Document Title:
===============
Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1710

Apple Follow-up ID: 631627909

Video: http://www.vulnerability-lab.com/get_content.php?id=1711

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2016/02/04/apple-ios-v9x-application-update-loop-pass-code-bypass


Release Date:
=============
2016-02-04


Vulnerability Laboratory ID (VL-ID):
====================================
1710


Common Vulnerability Scoring System:
====================================
6


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and 
distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod 
Touch, it has been extended to support other Apple devices such as the iPad and 
Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, 
Apple does not license iOS for installation on non-Apple hardware. As of 
September 12, 2012, Apple's App Store contained more than 700,000 iOS 
applications, which have collectively been downloaded more than 30 billion 
times. It had a 14.9% share of the smartphone mobile operating system units 
shipped in the third quarter of 2012, behind only Google's Android.

In June 2012, it accounted for 65% of mobile web data consumption (including 
use on both the iPod Touch and the iPad). By mid-2012, 410 million devices had 
been activated. According to the special media event held by Apple on 
September 12, 2012, 400 million devices had been sold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a pass code lock 
authentication bypass vulnerability in the official Apple iOS 
(iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2.


Vulnerability Disclosure Timeline:
==================================
2015-10-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2015-10-23: Vendor Notification (Apple Product Security Team)
2015-01-22: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Developer Team)
2016-02-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
An application update loop that results in a pass code bypass vulnerability has 
been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & 
v9.2. The vulnerability allows local attackers to bypass the pass code lock 
protection of the Apple iPhone via an application update loop issue. The issue 
affects device security when a local update is requested by an installed iOS 
web application.

The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware 
configuration with iOS v8.2 - v9.2 when processing an update, which results in 
an interface loop in the application slides. A local attacker can trick the iOS 
device into a mode where a runtime issue with an unlimited loop occurs. This 
finally results in a temporary deactivation of the pass code lock screen. By 
loading the loop with remote app interaction we were able to reliably bypass 
the authentication of an iPhone after reactivation via the shutdown button. 
The device settings permanently requested the pass code lock on interaction. 
Normally the pass code lock is activated when the shutdown button is pressed. 
In case of the loop, the request shuts the display down but does not activate 
the pass code lock, as demonstrated in the attached PoC security video.

The attack could be performed time-based by a manipulated iOS application or 
by physical device access and interaction with a restricted system user 
account. In earlier cases of exploitation, loops of this type were used as 
jailbreaks against iOS. The vulnerability can be exploited on non-jailbroken, 
unlocked Apple iPhone mobiles.

The security risk of the local pass code bypass issue is estimated as high with 
a CVSS (Common Vulnerability Scoring System) count of 6.0. Depending on the 
attack scenario, exploitation of the local bug requires local device access or 
a manipulated app installed on the device without user interaction. 
Successful exploitation of the security vulnerability results in unauthorized 
device access via pass code lock bypass.


Proof of Concept (PoC):
=======================
The new attack scenario can be exploited by local attackers with physical bank 
branch office service access and a valid local banking card. For a security 
demonstration or to reproduce the issue, follow the information & steps 
provided below.

Manual steps to reproduce the vulnerability ...
1. First fill up some % of the free memory in the iOS device with random data
2. Now open the App Store and choose to update all applications (update all 
push button)
3. Switch quickly via the home button to the slide index and perform the iOS 
update at the same time
Note: The switch interaction needs to be performed very fast to successfully 
exploit. In the first load of the update you can still use the home button. 
Press it to go back to the index
4. Now press the home button again to review the open running slides
5. Switch to the left menu after the last slide, which is new, and open Siri in 
the same moment. Now the slide hangs and runs in a loop all the time
6. Turn off the iPad or iPhone via the power button ....
7. Reactivate via the power button and, as you can see, the session still runs 
in the loop and can be requested without any pass code
Note: Normally the pass code becomes active after the power-off button 
interaction into stand-by mode
8. Successful reproduction of the local security vulnerability!

Video Demonstration:
In a video we demonstrate how to bypass the pass code lock settings of the iOS 
v9 iPad 2 with an unlimited loop in the interface. The issue is not limited to 
that device and can be exploited with an iPhone as well. The power button on 
top activates the pass code lock for the iOS device together with the stand-by 
mode. In case of the loop we tricked the device into a mode where we were able 
to bypass the pass code.

URL: https://www.youtube.com/watch?v=V-9lE1L3nq0


Solution - Fix & Patch:
=======================
The loop issue needs to be patched in the main interface by the development 
team. The issue can be prevented by locating the affected stack and applying a 
restriction.


Security Risk:
==============
The security risk of the local iOS loop that results in a pass code bypass 
vulnerability is estimated as high. (CVSS 6.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(resea...@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial use, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by the 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website are 
trademarks of the vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material, contact 
(ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get 
permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/ad...@vulnerability-lab.com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
