Apple iOS/tvOS/watchOS Remote memory corruption through certificate

2016-11-06 / 2016-12-12
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

iOS 10.1.x Remote memory corruption through certificate file Credit: Maksymilian Arciemowicz from https://cxsecurity.com -------------------------------------------------------------------------------------- 0. Short description Special crafted certificate file may lead to memory corruption of several processes and the vector attack may be through Mobile Safari or Mail app. Attacker may control the overflow through the certificate length in OCSP field -------------------------------------------------------------------------------------- 1. Possible vectors of attack - Apple Mail (double click on certificate) - Safari Mobile ( go to special crafted link eg https://cert.cx/appleios10/700k.php which will redirect you to CRT file ) - other unspecified -------------------------------------------------------------------------------------- 2. Symptoms of memory overflow By appropriate length of the certificate, an attacker can trigger crash of: - profiled - Preferences - other unexpected behaviors -------------------------------------------------------------------------------------- 3. Crash log: - profiled --------------------------------------------------------------- {"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"} Incident Identifier: XXXXXXXXXXXXXX CrashReporter Key: XXXXXXXXXXXXXX Hardware Model: iPhone6,2 Process: profiled [1595] Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled Identifier: profiled Version: ??? Code Type: ARM-64 (Native) Role: Unspecified Parent Process: launchd [1] Coalition: <none> [253] Date/Time: 2016-09-20 09:15:09.7892 +0200 Launch Time: 2016-09-20 09:15:01.1603 +0200 OS Version: iPhone OS 10.0.1 (14A403) Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0 Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 2 --------------------------------------------------------------- - Preferences --------------------------------------------------------------- {"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"} Incident Identifier: XXXXXXXXXXX CrashReporter Key: XXXXXXXXXXX Hardware Model: iPhone6,2 Process: Preferences [1517] Path: /Applications/Preferences.app/Preferences Identifier: com.apple.Preferences Version: 1.0 (1) Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.apple.Preferences [754] Date/Time: 2016-09-20 01:11:43.4478 +0200 Launch Time: 2016-09-20 01:10:54.3002 +0200 OS Version: iPhone OS 10.0.1 (14A403) Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90 Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 0 --------------------------------------------------------------- Logs: ============================== Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11 Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError: Desc : Couldn’t communicate with a helper application. Sugg : Try your operation again. If that fails, quit and relaunch the application and try again. Domain : NSCocoaErrorDomain Code : 4097 Extra info: { NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled"; } Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting... ============================== -------------------------------------------------------------------------------------- 4. PoC https://cert.cx/appleios10/300k.php https://cert.cx/appleios10/500k.php https://cert.cx/appleios10/700k.php https://cert.cx/appleios10/900k.php or https://cert.cx/appleios10/expl.html just click on this link by using Safari. -------------------------------------------------------------------------------------- 5. Safari and sandbox How is possible that safari don't ask user before run 'Preferences' app to start process of importing certificate? Safari automatically start new process without asking user for acceptance of this operation what can be exploited through http redirect to untrusted content. -------------------------------------------------------------------------------------- 6. References CAPEC-44: Overflow Binary Resource File https://capec.mitre.org/data/definitions/44.html https://cert.cx/ https://cxsecurity.com/ Best Regards/Pozdrowienia/С наилучшими пожеланиями Maksymilian Arciemowicz

References:

https://support.apple.com/HT207422
https://support.apple.com/HT207425
https://support.apple.com/HT207426
https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php
https://cert.cx/appleios10/expl.html
https://capec.mitre.org/data/definitions/44.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top