Source:
https://cxsecurity.com/issue/
------------------------------
0. Short description
Special crafted certificate file may lead to memory corruption of several processes and the vector attack may be through Mobile Safari or Mail app. Attacker may control the overflow through the certificate length in OCSP field
------------------------------
1. Possible vectors of attack
- Apple Mail (double click on certificate)
- Safari Mobile ( go to special crafted link eg https://cert.cx/appleios10/
- other unspecified
------------------------------
2. Symptoms of memory overflow
By appropriate length of the certificate, an attacker can trigger crash of:
- profiled
- Preferences
- other unexpected behaviors
------------------------------
3. Crash log:
- profiled
------------------------------
{"app_name":"profiled","app_
Incident Identifier: XXXXXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXXXXX
Hardware Model: iPhone6,2
Process: profiled [1595]
Path: /System/Library/
Identifier: profiled
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: <none> [253]
Date/Time: 2016-09-20 09:15:09.7892 +0200
Launch Time: 2016-09-20 09:15:01.1603 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 2
------------------------------
- Preferences
------------------------------
{"app_name":"Preferences","
Incident Identifier: XXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXX
Hardware Model: iPhone6,2
Process: Preferences [1517]
Path: /Applications/Preferences.app/
Identifier: com.apple.Preferences
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.Preferences [754]
Date/Time: 2016-09-20 01:11:43.4478 +0200
Launch Time: 2016-09-20 01:10:54.3002 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0
------------------------------
Logs:
==============================
Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.
Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError:
Desc : Couldn’t communicate with a helper application.
Sugg : Try your operation again. If that fails, quit and relaunch the application and try again.
Domain : NSCocoaErrorDomain
Code : 4097
Extra info:
{
NSDebugDescription = "connection to service named com.apple.
}
Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting...
==============================
------------------------------
4. PoC
https://cert.cx/appleios10/
https://cert.cx/appleios10/
https://cert.cx/appleios10/
https://cert.cx/appleios10/
or https://cert.cx/appleios10/
just click on this link by using Safari.
------------------------------
5. Safari and sandbox
How is possible that safari don't ask user before run 'Preferences' app to start process of importing certificate? Safari automatically start new process without asking user for acceptance of this operation what can be exploited through http redirect to untrusted content.
------------------------------
6. References
Source:
https://cxsecurity.com/issue/
CAPEC-44: Overflow Binary Resource File
https://capec.mitre.org/data/
https://cert.cx/
https://cxsecurity.com/
Komentarų nėra:
Rašyti komentarą