Document Title: =============== Apple iOS v12.1.1 - Combo Passcode Bypass Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2162 Video: https://www.vulnerability-lab.com/get_content.php?id=2169 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2018/12/24/apple-ios-120-1211-passcode-bypass-vulnerability Release Date: ============= 2018-12-24 Vulnerability Laboratory ID (VL-ID): ==================================== 2162 Common Vulnerability Scoring System: ==================================== 6.3 Vulnerability Class: ==================== Authentication Bypass Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local pin passcode bypass vulnerability in the official apple ios v12.0, 12.1 & 12.1.1. Vulnerability Disclosure Timeline: ================================== 2018-10-22: Researcher Notification & Coordination (Security Researcher) 2018-11-01: Vendor Notification (Security Department) 2018-11-12: Vendor Response/Feedback #1 (Security Department) - Not able to reproduce 2018-12-15: Vendor Response/Feedback #2 (Security Department) - Not able to reproduce 2018-**-**: Vendor Fix/Patch (Service Developer Team) 2018-**-**: Security Acknowledgements (Security Department) 2018-12-24: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple Product: iOS 11.x, 12.0, 12.0.1 & 12.1 Exploitation Technique: ======================= Local Severity Level: =============== Medium Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ An access permission vulnerability and glitch issue has been discovered in the official apple ios v12.0, 12.1 & 12.1.1. The issue allows a local attacker to bypass the apple ios passcode function to access or compromise the device. The access permission vulnerability is located in the message menu to answer custom messages in combination with the available default app functions of the ios device. The issue allows to combine different methods used to access and edit photos in the restricted mode. Using a hidden menu in combination with a glitch allows local attackers to access sensitive idevice data like contacts, the pictures library or default applications. The issue bypassed with the default permissions and the basic security protection of the newst 12.1.1 ios devices. The problem is located when processing the permissions when editing and writing images during the usage of siri and custom sms answer. The security risk of the local bypass by an access permission vulnerability is estimated as high with a cvss count of 6.3. Exploitation of the apple ios access permission vulnerability requires restricted physical device access without user interaction. Successful exploitation of the local vulnerability results in an authentication bypass and unauthorized idevice access to contact list, photo library and default apps. Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers with restricted physical device access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Requirement(s): [+] Default setup idevice with iOS v12.0, v12.1 & v12.1.1 Manual Description: 1. Call the the iphone by another phone Note: In case you do not know the number ask for it by siri (who i am) 2. Answer with a custom message on call 3. Write a short text inside the message box 4. Activate voiceover by siri 5. Make a screenshot Note: When the screenshot is done it will be displayed for a short time on the left buttom 6. Twice push on the screenshot and hold with the last push the position on the touch screen 7. Then click on the plus on the right buttom and open to signature 8. Now push on the right buttom above the plus and switch with the finger all time to the right side of the display Note: The message menu will be accessed by now in the background and there will be several functions available 9. Scale the picture to a small size 10. Move by switching with the finger to the name or the + / plus button 11. Now push the home button to activate siri and save the screenshot with the signature / edit mode 12. Now the contacts page is available without pin authentication by pushing twice the screenshot Note: From there the attacher can move to different other functions mail, contacts, pictures and other functions 13. From outside the attacker can then access the contacts list by a screenshot and then double push on the image at left buttom Video & Picture Description: The video shows the access to the contacts list from outside by usage of the screenshot function. The requirements are siri, voiceover, sms answer (custom), screenshot edit function, signature menu and a camera app part as default setup. We can confirm the issue for the newst ios 12.0, 12.1 and 12.1.1 version after patch. We tested with iphone 6s and iphone 7 and no default setting has been modified. The video shows clearly the impact of the problematic in best quality. PoC: https://www.youtube.com/watch?v=3jKMbdBo4kc Solution - Fix & Patch: ======================= 1. Disable siri and hey siri in the lock screen 2. Disable in the lock settings the custom sms answer on calls 3. Deactivate the voiceover function Note: Apple product security team was not able to reproduce the vulnerability with demo videos, mailing, images and manual description. Since users as end customers need to be informed about the risk of the unresolved vulnerability, we have now published the vulnerability. Security Risk: ============== The security risk of the local passcode bypass vulnerability in the newst ios 12.1.1 devices is estimated as high. Credits & Authors: ================== Benjamin K.M. [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™