Search...

Apple iOS 10.3 - UI SMS Access Permission Vulnerability

2017-08-14T00:00:00

ID VULNERLAB:2078
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Modified 2017-08-14T00:00:00

Description

                                        
                                            Document Title:
===============
Apple iOS 10.3 - UI SMS Access Permission Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2078

Apple Security ID: 666589482

Video: https://www.vulnerability-lab.com/get_content.php?id=2079

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v103-sms-reply-access-permission-vulnerability


Release Date:
=============
2017-08-14


Vulnerability Laboratory ID (VL-ID):
====================================
2078


Common Vulnerability Scoring System:
====================================
4.5


Vulnerability Class:
====================
Access Permission Weakness


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally 
released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such 
as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does 
not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained 
more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local access permission vulnerability in the official Apple iOS v10.3 iPhone 6S.


Vulnerability Disclosure Timeline:
==================================
2017-06-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2017-06-06: Vendor Notification (Apple Security Department)
2017-08-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 10.2 & 10.3


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local attacker to 
bypass the code lock function to "Answer with Message / Reply with message" and limited the idevice authentication mechanism. 
The SMS response menu appears on the screen when it has been deactivated physically by the apple idevice user.

Next to that, the issue leads to a glitch with an access permission issue to the sms function of the phone app in apple iOS 10. 
After exploitation, the phone stays permanently in a compromised mode were an attacker can send a sms without the activated 
setting in the code lock module. Phone calls stay in the line even if the other side already canceled the call.

In a video the researcher we deactivated the settings for sms on active incoming calls. Then we glitched the service with the request. 
However the sms menu was still available on the display screen and allows the attacker to perform several interactions like using the 
words to get contacts of the users like names and to unauthenticated followup with sms on active incoming calls. The events are tracked 
by the apple ios with several reports and unknown errors in the analysis module.

The security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring system count of 4.5. 
Exploitation of the apple ios access permission vulnerability requires limited physical idevice access and without user interaction.
Successful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard settings.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with restricted physical device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Requirement(s):
[+] Siri activated by default
[+] Deactivated keyboard suggestions or tips
[+] Activate/Deactivate of code lock module with "Answer with Message / Reply with message" function
[+] Activated lock to disallow app usage from outside in locked idevice mode (Sperrbildschirm/LockScreen)


Manual steps to reproduce the vulnerability ...
1.  Reset the idevice to default settings
2.  Install the newest apple ios 10.2 or 10.3 version
3.  Deactivate in the Settings &gt; Keyboard &gt; Suggestions
4.  Check that siri is activated by default
5.  Activate the lock to disallow app usage from outside in locked idevice mode
6.  Activate the "Answer with Message / Reply with message" function
Note: After preparing and checking that the idevice is correctly setup we move into the exploitation phase
7.  Call your idevice with another phone
8.  Click the Message button and choose to answer with a customized message
9.  Push the keyboard element and move up to the english or german keyboard
Note: At that point the incoming call can already be canceled
10. Now activate from outside without authentication the Suggestions by a push and hold ahead two seconds the home button to activate via siri api call
Note: Now a glitch occurs and shows a keyboard ahead to the lock screen
11. Cancel the sms and move into the idevice settings by authentication
12. Deactivate the "Answer with Message / Reply with message" function in the code lock module
13. Move back outside the idevice and call yourself again with another phone line
14. The sms menu comes ahead to the active incoming call and allows to unauthenticated send sms to the receiver or another mobile
15. In case of using siri again during the incoming accepted call that is accepted a sync issue occurs
Note: The sync issue allows to followup with the call even if the caller has already closed the phone line (unlimited loop - side channel)
Note: On each call the sms menu comes ahead and allows the attacker to directly send sms to anybody or the caller without permission
16. Successful reproduce of the vulnerability!


Security Video: PoC Demonstration
The video shows the idevice settings with the newst apple ios v10.3. The bugg is triggered first by showing the function.
After that we show the mode of the issue with several smaller video recordings. At the end we show the settings screenshots 
of the setup and location glitches. At the end we was able to send sms to any sender calling our mobile phone number and we 
was able to use the function even if deactivated in the code lock settings of ios 10.3.

URL: https://www.vulnerability-lab.com/get_content.php?id=2079


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by usage of the ios status administration settings to recheck the access permission after the deactivate.


Security Risk:
==============
The security risk of the access permission vulnerability in the apple ios 10.2 & 10.3 is estimated as medium (CVSS 4.5).
The impact of the security problem is similar to the following CVE-2017-7058.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™

JSON Vulners Source

Initial Source

{"sourceData": "Document Title:\r\n===============\r\nApple iOS 10.3 - UI SMS Access Permission Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=2078\r\n\r\nApple Security ID: 666589482\r\n\r\nVideo: https://www.vulnerability-lab.com/get_content.php?id=2079\r\n\r\nVulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v103-sms-reply-access-permission-vulnerability\r\n\r\n\r\nRelease Date:\r\n=============\r\n2017-08-14\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n2078\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n4.5\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nAccess Permission Weakness\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n3.000\u20ac - 4.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\niOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally \r\nreleased in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such \r\nas the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does \r\nnot license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained \r\nmore than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.\r\n\r\n( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered a local access permission vulnerability in the official Apple iOS v10.3 iPhone 6S.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2017-06-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)\r\n2017-06-06: Vendor Notification (Apple Security Department)\r\n2017-08-14: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nApple\r\nProduct: iOS - (Mobile Operating System) 10.2 & 10.3\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nAn access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local attacker to \r\nbypass the code lock function to \"Answer with Message / Reply with message\" and limited the idevice authentication mechanism. \r\nThe SMS response menu appears on the screen when it has been deactivated physically by the apple idevice user.\r\n\r\nNext to that, the issue leads to a glitch with an access permission issue to the sms function of the phone app in apple iOS 10. \r\nAfter exploitation, the phone stays permanently in a compromised mode were an attacker can send a sms without the activated \r\nsetting in the code lock module. Phone calls stay in the line even if the other side already canceled the call.\r\n\r\nIn a video the researcher we deactivated the settings for sms on active incoming calls. Then we glitched the service with the request. \r\nHowever the sms menu was still available on the display screen and allows the attacker to perform several interactions like using the \r\nwords to get contacts of the users like names and to unauthenticated followup with sms on active incoming calls. The events are tracked \r\nby the apple ios with several reports and unknown errors in the analysis module.\r\n\r\nThe security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring system count of 4.5. \r\nExploitation of the apple ios access permission vulnerability requires limited physical idevice access and without user interaction.\r\nSuccessful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard settings.\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerability can be exploited by local attackers with restricted physical device access and without user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\nRequirement(s):\r\n[+] Siri activated by default\r\n[+] Deactivated keyboard suggestions or tips\r\n[+] Activate/Deactivate of code lock module with \"Answer with Message / Reply with message\" function\r\n[+] Activated lock to disallow app usage from outside in locked idevice mode (Sperrbildschirm/LockScreen)\r\n\r\n\r\nManual steps to reproduce the vulnerability ...\r\n1. Reset the idevice to default settings\r\n2. Install the newest apple ios 10.2 or 10.3 version\r\n3. Deactivate in the Settings > Keyboard > Suggestions\r\n4. Check that siri is activated by default\r\n5. Activate the lock to disallow app usage from outside in locked idevice mode\r\n6. Activate the \"Answer with Message / Reply with message\" function\r\nNote: After preparing and checking that the idevice is correctly setup we move into the exploitation phase\r\n7. Call your idevice with another phone\r\n8. Click the Message button and choose to answer with a customized message\r\n9. Push the keyboard element and move up to the english or german keyboard\r\nNote: At that point the incoming call can already be canceled\r\n10. Now activate from outside without authentication the Suggestions by a push and hold ahead two seconds the home button to activate via siri api call\r\nNote: Now a glitch occurs and shows a keyboard ahead to the lock screen\r\n11. Cancel the sms and move into the idevice settings by authentication\r\n12. Deactivate the \"Answer with Message / Reply with message\" function in the code lock module\r\n13. Move back outside the idevice and call yourself again with another phone line\r\n14. The sms menu comes ahead to the active incoming call and allows to unauthenticated send sms to the receiver or another mobile\r\n15. In case of using siri again during the incoming accepted call that is accepted a sync issue occurs\r\nNote: The sync issue allows to followup with the call even if the caller has already closed the phone line (unlimited loop - side channel)\r\nNote: On each call the sms menu comes ahead and allows the attacker to directly send sms to anybody or the caller without permission\r\n16. Successful reproduce of the vulnerability!\r\n\r\n\r\nSecurity Video: PoC Demonstration\r\nThe video shows the idevice settings with the newst apple ios v10.3. The bugg is triggered first by showing the function.\r\nAfter that we show the mode of the issue with several smaller video recordings. At the end we show the settings screenshots \r\nof the setup and location glitches. At the end we was able to send sms to any sender calling our mobile phone number and we \r\nwas able to use the function even if deactivated in the code lock settings of ios 10.3.\r\n\r\nURL: https://www.vulnerability-lab.com/get_content.php?id=2079\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be resolved by usage of the ios status administration settings to recheck the access permission after the deactivate.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the access permission vulnerability in the apple ios 10.2 & 10.3 is estimated as medium (CVSS 4.5).\r\nThe impact of the security problem is similar to the following CVE-2017-7058.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or \r\nimplied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any \r\ncase of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its \r\nsuppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental\r\nor consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface \r\nwebsites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories \r\nor vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, \r\nphone numbers, conversations or anything else to journalists, investigative authorities or private individuals. \r\n\r\nDomains: www.vulnerability-lab.com\t\t- www.vulnerability-db.com\t\t\t\t\t- www.evolution-sec.com\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php \t- vulnerability-lab.com/register.php\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \t- vulnerability-lab.com/rss/rss_upcoming.php \t\t\t- vulnerability-lab.com/rss/rss_news.php\r\nSocial:\t twitter.com/vuln_lab\t\t- facebook.com/VulnerabilityLab \t\t\t\t- youtube.com/user/vulnerability0lab\r\n\r\nAny modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark \r\nof vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2017 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "history": [], "description": "", "reporter": "Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)", "href": "http://www.vulnerability-lab.com/get_content.php?id=2078", "type": "vulnerlab", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "8b73268c37891c388619c5559e7491c3"}, {"key": "cvss", "hash": "635d7f080910dc81e99c0ca9b0d4203f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "0c549c62df9b26e6f43969c22695be08"}, {"key": "modified", "hash": "6561e7f0cbf888bba052bd3a00991a64"}, {"key": "published", "hash": "6561e7f0cbf888bba052bd3a00991a64"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "5b85434ff067fbcd6f5078e7719012ac"}, {"key": "sourceData", "hash": "4b28b1eba40c0652b4762fb0d0e11aec"}, {"key": "title", "hash": "2131cd2e8b0a77f38e4b7d9d9c8d1137"}, {"key": "type", "hash": "c51e07649f7fd47199f456897e9390ca"}], "viewCount": 0, "references": [], "lastseen": "2018-03-01T19:13:56", "published": "2017-08-14T00:00:00", "objectVersion": "1.3", "cvelist": ["CVE-2017-7058"], "id": "VULNERLAB:2078", "hash": "66e23ee9728c3f38c9116205115fa33d6f21127217c3a5544d4454bbfd5c3b08", "modified": "2017-08-14T00:00:00", "title": "Apple iOS 10.3 - UI SMS Access Permission Vulnerability", "edition": 1, "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "bulletinFamily": "exploit", "enchantments": {"vulnersScore": 7.2}}