[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <98A4543F-DBE4-4E9C-8294-5945CF19A32F@adap.org>
Date: Mon, 7 Mar 2016 09:26:58 -0500
From: Edsel Adap <edsel@...p.org>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: bugtraq@...urityfocus.com, bugs@...uritytracker.com
Subject: Re: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
This is not reproducible. I tried it on several iPhones. I believe the user in the video is unlocking the phone via touch ID, hence “bypassing” the lock screen. In my tests, Siri responds with “You must unlock your iPhone first”.
> On 03-07-2016, at 3:52 AM, Vulnerability Lab <research@...nerability-lab.com> wrote:
>
> Document Title:
> ===============
> Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1778
>
> Video: http://www.vulnerability-lab.com/get_content.php?id=1779
>
>
>
> Release Date:
> =============
> 2016-03-07
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1778
>
>
> Common Vulnerability Scoring System:
> ====================================
> 6.4
>
>
> Product & Service Introduction:
> ===============================
> iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the
> iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows
> Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012,
> Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.
> It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android.
>
> In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of
> 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million
> devices have beensold through June 2012.
>
> ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
>
>
> Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells
> consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet
> computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer software includes
> the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity
> suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud.
>
> (Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )
>
>
> Abstract Advisory Information:
> ==============================
> The vulnerability laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
> 2016-01-04: Vendor Notification (Apple Product Security Team)
> 2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
> 2016-**-**: Vendor Fix/Patch (Apple Developer Team)
> 2016-**-**: Security Acknowledgements (Apple Product Security Team)
> 2016-03-07: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Apple
> Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1
>
>
> Exploitation Technique:
> =======================
> Local
>
>
> Severity Level:
> ===============
> High
>
>
> Technical Details & Description:
> ================================
> An auth passcode bypass vulnerability has been discovered in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).
> The vulnerability typ allows an local attacker with physical device access to bypass the passcode protection mechanism of the Apple mobile iOS devices.
>
> The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calender & Siri User Interface.
> Local attackers can use siri, the event calender or the available clock module for an internal browser link request to the appstore that is able to
> bypass the customers passcode or fingerprint protection mechanism. The attacker can exploit the issue on several ways with siri, the events calender
> or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.
>
> 1.1
> In the first scenario the attacker requests for example via siri an non existing app, after that siri answers with an appstore link to search for it.
> Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is possible to unauthorized switch
> back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls is visible in the siri
> interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1
>
> 1.2
> In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The local attacker opens the app via
> siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple customers to buy more sounds for
> alerts and implemented a link. By pushing the link a restricted appstore browser window opens. At that point it is possible to unauthorized switch
> back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the
> Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s)
> with iOS v9.0, v9.1 & v9.2.1.
>
> 1.3
> In the third scenario the attacker opens via panel or by a siri request the clock app. After that he opens the internal world clock module. In the
> buttom right is a link to the weather channel that redirects to the store as far as its deactivated. By pushing the link a restricted appstore
> browser window opens. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or
> with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is
> limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is
> not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.
>
> 1.4
> In the fourth scenario the attacker opens via siri the 'App & Event Calender' panel. After that the attacker opens under the Tomorrow task the
> 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the weather app is deactivated on the
> Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back to the internal home screen
> by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the App & Events Calender panel.
> The vulnerability is exploitable in the Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.
>
> The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
> Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged ios device user account or low user interaction.
> Physical apple device access is required for successful exploitation. Successful exploitation of the vulnerability results in unauthorized
> device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app,
> mailbox, phone settings or access to other default/installed mobile apps.
>
>
> Vulnerable Module(s):
> [+] PassCode (Protection Mechanism)
>
>
> Affected Device(s):
> [+] iPhone (Models: 5, 5s, 6 & 6s)
> [+] iPad (Models: mini, 1 & 2)
>
> Affected OS Version(s):
> [+] iOS v9.0, v9.1 & v9.2.1
>
>
> Proof of Concept (PoC):
> =======================
> The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device access and without privileged or restricted device user account.
> For Security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
>
>
> 1.1
> Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link) iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> 3. Ask Siri to open a non existing App
> Note: "Open App Digital (Öffne App Digital)
> 4. Siri responds to the non existing app and asks to search in the appstore
> 5. Now, and "open App store" button becomes visible to push (do it!)
> 6. A new restricted browser window opens with the appstore buttom menu links
> 7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 8. Now choose the active front screen task
> 9. Successful reproduce of the passcode protection bypass vulnerability!
>
>
> 1.2
> Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open World Clock" (Öffne App Weltuhr)
> 3. Push the 'Timer' module button on the buttom
> 4. Now, push the Radius or End Timer Button in the middle of the screen
> Note: A listing opens with the sounds collection and on top is a web link commercial
> 5. Push the button and a new restricted browser window opens with the appstore buttom menu links
> 6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 7. Now choose the active front screen task
> 8. Successful reproduce of the passcode protection bypass vulnerability!
> Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.
>
>
> 1.3
> Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link) iPad (Models: 1 & 2)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open App Clock" (Öffne App Uhr)
> 3. Switch in the buttom module menu to world clock
> Note: on the buttom right is an image of the weather channel llc network
> 4. Push the image of the weather channel llc company in the world map picture
> Note: Weather app needs to be deactivated by default
> 5. After pushing the button and a new restricted browser window opens with the appstore buttom menu links
> 6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 7. Now choose the active front screen task
> 8. Successful reproduce of the passcode protection bypass vulnerability!
> Note: The issue is limited to the iPad 1 & 2 because of the extended map template!
>
>
> 1.4
> Manual steps to reproduce the vulnerability ... (Events Calender App - Weather Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open Events/Calender App" (Öffne Events/Kalender App)
> 3.Now push on the buttom of the screen next to the Tomorrow(Morgen) module the 'Information of Weather Channel' link
> Note: Weather app needs to be deactivated by default
> 4.After pushing the button and a new restricted browser window opens with the appstore buttom menu links
> 5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 6. Now choose the active front screen task
> 7. Successful reproduce of the passcode protection bypass vulnerability!
>
>
> Video Demonstration: In the attached video demonstration we show how to bypass the passcode of the iphone 6s via the siri App Store- & timer Buy more Tones link.
> In the video we activated the passcode and setup to activate the control center by default to the locked mobile front screen. Siri was activated as well by default.
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerabilities can be temporarily patched by the end user by hardening of the device settings. Deactivate in the Settings menu the Siri module permanently.
> Deactivate also the Events Calender without passcode to disable the push function of the Weather Channel LLC link. Deactivate in the next step the public control
> panel with the timer and world clock to disarm exploitation. Aktivate the weather app settings to prevent the redirect when the module is disabled by default in
> the events calender. Finally apple needs to issue a patch as workaround for the issue but since this happens a temp solution has bin published as well.
>
>
> Security Risk:
> ==============
> The security risk of the passcode protection mechanism bypass vulnerabilities in the apple ipad and iphone mobile devices are estimated as high. (CVSS 6.4)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@...nerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
> including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
> including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
> of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
> limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
>
> Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact: admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
> Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
>
> Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
> redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
> its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
> authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@...nerability-lab.com) to get a ask permission.
>
> Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: research@...nerability-lab.com
>
--
Edsel Adap
edsel@...p.org
Powered by blists - more mailing lists