iOS 10.1.x Certificate File Memory Corruption
Posted on 13 December 2016
iOS 10.1.x Remote memory corruption through certificate file Credit: Maksymilian Arciemowicz from https://cxsecurity.com -------------------------------------------------------------------------------------- 0. Short description Special crafted certificate file may lead to memory corruption of several processes and the vector attack may be through Mobile Safari or Mail app. Attacker may control the overflow through the certificate length in OCSP field -------------------------------------------------------------------------------------- 1. Possible vectors of attack - Apple Mail (double click on certificate) - Safari Mobile ( go to special crafted link eg https://cert.cx/appleios10/700k.php which will redirect you to CRT file ) - other unspecified -------------------------------------------------------------------------------------- 2. Symptoms of memory overflow By appropriate length of the certificate, an attacker can trigger crash of: - profiled - Preferences - other unexpected behaviors -------------------------------------------------------------------------------------- 3. Crash log: - profiled --------------------------------------------------------------- {"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"} Incident Identifier: XXXXXXXXXXXXXX CrashReporter Key: XXXXXXXXXXXXXX Hardware Model: iPhone6,2 Process: profiled [1595] Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled Identifier: profiled Version: ??? Code Type: ARM-64 (Native) Role: Unspecified Parent Process: launchd [1] Coalition: <none> [253] Date/Time: 2016-09-20 09:15:09.7892 +0200 Launch Time: 2016-09-20 09:15:01.1603 +0200 OS Version: iPhone OS 10.0.1 (14A403) Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0 Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 2 --------------------------------------------------------------- - Preferences --------------------------------------------------------------- {"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"} Incident Identifier: XXXXXXXXXXX CrashReporter Key: XXXXXXXXXXX Hardware Model: iPhone6,2 Process: Preferences [1517] Path: /Applications/Preferences.app/Preferences Identifier: com.apple.Preferences Version: 1.0 (1) Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.apple.Preferences [754] Date/Time: 2016-09-20 01:11:43.4478 +0200 Launch Time: 2016-09-20 01:10:54.3002 +0200 OS Version: iPhone OS 10.0.1 (14A403) Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90 Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 0 --------------------------------------------------------------- Logs: ============================== Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11 Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError: Desc : Couldnat communicate with a helper application. Sugg : Try your operation again. If that fails, quit and relaunch the application and try again. Domain : NSCocoaErrorDomain Code : 4097 Extra info: { NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled"; } Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting... ============================== -------------------------------------------------------------------------------------- 4. PoC https://cert.cx/appleios10/300k.php https://cert.cx/appleios10/500k.php https://cert.cx/appleios10/700k.php https://cert.cx/appleios10/900k.php or https://cert.cx/appleios10/expl.html just click on this link by using Safari. EDB Proofs of Concept Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40906.zip -------------------------------------------------------------------------------------- 5. Safari and sandbox How is possible that safari don't ask user before run 'Preferences' app to start process of importing certificate? Safari automatically start new process without asking user for acceptance of this operation what can be exploited through http redirect to untrusted content. -------------------------------------------------------------------------------------- 6. References CAPEC-44: Overflow Binary Resource File https://capec.mitre.org/data/definitions/44.html https://cert.cx/ https://cxsecurity.com/ Best Regards/Pozdrowienia/D! D1/2DdegD,D>>NNND,D1/4D, D?D3/4DPDuD>>DdegD1/2D,ND1/4D, Maksymilian Arciemowicz References: https://support.apple.com/HT207422 https://support.apple.com/HT207425 https://support.apple.com/HT207426 https://cert.cx/appleios10/300k.php https://cert.cx/appleios10/500k.php https://cert.cx/appleios10/700k.php https://cert.cx/appleios10/900k.php https://cert.cx/appleios10/expl.html https://capec.mitre.org/data/definitions/44.html