Apple iOS 7.1.2 Device allows local attackers to merge apps ahead to the Pass Code Screen


Vulnerability researcher Benjamin Kunz Mejri already reported an issue in the emergency call function to the Apple Product Security Team last year. Today Benjamin discovered a local glitch that allows the last used service to be brought in front of the pass code screen of iOS v7.1.2. The issue definitely represents an exploitation risk because of multiple user accounts and multi-device users. A local attacker is able to bring any installed application in front of the iOS pass code. At the beginning of the research the hacker brought apps such as Mail, the emergency call function or the address book in front of the pass code screen by using a glitch in combination with Apple's Siri. The issue was reported to the Apple Product Security Team as a PDF report about 2 months ago. To date there has been no reaction from the Apple Product Security Team, and the issue has been marked as full disclosure in the Vulnerability Laboratory.

The local bypass vulnerability is located in the pass code module of Apple iOS v7.1.2. Local attackers with physical access can bring locally installed apps and default services in front of the pass code module of an Apple iPhone via the glitch. Normally the security policy of the device does not allow services to be brought in front of the logon screen (pass code).

Local attackers without a restricted physical account can bring apps and their functions in front of the pass code module to compromise the device. Local attackers with a user account can prepare (manipulate) a mobile device in order to access the restricted context later. During the tests we found that exploitation (bringing apps in front of the pass code) is only possible when the Siri edit command context has been used to save the context temporarily.

If exploitation through the glitch succeeds, the attacker is able to prepare calls via an app, write emails or access other recently used apps to compromise the iOS device.

The security risk of the local pass code bypass vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 5.9. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account, a multi-user account or restricted physical device access, without user interaction. Successful exploitation of the local pass code bypass vulnerability results in device compromise or information leakage.

Manual steps to reproduce the issue:

1. Log in to your iPhone device and update it to the newest iOS version (7.1.2 - 11D257)
2. Go to Settings > Code (Code Lock Settings) and ensure the Siri service is activated (the service is activated by default)
3. Lock the iPhone or iPad by using the power button, then slide to the pass code
4. Press the Siri button for 2 seconds and in the last second press the emergency call button too
Note: Siri opens and the emergency call screen is in the background. Using Siri in the emergency call mask is not allowed!
5. Start Siri in the locked iPhone/iPad mode
6. Use the command "Open/Call Contact Hacker A A"
Note: The contact you call needs more than 3 saved entries with the same letter
7. In our tests, after the command the Siri mask opens and shows the visible contacts of the phone with the same name
8. Go to the top of the mask, where the user is able to manually edit the input of the command
9. Click to edit the input field of the Siri command at the top and save all the input temporarily
10. Now press the power button for 3 seconds and in the third second also press the "Others (Contacts)" button
Note: In the previous version the contact button allowed access to the address book, but that issue has since been patched
11. Now hold the home and Siri buttons together and at the same time stop holding the power button
12. The page with the temporarily saved content allows modules to be moved in front of the logon mask, which represents a stable security risk
Note: The policy does not allow any function to be used in front of the pass code (lock screen) of iOS devices

Case Scenario:
During the security test we used a lab member's new iPhone 5s in our office for verification. We brought the Messages, FaceTime and Mail services to the front of the iOS login mask. Through the glitch, the local attacker is able to save any program available on the phone in front of the login screen (pass code) module. In the end we made jokes by writing messages in front of the phone's pass code (lock screen) module. The glitch was reproduced when the clock of the login screen became visible in all backgrounds of the app in use. (Watch the video!)

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1280

Video: https://www.youtube.com/watch?v=9gBtJ5tyRgI


Comments

custom iOS app developers

Good to know that an Apple iOS 7.1.12 device allows local attackers to merge apps ahead of the pass code screen. I have one question: does the same thing work on its upgraded version or not?
