in case of collision handling. 1.2 The local vulnerability can be exploited by attackers with physical device access and without user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the new iOS update to version 10 of apple 2. Lock the device 3. Now make a call to your test device within the locked mode 4. Select on arrival of the call the customized answer via message button 5. Push the home button and say "Activate Voice Over" Note: Now the voice over function uses the ui to perform to open on push 6. Push with one button on top twice the name of the contact to message and then press directly after it a character like A 7. A glitch happens and the contact list becomes available. Now process that again since you find a visit card contact with email or skype Note: Behind the contact is an Information button to the profile of the old iOS version 9.x 9. Push that button Note: Now the profile opens 10. Push to edit and then push the picture of the profile to set 11. Now you are inside the album and can move to share for further compromise via email or apps 12. Successful reproduce of the second local access permission vulnerability! 1.3 The local vulnerability can be exploited by attackers with physical device access and without user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the new iOS update to version 10 of apple 2. Lock the device 3. Now push and hold the home button for siri 4. "Call George via Facetime" 5. "George does not exisit" Note: Now a button appears with as option 6. Push the button and process the same twice again 7. After the thrid time push the button "Others" that appears twice at least and hold the siri button Note: A glitch appears that moves the button to a grey template 8. Push the button again with the grey element and the contact list opens without access permission 9. Successful reproduce of the third local access permission vulnerability! 1.4 The local vulnerability can be exploited by attackers with physical device access and without user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the new iOS update to version 10 of apple 2. Lock the device 3. Now make a call to your test device within the locked mode 4. Select on arrival of the call the customized answer via message button 5. Push the home button and say "Activate Voice Over" Note: Now the voice over function uses the ui to perform to open on push 6. Push with one button on top twice the name of the contact to message and then press directly after it a character . with Siri via Home 7. Now a smart green contact list appears with blue tags showing all permanently deleted accounts sorted Note: The data displayed comes of the internal memory storage without authentication 9. Successful reproduce of the fourth local vulnerability! Solution - Fix & Patch: ======================= The following steps are a temp solution to resolve the vulnerabilities manually. 1. Deactivate siri application 2. Deactivate the dictation application 3. Disable the app access in the locked device mode 4. Deactivate the voice over function in the device settings 5. Deactivate facetime calls within the locked mode 6. Deactivate the message arrival answer 6. Now, wait for the next updates of ios that resolve the issues permanently! Security Risk: ============== 1.1 The security risk of the first access permission vulnerability in the apple ios device is estimated as high. (cvss 6.3) 1.2 The security risk of the second access permission vulnerability in the apple ios device is estimated as high. (cvss 6.1) 1.3 The security risk of the third access permission vulnerability in the apple ios device is estimated as medium. (cvss 4.2) 1.4 The security risk of the fourth vulnerability in the apple ios device is estimated as high. (cvss 5.8) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™