Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones

guest · Jul 29, 2019

Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones
July 29, 2019
https://www.bleepingcomputer.com/ne...-lets-remote-attackers-read-files-on-iphones/

An iMessage vulnerability patched by Apple as part of the 12.4 iOS update allows potential attackers to read contents of files stored on iOS devices remotely with no user interaction, as user mobile with no sandbox.
The security flaw tracked as CVE-2019-8646 was discovered by Google Project Zero security researcher Natalie Silvanovich who reported it to Apple during May.

The Google security researcher says that the iMessage issue is caused by the _NSDataFileBackedFuture class which can be "deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called."
Silvanovich describes the issue in detail on Project Zero's bug tracker

The issue was patched by Apple in the iOS 12.4 release issued on July 22 "by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented."
Click to expand...

guest · Jul 30, 2019

Google researchers disclose exploits for 'interactionless' iOS attacks
July 30, 2019
https://www.zdnet.com/article/google-researchers-disclose-exploits-for-interactionless-ios-attacks/

Two members of Project Zero, Google's elite bug-hunting team, have published details and demo exploit code for five of six "interactionless" security bugs that impact the iOS operating system and can be exploited via the iMessage client.
FOUR BUGS LEAD TO NO-USER-INTERACTION RCES
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim's phone, and the malicious code will execute once the user opens and views the received item.

The four bugs are CVE-2019-8641 (details kept private), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662.
The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device's memory and read files off a remote device --also with no user interaction.
BUGS WORTH WELL OVER $5 MILLION
Until today, no-user-interaction iOS bugs were usually found in the arsenal of exploit vendors and makers of legal intercept tools and surveillance software.
Click to expand...

guest · Jul 30, 2019

Update to iOS 12.4 right away
July 30, 2019
https://www.kaspersky.com/blog/ios-critical-vulnerabilities-124/27778/

But this time it might be even more crucial: iOS 12.4 fixes severe vulnerabilities in iMessage that can be exploited without any user interaction.
As for the rest of the details on these bugs and proof of concept of how they can be exploited by attackers, Silvanovich and Groß are going to reveal them in a talk at the upcoming Black Hat USA security conference.

In any case, the best and most practical thing for each and every iOS user to do now is install iOS 12.4 right away. Do not hesitate with the next version of iOS, either; it will probably polish off the remaining issues related to these vulnerabilities.
Click to expand...

guest · Aug 2, 2019

90% of Enterprise iPhone Users Open to iMessage Spy Attack
Vast majority of Apple iOS users haven’t updated to iOS 12.4, leaving themselves wide open to a public exploit
August 2, 2019
https://threatpost.com/90-enterprise-iphone-users-imessage-spy-attack/146899/

Over 90 percent of Apple iPhone users — consumer and enterprise — are still vulnerable to bugs in iOS that can be remotely exploited without any user interaction via the iMessage client. These could reveal pictures, videos, notes, PDFs and so on stored on the phone.
“[This] is very easy for any bad actors to execute. Unlike the recent WhatsApp vulnerability, anyone with intermediate to advanced computing skills can use this code to hack any iPhone which hasn’t been updated.”

he patch for iOS was released on July 22, but user notifications haven’t rolled out; iPhone owners need to manually visit the “software update” section in the settings area and initiate the download.
“According to the data in our network of enterprise devices, only 9.6 percent of devices have been updated to iOS 12.4, as of August 1 – 10 days after the patch was released on July 22 and three days after the vulnerability was disclosed to the public on July 29,” Cuddeford said.
Click to expand...

guest · Aug 5, 2019

Apple iMessage flaw stokes concerns over iPhone sandbox security
August 5, 2019
https://www.scmagazineuk.com/apple-...cerns-iphone-sandbox-security/article/1592998

Flaws allowing remote exploits on iOS calls into question effectiveness of platform security for those users who have not yet upgraded to iOS 12.4 - sandbox deemed 'defeatable'.

According to a blog post by researchers at Wandera, this vulnerability "calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model".
Dan Cuddeford, senior director of systems engineering at Wandera, said that there "is a general mentality that iOS devices are secure so security software is not required, but the reality is, the sandbox that is built into iOS can be defeated".

"For a persistent, malicious actor who knows the iOS file system well, and knows what they’re looking for, it is likely they could gain access to sensitive files outside of iMessage due to the sandbox compromise," he added.
Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that it is unlikely that a company will turn around and replace all their devices for something more secure.

"The general view should be that mobile devices aren’t trusted and unless you can adequately ring-fence them with mobile device management they shouldn’t be allowed near sensitive information," he said.
Click to expand...

Minimalist · Aug 22, 2019

The Many Possibilities of CVE-2019-8646

CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. It is a good example of how the large number of classes available for NSKeyedArchiver deserialization can make a bug more versatile. It’s also a good example of how minor functional bugs can make a vulnerability more useful.
Click to expand...

https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cve-2019-8646.html

guest · Jan 9, 2020

mood said: ↑

Google researchers disclose exploits for 'interactionless' iOS attacks
July 30, 2019
https://www.zdnet.com/article/google-researchers-disclose-exploits-for-interactionless-ios-attacks/
Click to expand...

Google researcher beefs up iMessage security by demonstrating clickless exploit
January 9, 2020
https://www.cyberscoop.com/google-imessage-clickless-ios-exploit-project-zero/

Software exploits that don’t require a victim to click a link to be compromised are an intriguing and growing area of research for white-hat hackers. So it is no surprise that Google’s elite team of hackers, Project Zero, has dug into this stealthy mode of attack in recent months.

On Thursday, Samuel Gross laid out how, armed with only a target’s Apple ID, he could remotely compromise an iPhone within minutes to steal passwords, text messages and emails, and activate the camera and microphone.
Click to expand...

Google Project Zero
Blog post series about the interactionless iPhone exploit over iMessage:

Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of my 36C3 talk from December 2019.
The first part of the series provides an in-depth discussion of the vulnerability, the second part presents a technique to remotely break ASLR, and the third part explains how to gain remote code execution afterwards.

Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
This post is the second in a series about a remote, interactionless iPhone exploit over iMessage.
Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution
This is the third and last post in a series about a remote, interactionless iPhone exploit over iMessage.
Click to expand...

Conclusion
This blog post series demonstrated that, despite numerous exploit mitigations being deployed, it is still possible to exploit memory corruption vulnerabilities in a non-interactive setting such as mobile messaging services and without an additional remote infoleak vulnerability as is commonly deemed necessary.

The exploited vulnerability has been fixed by Apple and a few further hardening measures have already been deployed. A key insight of this research was that ASLR, which in theory should offer strong protection in this attack scenario, is not as strong in practice.

My hope is that this research will ultimately help all vendors by highlighting how small design decisions can have significant security consequences and to hopefully better protect their users from these kinds of attacks.
Click to expand...

Log in or Sign up

Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Log in or Sign up

Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Useful Searches