{"id": "VULNERLAB:2078", "bulletinFamily": "exploit", "title": "Apple iOS 10.3 - UI SMS Access Permission Vulnerability", "description": "", "published": "2017-08-14T00:00:00", "modified": "2017-08-14T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://www.vulnerability-lab.com/get_content.php?id=2078", "reporter": "Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)", "references": [], "cvelist": ["CVE-2017-7058"], "type": "vulnerlab", "lastseen": "2018-03-01T19:13:56", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "8b73268c37891c388619c5559e7491c3"}, {"key": "cvss", "hash": "635d7f080910dc81e99c0ca9b0d4203f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "0c549c62df9b26e6f43969c22695be08"}, {"key": "modified", "hash": "6561e7f0cbf888bba052bd3a00991a64"}, {"key": "published", "hash": "6561e7f0cbf888bba052bd3a00991a64"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "5b85434ff067fbcd6f5078e7719012ac"}, {"key": "sourceData", "hash": "4b28b1eba40c0652b4762fb0d0e11aec"}, {"key": "title", "hash": "2131cd2e8b0a77f38e4b7d9d9c8d1137"}, {"key": "type", "hash": "c51e07649f7fd47199f456897e9390ca"}], "hash": "66e23ee9728c3f38c9116205115fa33d6f21127217c3a5544d4454bbfd5c3b08", "viewCount": 0, "enchantments": {"vulnersScore": 4.3}, "objectVersion": "1.3", "sourceData": "Document Title:\r\n===============\r\nApple iOS 10.3 - UI SMS Access Permission Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=2078\r\n\r\nApple Security ID: 666589482\r\n\r\nVideo: https://www.vulnerability-lab.com/get_content.php?id=2079\r\n\r\nVulnerability Magazine: 
https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v103-sms-reply-access-permission-vulnerability\r\n\r\n\r\nRelease Date:\r\n=============\r\n2017-08-14\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n2078\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n4.5\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nAccess Permission Weakness\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n3.000\u20ac - 4.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\niOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally \r\nreleased in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such \r\nas the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does \r\nnot license iOS for installation on non-Apple hardware. 
As of September 12, 2012, Apple's App Store contained \r\nmore than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.\r\n\r\n( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered a local access permission vulnerability in the official Apple iOS v10.3 on the iPhone 6S.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2017-06-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)\r\n2017-06-06: Vendor Notification (Apple Security Department)\r\n2017-08-14: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nApple\r\nProduct: iOS - (Mobile Operating System) 10.2 & 10.3\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nAn access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local attacker to \r\nbypass the code lock function for \"Answer with Message / Reply with message\" and limits the idevice authentication mechanism. \r\nThe SMS response menu appears on the screen even when it has been deactivated physically by the apple idevice user.\r\n\r\nIn addition, the issue leads to a glitch with an access permission issue in the sms function of the phone app in apple iOS 10. \r\nAfter exploitation, the phone stays permanently in a compromised mode where an attacker can send a sms without the activated \r\nsetting in the code lock module. 
Phone calls stay on the line even if the other side has already canceled the call.\r\n\r\nIn the video the researcher deactivated the settings for sms on active incoming calls. Then we glitched the service with the request. \r\nHowever, the sms menu was still available on the display screen and allowed the attacker to perform several interactions, like using the \r\nwords to obtain contacts of the user, such as names, and to follow up with unauthenticated sms on active incoming calls. The events are tracked \r\nby the apple ios with several reports and unknown errors in the analysis module.\r\n\r\nThe security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring system count of 4.5. \r\nExploitation of the apple ios access permission vulnerability requires limited physical idevice access and no user interaction.\r\nSuccessful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard settings.\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerability can be exploited by local attackers with restricted physical device access and without user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\nRequirement(s):\r\n[+] Siri activated by default\r\n[+] Deactivated keyboard suggestions or tips\r\n[+] Activate/Deactivate of code lock module with \"Answer with Message / Reply with message\" function\r\n[+] Activated lock to disallow app usage from outside in locked idevice mode (Sperrbildschirm/LockScreen)\r\n\r\n\r\nManual steps to reproduce the vulnerability ...\r\n1. Reset the idevice to default settings\r\n2. Install the newest apple ios 10.2 or 10.3 version\r\n3. Deactivate Settings > Keyboard > Suggestions\r\n4. Check that siri is activated by default\r\n5. Activate the lock to disallow app usage from outside in locked idevice mode\r\n
6. Activate the \"Answer with Message / Reply with message\" function\r\nNote: After preparing and checking that the idevice is correctly set up, we move into the exploitation phase\r\n7. Call your idevice with another phone\r\n8. Click the Message button and choose to answer with a customized message\r\n9. Push the keyboard element and move up to the english or german keyboard\r\nNote: At that point the incoming call can already be canceled\r\n10. Now activate the Suggestions from outside without authentication by pushing and holding the home button for two seconds, which activates them via a siri api call\r\nNote: Now a glitch occurs and shows a keyboard ahead of the lock screen\r\n11. Cancel the sms and move into the idevice settings by authenticating\r\n12. Deactivate the \"Answer with Message / Reply with message\" function in the code lock module\r\n13. Move back outside the idevice and call yourself again with another phone line\r\n14. The sms menu comes ahead of the active incoming call and allows sending sms unauthenticated to the receiver or another mobile\r\n15. In case siri is used again during the accepted incoming call, a sync issue occurs\r\nNote: The sync issue allows following up with the call even if the caller has already closed the phone line (unlimited loop - side channel)\r\nNote: On each call the sms menu comes ahead and allows the attacker to directly send sms to anybody or the caller without permission\r\n16. Successful reproduction of the vulnerability!\r\n\r\n\r\nSecurity Video: PoC Demonstration\r\nThe video shows the idevice settings with the newest apple ios v10.3. The bug is triggered first by showing the function.\r\nAfter that we show the mode of the issue with several smaller video recordings. At the end we show the settings screenshots \r\nof the setup and location glitches. 
At the end we were able to send sms to any sender calling our mobile phone number and we \r\nwere able to use the function even if deactivated in the code lock settings of ios 10.3.\r\n\r\nURL: https://www.vulnerability-lab.com/get_content.php?id=2079\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be resolved by using the ios status administration settings to recheck the access permission after deactivation.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the access permission vulnerability in the apple ios 10.2 & 10.3 is estimated as medium (CVSS 4.5).\r\nThe impact of the security problem is similar to the following CVE-2017-7058.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or \r\nimplied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any \r\ncase of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its \r\nsuppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental\r\nor consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface \r\nwebsites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories \r\nor vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. 
We do not publish trade researcher mails, \r\nphone numbers, conversations or anything else to journalists, investigative authorities or private individuals. \r\n\r\nDomains: www.vulnerability-lab.com\t\t- www.vulnerability-db.com\t\t\t\t\t- www.evolution-sec.com\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php \t- vulnerability-lab.com/register.php\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \t- vulnerability-lab.com/rss/rss_upcoming.php \t\t\t- vulnerability-lab.com/rss/rss_news.php\r\nSocial:\t twitter.com/vuln_lab\t\t- facebook.com/VulnerabilityLab \t\t\t\t- youtube.com/user/vulnerability0lab\r\n\r\nAny modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark \r\nof vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2017 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n"}
{"result": {"cve": [{"id": "CVE-2017-7058", "type": "cve", "title": "CVE-2017-7058", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. The issue involves the \"Notifications\" component. It allows physically proximate attackers to read unintended notifications on the lock screen.", "published": "2017-07-20T12:29:02", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7058", "cvelist": ["CVE-2017-7058"], "lastseen": "2017-07-25T10:54:23"}]}}