HackDig : Dig high-quality web security articles for hacker

Apple iOS 10.3 - UI SMS Access Permission Vulnerability

2017-08-16 10:20
Document Title:
===============
Apple iOS 10.3 - UI SMS Access Permission Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2078

Apple Security ID: 666589482

Video: https://www.vulnerability-lab.com/get_content.php?id=2079

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v103-sms-reply-access-permission-vulnerability


Release Date:
=============
2017-08-14


Vulnerability Laboratory ID (VL-ID):
====================================
2078


Common Vulnerability Scoring System:
====================================
4.5


Vulnerability Class:
====================
Access Permission Weakness


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally
released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such
as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does
not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained
more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local access permission vulnerability in the official
Apple iOS v10.3 iPhone 6S.


Vulnerability Disclosure Timeline:
==================================
2017-06-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2017-06-06: Vendor Notification (Apple Security Department)
2017-08-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 10.2 & 10.3


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local
attacker to
bypass the code lock function to "Answer with Message / Reply with message" and limited the idevice authentication
mechanism.
The SMS response menu appears on the screen when it has been deactivated physically by the apple idevice user.

Next to that, the issue leads to a glitch with an access permission issue to the sms function of the phone app in apple
iOS 10.
After exploitation, the phone stays permanently in a compromised mode were an attacker can send a sms without the
activated
setting in the code lock module. Phone calls stay in the line even if the other side already canceled the call.

In a video the researcher we deactivated the settings for sms on active incoming calls. Then we glitched the service
with the request.
However the sms menu was still available on the display screen and allows the attacker to perform several interactions
like using the
words to get contacts of the users like names and to unauthenticated followup with sms on active incoming calls. The
events are tracked
by the apple ios with several reports and unknown errors in the analysis module.

The security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring
system count of 4.5.
Exploitation of the apple ios access permission vulnerability requires limited physical idevice access and without user
interaction.
Successful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard
settings.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with restricted physical device access and without user
interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to
continue.

Requirement(s):
[+] Siri activated by default
[+] Deactivated keyboard suggestions or tips
[+] Activate/Deactivate of code lock module with "Answer with Message / Reply with message" function
[+] Activated lock to disallow app usage from outside in locked idevice mode (Sperrbildschirm/LockScreen)


Manual steps to reproduce the vulnerability ...
1. Reset the idevice to default settings
2. Install the newest apple ios 10.2 or 10.3 version
3. Deactivate in the Settings > Keyboard > Suggestions
4. Check that siri is activated by default
5. Activate the lock to disallow app usage from outside in locked idevice mode
6. Activate the "Answer with Message / Reply with message" function
Note: After preparing and checking that the idevice is correctly setup we move into the exploitation phase
7. Call your idevice with another phone
8. Click the Message button and choose to answer with a customized message
9. Push the keyboard element and move up to the english or german keyboard
Note: At that point the incoming call can already be canceled
10. Now activate from outside without authentication the Suggestions by a push and hold ahead two seconds the home
button to activate via siri api call
Note: Now a glitch occurs and shows a keyboard ahead to the lock screen
11. Cancel the sms and move into the idevice settings by authentication
12. Deactivate the "Answer with Message / Reply with message" function in the code lock module
13. Move back outside the idevice and call yourself again with another phone line
14. The sms menu comes ahead to the active incoming call and allows to unauthenticated send sms to the receiver or
another mobile
15. In case of using siri again during the incoming accepted call that is accepted a sync issue occurs
Note: The sync issue allows to followup with the call even if the caller has already closed the phone line (unlimited
loop - side channel)
Note: On each call the sms menu comes ahead and allows the attacker to directly send sms to anybody or the caller
without permission
16. Successful reproduce of the vulnerability!


Security Video: PoC Demonstration
The video shows the idevice settings with the newst apple ios v10.3. The bugg is triggered first by showing the
function.
After that we show the mode of the issue with several smaller video recordings. At the end we show the settings
screenshots
of the setup and location glitches. At the end we was able to send sms to any sender calling our mobile phone number
and we
was able to use the function even if deactivated in the code lock settings of ios 10.3.

URL: https://www.vulnerability-lab.com/get_content.php?id=2079


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by usage of the ios status administration settings to recheck the access permission
after the deactivate.


Security Risk:
==============
The security risk of the access permission vulnerability in the apple ios 10.2 & 10.3 is estimated as medium (CVSS 4.5).
The impact of the security problem is similar to the following CVE-2017-7058.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any
licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership
requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not
publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com - www.vulnerability-db.com -
www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires
authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the
use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact
(admin@) to get an ask permission.

Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 42/guA/7102/erusolcsidlluf/gro.stsilces

Read:452 | Comments:0 | Tags: IOS Vulnerability

“Apple iOS 10.3 - UI SMS Access Permission Vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud