Remote exploitation can be achieved with no user interaction.
Five bugs in Apple’s iMessage service for the iPhone have been uncovered that require no user interaction to exploit, including one that would allow remote attackers to access content stored on iOS devices.
First discovered by Google Project Zero security researcher Natalie Silvanovich, four of the flaws have been fully patched by Apple as part of the iOS 12.4 update.
CVE-2019-8646 is the bug that allows an attacker to read files off a remote device with no user interaction. An exploit could leak the SMS database, binary files like images and more. Silvanovich has made a proof-of-concept public for the flaw.
In the bug description, the researcher explained where the issue lies: “The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called.”
This presents two problems, she added: opening up access to local files if the code deserializing the buffer ever shares it; and, it allows an NSData object to be created with a length that is different than the length of its byte array.
In the latter case, “this violates a very basic property that should always be true of NSData objects,” Silvanovich explained. “This can allow out-of-bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.”
Since the potential for information exfiltration is significant, iOS users should take care to upgrade to the latest version as soon as possible.
“Apple publishes less granular details about the distribution of iOS versions than Google does for Android,” OneSpan senior product marketing manager Sam Bakken told Threatpost in an email interview. “Apple data from May 2019 reports that 85 percent of all devices use iOS 12. But, depending on what minor version of iOS 12 they are on (12.0, 12.1, 12.2, 12.3, etc.) a lot of those users will be vulnerable to this seemingly very dangerous vulnerability.”
Other Bugs
As for the other issues, CVE-2019-8647 is a remote, interactionless use-after-free vulnerability that can crash SpringBoard, the standard application that manages the iOS home screen.
Silvanovich explained in the bug description that when deserializing a class with initWithCoder, subclasses can also be deserialized “so long as they do not override initWithCoder and implement all methods that require a concrete implementation.”
When _PFArray, which is a subclass of NSArray, is deserialized that way, it eventually calls [_PFArray initWithObjects:count:].
“This method initializes the array with the objects provided by the NSKeyedUnarchiver, but does not retain references to these objects, so when the NSKeyedUnarchiver is released, the objects in the array will also be released, even though the user of the deserialized objects could still be using them,” she explained.
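The ownership mistake described above, a container that stores objects handed to it without taking its own reference, can be modelled outside Objective-C. The following C program is an added example, not Apple's code or Project Zero's proof-of-concept: it uses a toy reference-counted object (hypothetical names rc_obj, rc_array, unarchive_then_read) and, instead of freeing storage on the last release, marks the object dead so that a stale read is reported as -1 rather than triggering undefined behaviour. The retaining container keeps the element alive after the simulated unarchiver drops its references; the non-retaining container is left pointing at a dead object.

```c
#include <stdlib.h>
#include <stdio.h>

/* Toy reference-counted object standing in for an Objective-C object.
   Constructed for this example; it is not Foundation's retain/release. */
typedef struct {
    int refcount;
    int live;    /* cleared once the last reference is dropped */
    int value;
} rc_obj;

rc_obj *rc_new(int value) {
    rc_obj *o = calloc(1, sizeof *o);
    if (o == NULL) return NULL;
    o->refcount = 1;
    o->live = 1;
    o->value = value;
    return o;
}

void rc_retain(rc_obj *o) { if (o) o->refcount++; }

/* Mark the object dead instead of freeing it, so a later access through a
   dangling reference is detectable rather than undefined behaviour. */
void rc_release(rc_obj *o) { if (o && --o->refcount == 0) o->live = 0; }

typedef struct {
    rc_obj **items;
    size_t count;
    int retains;   /* 1 when the container holds its own references */
} rc_array;

/* Initialise from an external object list. A correct container always
   passes retains = 1; retains = 0 reproduces the _PFArray behaviour. */
int rc_array_init(rc_array *a, rc_obj **objs, size_t n, int retains) {
    a->items = calloc(n ? n : 1, sizeof *a->items);
    if (a->items == NULL) return -1;
    for (size_t i = 0; i < n; i++) {
        a->items[i] = objs[i];
        if (retains) rc_retain(objs[i]);
    }
    a->count = n;
    a->retains = retains;
    return 0;
}

/* Returns the element's value, or -1 if the element is already dead
   (the condition a real use-after-free would read through). */
int rc_array_get(const rc_array *a, size_t i) {
    if (i >= a->count || !a->items[i]->live) return -1;
    return a->items[i]->value;
}

/* Simulates the unarchiver: create the objects, hand them to the array,
   then drop the unarchiver's references. Returns what the array then sees
   at index 0: 42 for a retaining container, -1 for a non-retaining one. */
int unarchive_then_read(int container_retains) {
    rc_obj *objs[2] = { rc_new(42), rc_new(7) };
    rc_array a;
    if (objs[0] == NULL || objs[1] == NULL) return -2;
    if (rc_array_init(&a, objs, 2, container_retains) != 0) return -2;
    rc_release(objs[0]);            /* unarchiver deallocated */
    rc_release(objs[1]);
    int v = rc_array_get(&a, 0);
    if (a.retains) {                /* container drops its own references */
        rc_release(objs[0]);
        rc_release(objs[1]);
    }
    free(objs[0]);
    free(objs[1]);
    free(a.items);
    return v;
}

int main(void) {
    printf("retaining container reads:     %d\n", unarchive_then_read(1));
    printf("non-retaining container reads: %d\n", unarchive_then_read(0));
    return 0;
}
```

The live flag is only a teaching device; in a real runtime the freed memory may be reused, which is why the article treats the SpringBoard crash as the benign outcome and memory corruption as the risk.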
The third bug is CVE-2019-8660 – a remote, interactionless memory corruption flaw that crops up when decoding an object of class NSKnownKeysDictionary1.
“This class decodes an object of type NSKnownKeysMappingStrategy1, which decodes a length member which is supposed to represent the length of the keys of the dictionary,” said Silvanovich, in the bulletin. “However, this member is decoded before the keys are decoded, so if a key is an instance of NSKnownKeysDictionary1 which also uses this instance of NSKnownKeysMappingStrategy1, the mapping strategy will be used before the length is checked.”
This is a problem because the NSKnownKeysDictionary1 instance uses this length to allocate a buffer, and the length is multiplied by eight during that allocation, without an integer overflow check. The code will then attempt to copy the values array (another decoded parameter) into the buffer using the unmultiplied length.
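Both of the length problems in this article, a declared length that disagrees with the bytes actually present (the _NSDataFileBackedFuture case in the CVE-2019-8646 description) and a count multiplied by an element size without an overflow check (the CVE-2019-8660 allocation), come down to validating untrusted lengths before trusting them. The following C program is an added example and not Apple's code: it defines a constructed record format (a 4-byte little-endian declared length followed by payload) and hypothetical helpers parse_blob, checked_mul and alloc_key_table that reject both inconsistencies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format for this example (not Apple's archive format):
   a 4-byte little-endian declared length followed by that many bytes. */
typedef struct {
    uint8_t *bytes;   /* owned copy of the payload */
    size_t   len;     /* always equals the number of bytes actually copied */
} blob_t;

/* Reject any record whose declared length exceeds the bytes physically
   present, so blob_t.len can never disagree with the size of blob_t.bytes
   (the invariant the article says every NSData object should keep).
   Returns 0 on success, -1 on rejection. */
int parse_blob(const uint8_t *in, size_t in_len, blob_t *out)
{
    if (in == NULL || out == NULL || in_len < 4)
        return -1;
    uint32_t declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                        ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    if ((size_t)declared > in_len - 4)      /* claims more than is there */
        return -1;
    out->bytes = malloc(declared ? declared : 1);
    if (out->bytes == NULL)
        return -1;
    memcpy(out->bytes, in + 4, declared);
    out->len = declared;
    return 0;
}

/* Overflow-checked multiply: stores a*b in *out and returns 0, or returns -1
   if the product does not fit in size_t. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Allocate a table of `count` 8-byte slots, the "length multiplied by eight"
   allocation from the NSKnownKeysDictionary1 description, refusing any count
   whose byte size would wrap. Returns NULL on overflow or out of memory. */
void *alloc_key_table(size_t count)
{
    size_t nbytes;
    if (checked_mul(count, 8, &nbytes) != 0)
        return NULL;
    return malloc(nbytes ? nbytes : 1);
}

int main(void)
{
    /* Constructed inputs: a consistent record and one that over-declares. */
    const uint8_t good[] = {3, 0, 0, 0, 'a', 'b', 'c'};
    const uint8_t bad[]  = {100, 0, 0, 0, 'a', 'b', 'c'};
    blob_t b = {0};

    printf("consistent record: %d\n", parse_blob(good, sizeof good, &b));
    free(b.bytes);
    printf("over-declared record: %d\n", parse_blob(bad, sizeof bad, &b));

    void *t = alloc_key_table(4);
    printf("4 keys: %s\n", t ? "allocated" : "rejected");
    free(t);
    printf("SIZE_MAX/4 keys: %s\n",
           alloc_key_table(SIZE_MAX / 4) ? "allocated" : "rejected");
    return 0;
}
```

The second check matters even where a libc's calloc already guards its own multiplication: the article's bug copies with the unmultiplied length into a buffer sized with the multiplied one, so the size used for the allocation and the size used for the copy must be derived from the same checked value.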
However, she said the issue would be fairly difficult to exploit due to the uncontrolled nature of the copies.
As for the other two, the researcher said that CVE-2019-8662 is similar to CVE-2019-8647, but access to the bug description is restricted. And, the team is withholding CVE-2019-8641 for now because Apple’s initial fix did not resolve the vulnerability, according to Silvanovich.
Overall, OneSpan’s Bakken noted that the finds highlight the fact that the mobile environment should be treated as “hostile.”
“Consider the mobile device a hostile environment and apply multiple controls and measures to keep your app safe and your users’ data secure,” he noted.
He added that developers should also take note.
“Mobile app developers and publishers need to constantly remind themselves that even if they think their mobile app is completely buttoned-up in terms of security (keeping in mind that 100 percent secure is impossible anyway), vulnerabilities in the OS, or other apps or malware on a users’ device can put their app and users at risk,” he said.