Apple iOS 9.3 S/Plus – touch password bypass vulnerability

ID MYHACK58:62201673424
Type myhack58
Reporter Anonymous
Modified 2016-04-08T00:00:00


Description

iOS is the mobile operating system developed by Apple, published in 2007 for use on the iPhone and iPod Touch, and since extended to other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple's App Store contained more than 700,000 iOS applications, with cumulative downloads of more than 3 billion.

Apple is a company that designs, develops and sells consumer electronics, computer software and online services. Its hardware products include the iPhone smartphone, the iPad tablet, the Mac PC, the iPod portable media player and the Apple Watch. Its software products include the OS X and iOS operating systems, the iTunes media player, the Safari browser and the iLife and iWork productivity suites. Its online services include the iTunes Store, the iOS App Store, the Mac App Store and iCloud.

Vulnerability summary

The Vulnerability Laboratory core research team found a local password bypass vulnerability in Apple iOS 9.3.1 on iPhone 6S & Plus models.

Affected products

iOS 9.3.1 (iPhone 6S & iPhone Plus) (requires 3D Touch)

Technical details

iOS v9.3.1 on iPhone 6S & iPhone Plus models contains a password bypass vulnerability. A local attacker can exploit it to bypass the iPhone's device protection mechanisms. Apple uses press interaction with the display's 3D Touch sensor to open a basic context menu. This new functionality is available only on the new iPhone 6S and iPhone Plus hardware.

The vulnerability is located in the application @ GET method inside installed apps. A remote attacker can use Siri to request a task of a running application. This interaction does not require a password. After that, the attacker can browse apps such as Facebook, Twitter and Yahoo, then search for @[TAGS].

The attacker taps the @ tag and presses and holds the button. On a hard press, the new 3D Touch function displays a menu to the attacker. One of the options available in that menu is Add New Contact. When the attacker then taps the new contact's picture/avatar button, they can view the phone's photo library. Next, a local attacker with physical access to the device can request contacts through the mail app associated with the existing account.

This password bypass vulnerability has a CVSS score of 6.1. The attack requires only a low-privileged iOS device user account and no user interaction. A successful attack requires physical access to the device. Successful exploitation gives unauthorized access to the captured phone: sensitive information such as contacts, the photo album, SMS, e-mail, phone applications and phone settings is compromised, and the attacker can obtain information from other installed applications.

PoC

Follow the steps below to reproduce the vulnerability.

Steps to reproduce

1. Download the Yahoo, Twitter or Facebook app from the App Store
2. Start the app so that it is running as a runtime task
3. Add a new password in Settings
4. Lock the screen with the power button
5. Press the Home button twice or use "hello siri" to open Siri
6. Ask Siri to search via Twitter, Yahoo or Facebook
7. Look through the found tweets until you see an @ tag, or use one in the search preview
8. Force press the @ tag button
9. The system displays a menu
10. Select Add New Contact
11. Add a picture for this contact
12. The attacker can now view the phone's photo album without authentication
13. Click on send a message; the mailbox opens without security verification

Solutions

Users can temporarily fix the vulnerability by permanently disabling Siri in the Settings menu. Next, disable access to the public control panel without entering the password. Use the privacy settings to prevent Siri from accessing photos or contacts.

Note: after the 2016-04-04 update, iOS 9.3.1 can still be attacked.