BugTraq
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link) Mar 07 2016 08:52AM
Vulnerability Lab (research vulnerability-lab com) (1 replies)
Document Title:
===============
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1778

Video: http://www.vulnerability-lab.com/get_content.php?id=1779

Release Date:
=============
2016-03-07

Vulnerability Laboratory ID (VL-ID):
====================================
1778

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the
iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows
Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012,
Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.
It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android.

In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of
2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million
devices have beensold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )

Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells
consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet
computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer software includes
the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity
suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )

Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).

Vulnerability Disclosure Timeline:
==================================
2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-04: Vendor Notification (Apple Product Security Team)
2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Developer Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-03-07: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
An auth passcode bypass vulnerability has been discovered in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).
The vulnerability typ allows an local attacker with physical device access to bypass the passcode protection mechanism of the Apple mobile iOS devices.

The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calender & Siri User Interface.
Local attackers can use siri, the event calender or the available clock module for an internal browser link request to the appstore that is able to
bypass the customers passcode or fingerprint protection mechanism. The attacker can exploit the issue on several ways with siri, the events calender
or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.

1.1
In the first scenario the attacker requests for example via siri an non existing app, after that siri answers with an appstore link to search for it.
Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is possible to unauthorized switch
back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls is visible in the siri
interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1

1.2
In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The local attacker opens the app via
siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple customers to buy more sounds for
alerts and implemented a link. By pushing the link a restricted appstore browser window opens. At that point it is possible to unauthorized switch
back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the
Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s)
with iOS v9.0, v9.1 & v9.2.1.

1.3
In the third scenario the attacker opens via panel or by a siri request the clock app. After that he opens the internal world clock module. In the
buttom right is a link to the weather channel that redirects to the store as far as its deactivated. By pushing the link a restricted appstore
browser window opens. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or
with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is
limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is
not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.

1.4
In the fourth scenario the attacker opens via siri the 'App & Event Calender' panel. After that the attacker opens under the Tomorrow task the
'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the weather app is deactivated on the
Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back to the internal home screen
by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the App & Events Calender panel.
The vulnerability is exploitable in the Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.

The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged ios device user account or low user interaction.
Physical apple device access is required for successful exploitation. Successful exploitation of the vulnerability results in unauthorized
device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app,
mailbox, phone settings or access to other default/installed mobile apps.

Vulnerable Module(s):
[+] PassCode (Protection Mechanism)

Affected Device(s):
[+] iPhone (Models: 5, 5s, 6 & 6s)
[+] iPad (Models: mini, 1 & 2)

Affected OS Version(s):
[+] iOS v9.0, v9.1 & v9.2.1

Proof of Concept (PoC):
=======================
The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device access and without privileged or restricted device user account.
For Security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1.1
Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
3. Ask Siri to open a non existing App
Note: "Open App Digital (Ã?ffne App Digital)
4. Siri responds to the non existing app and asks to search in the appstore
5. Now, and "open App store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the appstore buttom menu links
7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduce of the passcode protection bypass vulnerability!

1.2
Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open World Clock" (Ã?ffne App Weltuhr)
3. Push the 'Timer' module button on the buttom
4. Now, push the Radius or End Timer Button in the middle of the screen
Note: A listing opens with the sounds collection and on top is a web link commercial
5. Push the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.

1.3
Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link) iPad (Models: 1 & 2)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open App Clock" (Ã?ffne App Uhr)
3. Switch in the buttom module menu to world clock
Note: on the buttom right is an image of the weather channel llc network
4. Push the image of the weather channel llc company in the world map picture
Note: Weather app needs to be deactivated by default
5. After pushing the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The issue is limited to the iPad 1 & 2 because of the extended map template!

1.4
Manual steps to reproduce the vulnerability ... (Events Calender App - Weather Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open Events/Calender App" (Ã?ffne Events/Kalender App)
3.Now push on the buttom of the screen next to the Tomorrow(Morgen) module the 'Information of Weather Channel' link
Note: Weather app needs to be deactivated by default
4.After pushing the button and a new restricted browser window opens with the appstore buttom menu links
5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduce of the passcode protection bypass vulnerability!

Video Demonstration: In the attached video demonstration we show how to bypass the passcode of the iphone 6s via the siri App Store- & timer Buy more Tones link.
In the video we activated the passcode and setup to activate the control center by default to the locked mobile front screen. Siri was activated as well by default.

Solution - Fix & Patch:
=======================
The vulnerabilities can be temporarily patched by the end user by hardening of the device settings. Deactivate in the Settings menu the Siri module permanently.
Deactivate also the Events Calender without passcode to disable the push function of the Weather Channel LLC link. Deactivate in the next step the public control
panel with the timer and world clock to disarm exploitation. Aktivate the weather app settings to prevent the redirect when the module is disabled by default in
the events calender. Finally apple needs to issue a patch as workaround for the issue but since this happens a temp solution has bin published as well.

Security Risk:
==============
The security risk of the passcode protection mechanism bypass vulnerabilities in the apple ipad and iphone mobile devices are estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research (at) vulnerability-lab (dot) com [email concealed]) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research (at) vulnerability-lab (dot) com [email concealed]) to get a ask permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]�

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus