Vulners
Lucene search
Apple iOS v12.1.1 - (Combo) Passcode Bypass Vulnerability
🗓️ 24 Dec 2018 00:00:00Reported by Benjamin K.M. [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.Type 
vulnerlab🔗 www.vulnerability-lab.com👁 698 Views
Document Title:
===============
Apple iOS v12.1.1 - (Combo) Passcode Bypass Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2162
Video: https://www.vulnerability-lab.com/get_content.php?id=2169
Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2018/12/24/apple-ios-120-1211-passcode-bypass-vulnerability
Release Date:
=============
2018-12-24
Vulnerability Laboratory ID (VL-ID):
====================================
2162
Common Vulnerability Scoring System:
====================================
6.3
Vulnerability Class:
====================
Authentication Bypass
Current Estimated Price:
========================
10.000€ - 25.000€
Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally
released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such
as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does
not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained
more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local pin passcode bypass vulnerability in the official apple ios v12.0, 12.1 & 12.1.1.
Vulnerability Disclosure Timeline:
==================================
2018-10-22: Researcher Notification & Coordination (Security Researcher)
2018-11-01: Vendor Notification (Security Department)
2018-11-12: Vendor Response/Feedback #1 (Security Department) - Not able to reproduce
2018-12-15: Vendor Response/Feedback #2 (Security Department) - Not able to reproduce
2018-**-**: Vendor Fix/Patch (Service Developer Team)
2018-**-**: Security Acknowledgements (Security Department)
2018-12-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS 11.x, 12.0, 12.0.1 & 12.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
An access permission vulnerability and glitch issue has been discovered in the official apple ios v12.0, 12.1 & 12.1.1.
The issue allows a local attacker to bypass the apple ios passcode function to access or compromise the device.
The access permission vulnerability is located in the message menu to answer custom messages in combination with
the available default app functions of the ios device. The issue allows to combine different methods used to access
and edit photos in the restricted mode. Using a hidden menu in combination with a glitch allows local attackers to
access sensitive idevice data like contacts, the pictures library or default applications. The issue bypassed with
the default permissions and the basic security protection of the newst 12.1.1 ios devices. The problem is located
when processing the permissions when editing and writing images during the usage of siri and custom sms answer.
The security risk of the local bypass by an access permission vulnerability is estimated as high with a cvss count of 6.3.
Exploitation of the apple ios access permission vulnerability requires restricted physical device access without user interaction.
Successful exploitation of the local vulnerability results in an authentication bypass and unauthorized idevice access to
contact list, photo library and default apps.
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with restricted physical device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Requirement(s):
[+] Default setup idevice with iOS v12.0, v12.1 & v12.1.1
Manual Description:
1. Call the the iphone by another phone
Note: In case you do not know the number ask for it by siri (who i am)
2. Answer with a custom message on call
3. Write a short text inside the message box
4. Activate voiceover by siri
5. Make a screenshot
Note: When the screenshot is done it will be displayed for a short time on the left buttom
6. Twice push on the screenshot and hold with the last push the position on the touch screen
7. Then click on the plus on the right buttom and open to signature
8. Now push on the right buttom above the plus and switch with the finger all time to the right side of the display
Note: The message menu will be accessed by now in the background and there will be several functions available
9. Scale the picture to a small size
10. Move by switching with the finger to the name or the + / plus button
11. Now push the home button to activate siri and save the screenshot with the signature / edit mode
12. Now the contacts page is available without pin authentication by pushing twice the screenshot
Note: From there the attacher can move to different other functions mail, contacts, pictures and other functions
13. From outside the attacker can then access the contacts list by a screenshot and then double push on the image at left buttom
Video & Picture Description:
The video shows the access to the contacts list from outside by usage of the screenshot function. The requirements are siri, voiceover, sms answer (custom),
screenshot edit function, signature menu and a camera app part as default setup. We can confirm the issue for the newst ios 12.0, 12.1 and 12.1.1 version after patch.
We tested with iphone 6s and iphone 7 and no default setting has been modified. The video shows clearly the impact
of the problematic in best quality.
PoC: https://www.youtube.com/watch?v=3jKMbdBo4kc
Solution - Fix & Patch:
=======================
1. Disable siri and hey siri in the lock screen
2. Disable in the lock settings the custom sms answer on calls
3. Deactivate the voiceover function
Note: Apple product security team was not able to reproduce the vulnerability with demo videos, mailing, images and manual description.
Since users as end customers need to be informed about the risk of the unresolved vulnerability, we have now published the vulnerability.
Security Risk:
==============
The security risk of the local passcode bypass vulnerability in the newst ios 12.1.1 devices is estimated as high.
Credits & Authors:
==================
Benjamin K.M. [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Dec 2018 00:00Current
0.1Low risk
Vulners AI Score0.1