Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read Exploit

🗓️ 24 Jul 2019 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 43 Views

Apple iMessage DigitalTouch Out-of-Bounds Read Exploi

Related
Code
ReporterTitlePublishedViews
Family
Apple		About the security content of watchOS 5.3
22 Jul 201900:00
apple
Apple		About the security content of watchOS 5.3 - Apple Support
25 Jun 202007:44
apple
Circl		CVE-2019-8624
23 Jul 201922:00
circl
CNVD		Apple watchOS Digital Touch Component Buffer Overflow Vulnerability
25 Jul 201900:00
cnvd
CVE		CVE-2019-8624
18 Dec 201917:33
cve
Cvelist		CVE-2019-8624
18 Dec 201917:33
cvelist
EUVD		EUVD-2019-18014
7 Oct 202500:30
euvd
GoogleProjectZero		 The Fully Remote Attack Surface of the iPhone
7 Aug 201900:00
googleprojectzero
NVD		CVE-2019-8624
18 Dec 201918:15
nvd
Prion		Input validation
18 Dec 201918:15
prion
Rows per page
The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method [ETTapMessage initWithArchiveData:] checks that the points array is twice as long as the deltas array, but only checks that the colors array is longer than eight bytes, even though a color is needed for every point-delta pair that is processed.

To reproduce the issue with the files in tapcrash.zip:

1) install frida (pip3 install frida)
2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
3) in injectMessage.js replace the marker "FULL PATH" with the path of the obj file
4) in the local directory, run:

python3 sendMessage.py

This will lead to a crash in SpringBoard requiring no user interaction.

I've also attached a crash dump and ETencode.m, which is the file that was used to generate the obj file.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47158.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jul 2019 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 25
CVSS 3.17.5
EPSS0.02194
imessagedigitaltouchout-of-bounds readexploittap messagemalformedcrashsecurity issueproof of conceptspringboard
43