Jump to content
Nytro

Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities

Recommended Posts

Posted

Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities

 

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Mon, 7 Mar 2016 09:52:02 +0100
Document Title:
===============
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1778

Video: http://www.vulnerability-lab.com/get_content.php?id=1779



Release Date:
=============
2016-03-07


Vulnerability Laboratory ID (VL-ID):
====================================
1778


Common Vulnerability Scoring System:
====================================
6.4


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 
2007 for the 
iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike 
Microsoft`s Windows 
Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of 
September 12, 2012, 
Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 
billion times. 
It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only 
Google`s Android.

In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). 
At the half of 
2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 
2012, 400 million 
devices have beensold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, 
develops, and sells 
consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the 
iPad tablet 
computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer 
software includes 
the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity 
and productivity 
suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )


Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in 
the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).


Vulnerability Disclosure Timeline:
==================================
2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-04: Vendor Notification (Apple Product Security Team)
2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Developer Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-03-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
An auth passcode bypass vulnerability has been discovered in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) 
and the iPad (mini,1 & 2).
The vulnerability typ allows an local attacker with physical device access to bypass the passcode protection mechanism 
of the Apple mobile iOS devices.

The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event 
Calender & Siri User Interface. 
Local attackers can use siri, the event calender or the available clock module for an internal browser link request to 
the appstore that is able to 
bypass the customers passcode or fingerprint protection mechanism. The attacker can exploit the issue on several ways 
with siri, the events calender 
or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS 
devices.

1.1
In the first scenario the attacker requests for example via siri an non existing app, after that siri answers with an 
appstore link to search for it. 
Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is 
possible to unauthorized switch 
back to the internal home screen by interaction with the home button or with siri again. The link to bypass the 
controls is visible in the siri 
interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS 
v9.0, v9.1 & v9.2.1

1.2
In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The 
local attacker opens the app via 
siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple 
customers to buy more sounds for 
alerts and implemented a link. By pushing the link a restricted appstore browser window opens.  At that point it is 
possible to unauthorized switch 
back to the internal home screen by interaction with the home button or with siri again. The link to bypass the 
controls becomes visible in the 
Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the 
Apple iPhone 5 & 6(s) 
with iOS v9.0, v9.1 & v9.2.1.

1.3
In the third scenario the attacker opens via panel or by a siri request the clock app. After that he opens the internal 
world clock module. In the 
buttom right is a link to the weather channel that redirects to the store as far as its deactivated. By pushing the 
link a restricted appstore 
browser window opens.  At that point it is possible to unauthorized switch back to the internal home screen by 
interaction with the home button or 
with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image 
as link. Thus special case is 
limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does 
not exist because the map is 
not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, 
v9.1 & v9.2.1.

1.4
In the fourth scenario the attacker opens via siri the 'App & Event Calender' panel. After that the attacker opens 
under the Tomorrow task the 
'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the 
weather app is deactivated on the 
Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back 
to the internal home screen 
by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the App & 
Events Calender panel. 
The vulnerability is exploitable in the Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.

The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring 
system) count of 6.4. 
Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged ios device user account 
or low user interaction. 
Physical apple device access is required for successful exploitation. Successful exploitation of the vulnerability 
results in unauthorized 
device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, 
mms, emails, phone app, 
mailbox, phone settings or access to other default/installed mobile apps.


Vulnerable Module(s):
                        [+] PassCode (Protection Mechanism)


Affected Device(s):
                        [+] iPhone (Models: 5, 5s, 6 & 6s)
                        [+] iPad (Models: mini, 1 & 2)

Affected OS Version(s):
                        [+] iOS v9.0, v9.1 & v9.2.1


Proof of Concept (PoC):
=======================
The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device 
access and without privileged or restricted device user account.
For Security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
continue.


1.1
Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
3. Ask Siri to open a non existing App 
Note: "Open App Digital (Öffne App Digital)
4. Siri responds to the non existing app and asks to search in the appstore
5. Now, and "open App store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the appstore buttom menu links
7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduce of the passcode protection bypass vulnerability!


1.2
Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds) 
Note: "Open World Clock" (Öffne App Weltuhr)
3. Push the 'Timer' module button on the buttom
4. Now, push the Radius or End Timer Button in the middle of the screen
Note: A listing opens with the sounds collection and on top is a web link commercial
5. Push the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a 
new one.


1.3
Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link) iPad (Models: 1 & 2)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open App Clock" (Öffne App Uhr)
3. Switch in the buttom module menu to world clock
Note: on the buttom right is an image of the weather channel llc network
4. Push the image of the weather channel llc company in the world map picture
Note: Weather app needs to be deactivated by default
5. After pushing the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The issue is limited to the iPad 1 & 2 because of the extended map template!


1.4
Manual steps to reproduce the vulnerability ... (Events Calender App - Weather Channel LLC Link) iPad (Models: 1 & 2) & 
iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open Events/Calender App" (Öffne Events/Kalender App)
3.Now push on the buttom of the screen next to the Tomorrow(Morgen) module the 'Information of Weather Channel' link
Note: Weather app needs to be deactivated by default
4.After pushing the button and a new restricted browser window opens with the appstore buttom menu links
5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduce of the passcode protection bypass vulnerability!


Video Demonstration: In the attached video demonstration we show how to bypass the passcode of the iphone 6s via the 
siri App Store- & timer Buy more Tones link.
In the video we activated the passcode and setup to activate the control center by default to the locked mobile front 
screen. Siri was activated as well by default.


Solution - Fix & Patch:
=======================
The vulnerabilities can be temporarily patched by the end user by hardening of the device settings. Deactivate in the 
Settings menu the Siri module permanently. 
Deactivate also the Events Calender without passcode to disable the push function of the Weather Channel LLC link. 
Deactivate in the next step the public control 
panel with the timer and world clock to disarm exploitation. Aktivate the weather app settings to prevent the redirect 
when the module is disabled by default in 
the events calender. Finally apple needs to issue a patch as workaround for the issue but since this happens a temp 
solution has bin published as well.


Security Risk:
==============
The security risk of the passcode protection mechanism bypass vulnerabilities in the apple ipad and iphone mobile 
devices are estimated as high. (CVSS 6.4)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research () vulnerability-lab com) 
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if 
Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack 
into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                             - admin 
() evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab                                 - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are 
reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research () vulnerability-lab 
com) to get a ask permission.

                                    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com

Sursa: http://seclists.org/fulldisclosure/2016/Mar/15

 

 

  • Upvote 2
Posted

Doar PoC 1.2 merge pe 5s si iOS 9.2.1. Incercand PoC 1.1 imi da ecranul cu pin-ul iar 1.3 si 1.4 Siri imi zice "you need to unlock your iPhone first". Interesant, nonetheless si macar o varianta merge...

Posted (edited)

daca vrei ceva invata iTunesCore.dll si fa rost de un cert affiliat, dont forget "unbctivated" intodeauna isi face treaba

frate iti deblochez iCloud in fata ta, dar nu ai bani sa ma platesti - versuri :))

Edited by wishkey

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...