
iOS 10.1.x Certificate File Memory Corruption

2016-12-12 00:00:00
Maksymilian Arciemowicz
packetstormsecurity.com

EPSS: 0.092 (Low), Percentile: 94.1%

iOS 10.1.x Remote memory corruption through certificate file  
Credit: Maksymilian Arciemowicz from https://cxsecurity.com  
  
--------------------------------------------------------------------------------------  
0. Short description  
A specially crafted certificate file may lead to memory corruption in several processes; the attack vector may be Mobile Safari or the Mail app. The attacker may control the overflow through the length of the certificate's OCSP field.  
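A defensive pre-import check for the mechanism described above, added here as an example and not part of the advisory or Apple's code: a minimal DER walker that finds every OCSP accessLocation URI in a certificate and flags any longer than a policy limit. It assumes the advisory's "OCSP field" means the id-ad-ocsp URI inside the authorityInfoAccess extension, uses a constructed extension as sample input, and treats the 2048-byte limit as a made-up policy threshold, not an Apple limit.

```python
# OIDs in DER. Assumption: the advisory's "OCSP field" is the id-ad-ocsp URI in authorityInfoAccess.
OID_AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
MAX_OCSP_URI = 2048  # policy threshold (assumption), not a limit taken from Apple

def der_tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(buf):
    """Split a DER value into (tag, value) children; raise on malformed input."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("TLV length exceeds enclosing buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def find_ocsp_uris(buf):
    """Walk the DER tree and collect every id-ad-ocsp uniformResourceIdentifier."""
    try:
        nodes = der_children(buf)
    except (IndexError, ValueError):
        return []                               # raw string content, not DER
    found = []
    if len(nodes) == 2 and nodes[0] == (0x06, OID_OCSP) and nodes[1][0] == 0x86:
        found.append(nodes[1][1])               # AccessDescription { ocsp, [6] URI }
    for tag, val in nodes:                      # descend SEQUENCE/SET, [n], OCTET STRING
        if tag in (0x30, 0x31, 0x04) or 0xA0 <= tag <= 0xBF:
            found.extend(find_ocsp_uris(val))
    return found

def oversized_ocsp_uris(der_cert, limit=MAX_OCSP_URI):
    """Lengths of OCSP URIs that exceed the policy limit (empty list = pass)."""
    return [len(u) for u in find_ocsp_uris(der_cert) if len(u) > limit]
def make_aia_extension(uri):
    """Constructed sample: an AIA extension carrying a single OCSP accessLocation."""
    access = der_tlv(0x30, der_tlv(0x06, OID_OCSP) + der_tlv(0x86, uri))
    return der_tlv(0x30, der_tlv(0x06, OID_AIA) + der_tlv(0x04, der_tlv(0x30, access)))
SAMPLE_OK = make_aia_extension(b"http://ocsp.example.test")   # constructed input
SAMPLE_BAD = make_aia_extension(b"A" * 70000)                 # constructed oversized URI
```

Run `oversized_ocsp_uris()` over the DER of a certificate before it reaches a profile-import path (MDM gateway, mail filter, proxy); a non-empty result is the signal to quarantine the file.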
  
--------------------------------------------------------------------------------------  
1. Possible vectors of attack  
- Apple Mail (double-click on the certificate attachment)  
- Safari Mobile (open a specially crafted link, e.g. https://cert.cx/appleios10/700k.php, which redirects to a CRT file)  
- other, unspecified  
  
--------------------------------------------------------------------------------------  
2. Symptoms of memory overflow  
By choosing an appropriate certificate length, an attacker can trigger a crash of:  
- profiled  
- Preferences  
- other unexpected behaviors  
  
--------------------------------------------------------------------------------------  
3. Crash log:  
- profiled  
---------------------------------------------------------------  
{"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"}  
Incident Identifier: XXXXXXXXXXXXXX  
CrashReporter Key: XXXXXXXXXXXXXX  
Hardware Model: iPhone6,2  
Process: profiled [1595]  
Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled  
Identifier: profiled  
Version: ???  
Code Type: ARM-64 (Native)  
Role: Unspecified  
Parent Process: launchd [1]  
Coalition: <none> [253]  
  
  
Date/Time: 2016-09-20 09:15:09.7892 +0200  
Launch Time: 2016-09-20 09:15:01.1603 +0200  
OS Version: iPhone OS 10.0.1 (14A403)  
Report Version: 104  
  
Exception Type: EXC_BAD_ACCESS (SIGSEGV)  
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0  
Termination Signal: Segmentation fault: 11  
Termination Reason: Namespace SIGNAL, Code 0xb  
Terminating Process: exc handler [0]  
Triggered by Thread: 2  
  
---------------------------------------------------------------  
  
- Preferences  
---------------------------------------------------------------  
{"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"}  
Incident Identifier: XXXXXXXXXXX  
CrashReporter Key: XXXXXXXXXXX  
Hardware Model: iPhone6,2  
Process: Preferences [1517]  
Path: /Applications/Preferences.app/Preferences  
Identifier: com.apple.Preferences  
Version: 1.0 (1)  
Code Type: ARM-64 (Native)  
Role: Foreground  
Parent Process: launchd [1]  
Coalition: com.apple.Preferences [754]  
  
  
Date/Time: 2016-09-20 01:11:43.4478 +0200  
Launch Time: 2016-09-20 01:10:54.3002 +0200  
OS Version: iPhone OS 10.0.1 (14A403)  
Report Version: 104  
  
Exception Type: EXC_BAD_ACCESS (SIGSEGV)  
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90  
Termination Signal: Segmentation fault: 11  
Termination Reason: Namespace SIGNAL, Code 0xb  
Terminating Process: exc handler [0]  
Triggered by Thread: 0  
---------------------------------------------------------------  
  
  
Logs:  
==============================  
Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11  
Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError:  
Desc : Couldn't communicate with a helper application.  
Sugg : Try your operation again. If that fails, quit and relaunch the application and try again.  
Domain : NSCocoaErrorDomain  
Code : 4097  
Extra info:  
{  
NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled";  
}  
Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting...  
==============================  
  
--------------------------------------------------------------------------------------  
4. PoC  
https://cert.cx/appleios10/300k.php  
https://cert.cx/appleios10/500k.php  
https://cert.cx/appleios10/700k.php  
https://cert.cx/appleios10/900k.php  
  
or https://cert.cx/appleios10/expl.html  
  
Just open one of these links in Safari.  
  
EDB Proofs of Concept Mirror:  
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40906.zip  
  
--------------------------------------------------------------------------------------  
5. Safari and sandbox  
How is it possible that Safari does not ask the user before launching the 'Preferences' app to start the certificate import process? Safari automatically starts the new process without asking the user to accept the operation, which can be exploited through an HTTP redirect to untrusted content.  
  
--------------------------------------------------------------------------------------  
  
6. References  
CAPEC-44: Overflow Binary Resource File  
https://capec.mitre.org/data/definitions/44.html  
https://cert.cx/  
https://cxsecurity.com/  
  
Best Regards/Pozdrowienia/С наилучшими пожеланиями  
Maksymilian Arciemowicz  
  
References:  
  
https://support.apple.com/HT207422  
https://support.apple.com/HT207425  
https://support.apple.com/HT207426  
https://cert.cx/appleios10/300k.php  
https://cert.cx/appleios10/500k.php  
https://cert.cx/appleios10/700k.php  
https://cert.cx/appleios10/900k.php  
https://cert.cx/appleios10/expl.html  
https://capec.mitre.org/data/definitions/44.html  
  
