Message-ID: <wsDqJnjEbDZObdaDBCD071CCG1Zst3_g-hCIWkwXRfT2khobwMtG62mkzC_iRCdGDP5FIYqqY4bwCK-G43tJKuYDmmBbtYhDyW4YoysJnqI=@proton.me>
Date: Thu, 26 Jun 2025 06:11:49 +0000
From: josephgoyd via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5)

Title: iOS Activation Flaw Enables Pre-User Device Compromise
Reported to Apple: May 19, 2025
Reported to US-CERT: May 19, 2025
US-CERT Case #: VU#346053
Vendor Status: Silent
Public Disclosure: June 26, 2025

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------

A critical vulnerability exists in Apple’s iOS activation pipeline that allows remote XML payload injection *before* the user ever interacts with the device.

During factory setup, iPhones contact:

    https://humb.apple.com/humbug/baa

This provisioning endpoint returns unsigned `.plist` configuration payloads — accepted without cryptographic verification or source authentication. An attacker positioned on the network (or in any upstream infrastructure path) can inject arbitrary XML configuration data that SetupAssistant will silently process.

These changes persist through reboot and affect system trust, network behavior, and identity provisioning — *before any user touches the screen.*

------------------------------------------------------------------------
Context
------------------------------------------------------------------------

This disclosure is based on forensic reconstruction of a **real-world attack observed in the wild**. These files were extracted from a live device that exhibited compromise behavior during initial activation. The artifacts presented here are part of a post-event forensic reconstruction — **not simulated**, emulated, or crafted artificially.

The compromise occurred during normal SetupAssistant operation, with no jailbreak, developer tools, or device modifications present.

------------------------------------------------------------------------
Tested Device
------------------------------------------------------------------------

- iPhone running iOS 18.5 (latest as of June 2025)
- Restored to factory settings
- Activated using standard consumer setup flow
- No MDM enrollment or dev profile present

------------------------------------------------------------------------
Impact
------------------------------------------------------------------------

- Remote injection of provisioning configuration before user control
- Persistent `.plist` file modifications affecting:
  - Cloud identity frameworks
  - Trust and network defaults
  - Activation and Apple service behaviors
- System logs show `.plist` entries written and processed before setup
- **Other `.plist` files** can be similarly injected and silently applied
- All occurs pre-setup, pre-consent, and without user awareness

This undermines trust in the provisioning path for:

- Consumers
- Enterprises
- Regulated and government environments

Relevant regulatory exposure includes:

- GDPR / CCPA (privacy violations before consent)
- CMMC 2.0 / NIST 800-171 (loss of provisioning integrity)
- FedRAMP / FISMA (unauthenticated system configuration)

------------------------------------------------------------------------
Technical Summary
------------------------------------------------------------------------

- SetupAssistant connects to `humb.apple.com/humbug/baa` during activation
- This endpoint returns a `.plist` (XML) payload
- Payload is **not signed, not authenticated, and not verified**
- Device accepts and applies it as system configuration
- The following were observed:
  - `mobileactivationd.log`: full provisioning POST/response
  - `com.apple.bird.plist`: persisted identity config before user input
  - Other config files can be similarly injected and silently accepted

------------------------------------------------------------------------
Artifacts
------------------------------------------------------------------------

Attached:

1. `mobileactivationd.log` — provisioning session from activation
2. `com.apple.bird.plist` — identity-related configuration written pre-setup

These files are **unaltered and timestamped**, captured from a real device during activation after observed anomalous behavior.

------------------------------------------------------------------------
Recommendations
------------------------------------------------------------------------

- Enforce digital signature checks for activation payloads
- Require authentication and origin validation for provisioning endpoints
- Apply strict XML schema validation to all `.plist` responses
- Halt logging of identity-related configuration during SetupAssistant
- Release urgent patch (iOS 18.5.1) to harden client-side provisioning logic

------------------------------------------------------------------------
Timeline
------------------------------------------------------------------------

May 19, 2025   Reported to Apple and US-CERT
June 23, 2025  US-CERT opened case VU#346053
June 26, 2025  Public disclosure

------------------------------------------------------------------------
Researcher
------------------------------------------------------------------------

Joseph Raymond Goydish II

------------------------------------------------------------------------

Download attachment "mobileactivationd log .pdf" of type "application/pdf" (94412 bytes)
Download attachment "com.apple.bird.pdf" of type "application/pdf" (20679 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
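The Recommendations above ask for two client-side controls on provisioning responses: a signature check on the payload and strict schema validation of the `.plist` before it is applied. The block below is an added example, not code from the post and not Apple's provisioning client, showing what that gate looks like in Python's standard library. It is built on assumptions: HMAC-SHA256 under a pinned key stands in for the asymmetric signature a real vendor would use, and the schema keys (`ActivationState`, `CloudIdentityEnabled`, `TrustedHosts`) and all sample payloads are constructed for the example. Authentication runs on the raw bytes before any XML parsing, and any document with keys or types outside the allow-list is refused even when its tag is valid.

```python
import hashlib
import hmac
import plistlib
from xml.parsers.expat import ExpatError

# Constructed allow-list schema for a provisioning payload (key -> expected type).
# These key names are invented for the example; they are not Apple's real schema.
PROVISIONING_SCHEMA = {
    "ActivationState": str,
    "CloudIdentityEnabled": bool,
    "TrustedHosts": list,
}

# Assumption: the client ships with a pinned key for the provisioning server.
# Constructed value. A real deployment would pin a vendor public key and verify
# an asymmetric signature rather than a shared-secret HMAC.
PINNED_KEY = b"example-pinned-provisioning-key"


class RejectedPayload(Exception):
    """Raised when a provisioning payload must not be applied."""


def verify_tag(payload: bytes, tag: bytes, key: bytes) -> bool:
    """Authenticate the raw bytes before the XML parser ever sees them."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def validate_schema(doc: object, schema: dict) -> dict:
    """Accept only a dict with exactly the allowed keys and value types."""
    if not isinstance(doc, dict):
        raise RejectedPayload("top-level object must be a dict")
    unknown = set(doc) - set(schema)
    if unknown:
        raise RejectedPayload(f"unknown keys: {sorted(unknown)}")
    for key, expected_type in schema.items():
        if key not in doc:
            raise RejectedPayload(f"missing key: {key}")
        if not isinstance(doc[key], expected_type):
            raise RejectedPayload(f"bad type for {key}")
    if not all(isinstance(host, str) for host in doc["TrustedHosts"]):
        raise RejectedPayload("TrustedHosts must contain only strings")
    return doc


def accept_provisioning(payload: bytes, tag: bytes, key: bytes = PINNED_KEY,
                        schema: dict = PROVISIONING_SCHEMA) -> dict:
    """Authenticate, then parse, then schema-check; only then hand back config."""
    if not verify_tag(payload, tag, key):
        raise RejectedPayload("payload authentication failed")
    try:
        doc = plistlib.loads(payload, fmt=plistlib.FMT_XML)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise RejectedPayload(f"malformed plist: {exc}") from exc
    return validate_schema(doc, schema)


def sign(payload: bytes, key: bytes = PINNED_KEY) -> bytes:
    """Server side of the constructed scheme: tag the serialised plist."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def rejected(payload: bytes, tag: bytes) -> bool:
    """True if the client refuses to apply the given payload/tag pair."""
    try:
        accept_provisioning(payload, tag)
    except RejectedPayload:
        return True
    return False


def demo() -> dict:
    """Run the gate against one good payload and three that must be refused."""
    good = plistlib.dumps({
        "ActivationState": "Activated",
        "CloudIdentityEnabled": True,
        "TrustedHosts": ["provisioning.example.invalid"],   # constructed host
    })
    good_tag = sign(good)
    results = {
        "valid_accepted": accept_provisioning(good, good_tag)["ActivationState"] == "Activated"
    }
    # Bytes altered on the path after tagging: the tag no longer matches.
    tampered = good.replace(b"provisioning.example.invalid", b"rogue.example.invalid")
    results["tampered_rejected"] = rejected(tampered, good_tag)
    # No tag at all, i.e. the unsigned response the post describes.
    results["unsigned_rejected"] = rejected(good, b"")
    # Correctly tagged but carrying a key outside the allow-list.
    extra = plistlib.dumps({
        "ActivationState": "Activated",
        "CloudIdentityEnabled": True,
        "TrustedHosts": [],
        "InjectedKey": "x",
    })
    results["unknown_key_rejected"] = rejected(extra, sign(extra))
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering is the point: the MAC (or, in production, the signature) is checked over the exact bytes received, so the XML parser only ever runs on authenticated input, and the allow-list schema then limits what an authenticated but buggy or over-broad server response can change on the device.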