Document Title: =============== Apple iOS 10.3 - UI SMS Access Permission Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2078 Apple Security ID: 666589482 Video: https://www.vulnerability-lab.com/get_content.php?id=2079 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2017/08/14/apple-ios-v102-v103-sms-reply-access-permission-vulnerability Release Date: ============= 2017-08-14 Vulnerability Laboratory ID (VL-ID): ==================================== 2078 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Access Permission Weakness Current Estimated Price: ======================== 3.000€ - 4.000€ Product & Service Introduction: =============================== iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local access permission vulnerability in the official Apple iOS v10.3 iPhone 6S. Vulnerability Disclosure Timeline: ================================== 2017-06-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2017-06-06: Vendor Notification (Apple Security Department) 2017-08-14: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple Product: iOS - (Mobile Operating System) 10.2 & 10.3 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ An access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local attacker to bypass the code lock function to "Answer with Message / Reply with message" and limited the idevice authentication mechanism. The SMS response menu appears on the screen when it has been deactivated physically by the apple idevice user. Next to that, the issue leads to a glitch with an access permission issue to the sms function of the phone app in apple iOS 10. After exploitation, the phone stays permanently in a compromised mode were an attacker can send a sms without the activated setting in the code lock module. Phone calls stay in the line even if the other side already canceled the call. In a video the researcher we deactivated the settings for sms on active incoming calls. Then we glitched the service with the request. However the sms menu was still available on the display screen and allows the attacker to perform several interactions like using the words to get contacts of the users like names and to unauthenticated followup with sms on active incoming calls. The events are tracked by the apple ios with several reports and unknown errors in the analysis module. The security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring system count of 4.5. Exploitation of the apple ios access permission vulnerability requires limited physical idevice access and without user interaction Successful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard settings. Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers with restricted physical device access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Requirement(s): [+] Siri activated by default [+] Deactivated keyboard suggestions or tips [+] Activate/Deactivate of code lock module with "Answer with Message / Reply with message" function [+] Activated lock to disallow app usage from outside in locked idevice mode (Sperrbildschirm/LockScreen) Manual steps to reproduce the vulnerability ... 1. Reset the idevice to default settings 2. Install the newest apple ios 10.2 or 10.3 version 3. Deactivate in the Settings > Keyboard > Suggestions 4. Check that siri is activated by default 5. Activate the lock to disallow app usage from outside in locked idevice mode 6. Activate the "Answer with Message / Reply with message" function Note: After preparing and checking that the idevice is correctly setup we move into the exploitation phase 7. Call your idevice with another phone 8. Click the Message button and choose to answer with a customized message 9. Push the keyboard element and move up to the english or german keyboard Note: At that point the incoming call can already be canceled 10. Now activate from outside without authentication the Suggestions by a push and hold ahead two seconds the home button to activate via siri api call Note: Now a glitch occurs and shows a keyboard ahead to the lock screen 11. Cancel the sms and move into the idevice settings by authentication 12. Deactivate the "Answer with Message / Reply with message" function in the code lock module 13. Move back outside the idevice and call yourself again with another phone line 14. The sms menu comes ahead to the active incoming call and allows to unauthenticated send sms to the receiver or another mobile 15. In case of using siri again during the incoming accepted call that is accepted a sync issue occurs Note: The sync issue allows to followup with the call even if the caller has already closed the phone line (unlimited loop - side channel) Note: On each call the sms menu comes ahead and allows the attacker to directly send sms to anybody or the caller without permission 16. Successful reproduce of the vulnerability! Security Video: PoC Demonstration The video shows the idevice settings with the newst apple ios v10.3. The bugg is triggered first by showing the function. After that we show the mode of the issue with several smaller video recordings. At the end we show the settings screenshots of the setup and location glitches. At the end we was able to send sms to any sender calling our mobile phone number and we was able to use the function even if deactivated in the code lock settings of ios 10.3. URL: https://www.vulnerability-lab.com/get_content.php?id=2079 Solution - Fix & Patch: ======================= The vulnerability can be resolved by usage of the ios status administration settings to recheck the access permission after the deactivate. Security Risk: ============== The security risk of the access permission vulnerability in the apple ios 10.2 & 10.3 is estimated as medium (CVSS 4.5). The impact of the security problem is similar to the following CVE-2017-7058. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™