Message-Id: <942022B5-291A-4E9D-A22E-9F8C56DD49F1@dasnet.org>
Date: Mon, 10 Mar 2014 13:28:31 -0400
From: David Schuetz <david@...net.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Apple TV log file password disclosure


   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

                    Intrepidus Group Security Advisory 
                    http://www.intrepidusgroup.com

   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Title:              Apple TV Touch Setup Wi-Fi and iTunes Password Disclosure
Release Date:       10 March 2014
Discoverer:         David Schuetz <david.schuetz@...repidusgroup.com>
Vendor:             Apple
Vendor Reference:   http://support.apple.com/kb/HT1222
CVE Reference:      CVE-2014-1279
Systems Affected:   Apple TV (3rd generation) running ATV 6.0 - 6.0.2 
Risk:               Medium
Status:             Published


Timeline
--------
Discovered:         10 October 2013
Reported:           8 November 2013
Fixed:              10 March 2014
Published:          10 March 2014


Summary
--------
The release of Apple TV version 6.0, based on iOS 7.0, introduced a new 
convenience feature for the setup of new Apple TV units, colloquially
referred to as "Touch Setup." 

This feature permits a user with a mobile iOS device, such as an iPhone, to 
use Bluetooth Low Energy (BTLE) to transfer certain configuration information
to a newly-activated Apple TV system, including iTunes Store ID and password, 
and Wi-Fi SSID and password.

An issue exists where detailed logging is enabled in the Apple TV.app binary,
resulting in detailed packet data being dumped to the Apple TV log. This data 
includes hexadecimal representations of the configuration information 
transferred from the mobile device to the Apple TV, including AppleID and 
Wi-Fi passwords passed in cleartext.

An attacker with access to an Apple TV may be able to recover this data from 
the system log, if it has been stored on the Apple TV. 


Details
-------
Apple TV applications may save certain logging and debugging information to 
the system using NSLog() and similar mechanisms. The logs may be viewed by 
attaching the Apple TV unit to an OS X system via a micro-USB cable, and 
using an application such as the Xcode Organizer or iPhone Configuration 
Utility. 

In general, these log entries are ephemeral; however, certain log data on
the Apple TV (and on iOS devices in general) are retained to some degree 
on the device filesystem and may thus be available for viewing at a later 
date.  At this time, it is not clear whether the Touch Setup logs are 
retained on the Apple TV or mobile iOS device after completion of the setup 
process.

The Apple TV app (as well as the touchsetupd daemon on the mobile iOS device)
writes detailed descriptions of the data sent and received during the Touch
Setup process to the log. 

In the case of the mobile iOS device, this data is encrypted using
a key exchanged between the two devices. However, it may be possible that
enough information is leaked in these debug messages (or other related log
entries) that an attacker may recover the session key and thus decrypt the
entire conversation.

In the case of the Apple TV unit, the data are generally written to the log 
two or even three times: First, the raw encrypted data as received from the 
mobile device, then the decrypted, yet compressed, plaintext of that data, 
and then finally the uncompressed data itself.

The decompressed data containing configuration information required to 
complete the Touch Setup process is provided as a binary property list 
(plist). The plist contains, among other data, the following information:

AppleID (iTunes account) information:
  * First Name
  * Last Name
  * AppleID (email address)
  * Password

Local Wi-Fi information:
  * SSID
  * Password


Steps to Reproduce
------------------
To demonstrate this vulnerability, the following hardware will be required:

1. Apple TV (3rd generation) running Apple TV system version 6.0 through 6.0.2 
2. A "recent" mobile iOS device such as iPhone 4S or later (see Systems 
   Affected for full list), running iOS version 7.0 or later
3. A system running OS X, with Xcode installed
4. A display connected to the Apple TV via HDMI
5. A micro-USB cable connected to the Apple TV and ready to connect to a 
   system running OS X


The procedure is as follows:

1. Ensure the Apple TV is "factory fresh" either by acquiring a new, 
   shrink-wrapped unit, or using a full "factory reset" on an existing unit.

2. Connect the Apple TV to the display using HDMI

3. Connect the micro-USB cable to the Apple TV (it may be necessary to obtain
   a very low-profile connector, or to use a utility knife to shave the 
   micro-USB connector, in order to connect both the HDMI and USB connectors 
   simultaneously). DO NOT connect the cable to the OS X machine at this point.

4. Ensure the mobile iOS device has Bluetooth enabled and is logged in to the
   local Wi-Fi network (following Apple's instructions: 
   http://support.apple.com/kb/HT5900)

5. Launch Xcode on the OS X system, and open the Xcode organizer.

6. Reboot the Apple TV by removing and re-inserting the power cable. Once the 
   Apple logo has appeared (or shortly thereafter) connect the micro-USB 
   cable to the OS X system.

7. In Xcode organizer, select the Apple TV device and view its Console log. It
   may be desirable to connect the mobile iOS device via another cable to 
   capture its log as well.

8. When the Apple TV has reached the language selection screen, follow the
   instructions to complete the Touch Setup process.

9. Save the Apple TV log data to a text file.

10. Search the log file for data similar to the following:

    Oct 10 15:48:07 Apple-TV Apple TV[24] <Warning>: [TRDeviceSetupServer] 
    Decompressed data: <62706c69 73743030 d2010203 04516151 70557365 747570d9 
    05060708 090a0b0c ....

11. Select the hexadecimal data (between the <> marks on that log entry) and
    convert to a binary file.

12. View that file using a plist editor. For example, 

    plutil -convert json -r <filename> -o -

13. The data recovered should look something like this: [keys and other
    data which may be unique or private have been redacted here]

{
  "a" : "setup",
  "p" : {
    "au" : {
      "h" : {
        "x-apple-orig-url" : "https:\/\/p44-buy.itunes.apple.com\/WebObjects\/MZFinance.woa\/wa\/authenticate",
        "edge-control" : "no-store, cache-maxage=0",
        "x-set-apple-store-front" : "143441-1,19",
        "Expires" : "Thu, 10 Oct 2013 22:47:49 GMT",
        "apple-timing-app" : "402 ms",
        "pod" : "44",
        "Cache-Control" : "private, no-cache, no-store, no-transform, must-revalidate, max-age=0",
        "x-apple-lokamai-no-cache" : "true",
        "Content-Type" : "text\/xml; charset=UTF-8",
        "x-apple-translated-wo-url" : "\/WebObjects\/MZFinance.woa\/wa\/authenticate",
        "x-apple-jingle-correlation-key" : "--redacted--",
        "Content-Encoding" : "gzip",
        "x-apple-date-generated" : "Thu, 10 Oct 2013 22:47:48 GMT",
        "x-apple-application-site" : "ST13",
        "x-apple-application-instance" : "440051",
        "x-apple-asset-version" : "0",
        "Date" : "Thu, 10 Oct 2013 22:47:49 GMT",
        "Set-Cookie" : "X-Dsid=--redacted--; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, TrPod=3; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, isPpuOptOut=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.apple.com, hsaccnt=1; version=\"1\"; path=\/WebObjects; domain=.apple.com, mz_at0---redacted--=--redacted--; version=\"1\"; expires=Wed, 30-Sep-2015 22:47:49 GMT; path=\/; domain=.apple.com, mz_at_ssl---redacted--=--redacted--; version=\"1\"; expires=Sat, 10-Oct-2015 22:47:49 GMT; path=\/; domain=.apple.com; secure, Pod=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com; secure, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com; secure, Pod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, itspod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, mzf_in=440051; version=\"1\"; path=\/WebObjects; domain=.apple.com; secure, mzf_odc=ST1; version=\"1\"; expires=Thu, 10-Oct-2013 23:17:49 GMT; path=\/WebObjects; domain=.apple.com, mzf_dr=0; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/WebObjects; domain=.apple.com, ns-mzf-inst=179-11-80-157-121-8031-440051-44-st13; version=1; Max-Age=1800; path=\/; domain=.apple.com; httponly",
        "x-webobjects-loadaverage" : "23",
        "x-apple-request-store-front" : "143441-1,19 t:6",
        "Content-Length" : "522",
        "itspod" : "44"
      },
      "b" : {
        "status" : 0,
        "password" : "--redacted--",
        "m-allowed" : true,
        "creditBalance" : "1311811",
        "freeSongBalance" : "1311811",
        "clearToken" : "--redacted--",
        "is-cloud-enabled" : "true",
        "passwordToken" : "--redacted--",
        "dsPersonId" : "--redacted--",
        "creditDisplay" : "",
        "accountInfo" : {
          "address" : {
            "firstName" : "David",
            "lastName" : "Schuetz"
          },
          "accountKind" : "0",
          "appleId" : "--redacted--"
        }
      }
    },
    "np" : "--redacted--",
    "c" : "US",
    "l" : "en",
    "ns" : "--redacted--",
    "ha" : "--redacted--",
    "rp" : true,
    "hg" : "00000000-0353-d139-58e8-619c235c480b",
    "di" : true
  }
}
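The log mining of steps 10 through 13, as an added Python example that is not part of the advisory: it scans a saved Console log for "Decompressed data:" dumps, decodes any binary plist it finds, and reports only the key paths of credential-bearing fields, so an auditor can confirm a leak without re-exposing the secrets. The sample log line and plist are constructed; the key names checked are the ones the advisory shows redacted.

```python
import plistlib
import re

# Log line shape from the advisory: "... Decompressed data: <62706c69 7374 ...>"
# The closing ">" is optional so a dump truncated by the log viewer is still picked up.
HEX_BLOB = re.compile(r"Decompressed data: <([0-9a-fA-F ]+)>?")
# Field names the advisory redacts in the recovered plist (all under "p"/"au"/"b").
SENSITIVE_KEYS = {"password", "passwordtoken", "cleartoken"}


def extract_blobs(log_text):
    """Return the raw bytes of every hex-dumped blob found in the log text."""
    blobs = []
    for m in HEX_BLOB.finditer(log_text):
        hexdigits = m.group(1).replace(" ", "")
        hexdigits = hexdigits[: len(hexdigits) & ~1]  # drop a dangling nibble from a truncated dump
        blobs.append(bytes.fromhex(hexdigits))
    return blobs


def find_sensitive_keys(obj, path=""):
    """Walk a decoded plist and return the paths of non-empty credential-bearing keys."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}/{k}"
            if str(k).lower() in SENSITIVE_KEYS and v not in ("", None):
                hits.append(p)
            hits.extend(find_sensitive_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits


def audit_log(log_text):
    """One list of sensitive key paths per binary plist dumped into the log; values are never returned."""
    report = []
    for blob in extract_blobs(log_text):
        if not blob.startswith(b"bplist00"):  # binary plist magic, as in the advisory's hex dump
            continue
        try:
            data = plistlib.loads(blob, fmt=plistlib.FMT_BINARY)
        except Exception:  # truncated or otherwise undecodable dump
            continue
        report.append(find_sensitive_keys(data))
    return report


# Constructed sample: a binary plist mirroring the advisory's structure, dumped the way the log does it.
_SAMPLE_PLIST = plistlib.dumps(
    {"a": "setup", "p": {"au": {"b": {"password": "hunter2", "appleId": "user@example.com"}}}},
    fmt=plistlib.FMT_BINARY)
_HEX = _SAMPLE_PLIST.hex()
SAMPLE_LOG = ("Oct 10 15:48:07 Apple-TV Apple TV[24] <Warning>: [TRDeviceSetupServer] Decompressed data: <"
              + " ".join(_HEX[i:i + 8] for i in range(0, len(_HEX), 8)) + ">\n")

if __name__ == "__main__":
    for paths in audit_log(SAMPLE_LOG):
        print("credential-bearing keys found:", paths)
```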


Fix Information
----------------
A review of the affected binaries using IDA Pro indicates that these debug
statements are hard-coded into the system. It may be possible for Apple to
remotely change the "DEBUG LEVEL" at which the system is run, to prevent this
data from being logged; however, it is not clear whether that will be possible.

Even if the logs are remotely disabled, the capability remains, and may be
inadvertently or maliciously reactivated at a later date. It is expected that
a fix will only be available by completely removing the logging commands
from the binary and shipping a new release of the Apple TV software.

   -------------------------

After reviewing the vulnerability, the vendor responded that the issue would
be fixed in a future release of the Apple TV operating system. 

The vendor has indicated that the issue was fixed in Apple TV system 6.1
(based on iOS 7.1), released on 10 March 2014. A review of the affected 
binaries in a pre-release version of 6.1 has indicated that the data is no 
longer written to the log. 


###

