Home Articles How the Critical iMessage Vulnerability was Decoded By Google Researchers

How the Critical iMessage Vulnerability was Decoded By Google Researchers

44
0

Recently, Google researchers published the technical details of critical iMessage vulnerability. Read on to know more…

Recently, Project Zero security researchers published the technical details of critical iMessage vulnerability that was addressed last year. In September 2019, Apple announced that the release of iOS 12.4.2 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation addressed this vulnerability: “An out-of-bounds read was addressed with improved input validation.”

iMessage Vulnerability
According to Google researchers, Samuel Groß and Natalie Silvanovich — tracked as CVE-2019-8641, the vulnerability is considered ‘critical’ and has a CVSS score of 9.8. The vulnerability only affects the devices that are running iOS 12 or later versions. The security vulnerability, which was also addressed in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4, could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution.

One of the security researchers Samuel Groß said on the details on the exploitation process that the security flaw can allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes. This would further allow the attackers to exfiltrate files, passwords, authentication codes, emails, SMS messages, and other data. Moreover, they could spy on the user using the device’s microphone and camera, all without user interaction or visual indicator. A Proof-of-concept (PoC) code exploit targeting the iPhone XS on iOS 12.4 was published on the Project Zero issue 1917 discussion board.

According to Project Zero’s security researchers, Apple actually started pushing patches for it in August 2019, with the release of iOS 12.4.1, which included hardening to prevent the remote exploitation of the bug.

Key Observations
To prevent abuse, the PoC deliberately alerts the victim of the ongoing attack and does not achieve native code execution, but skilled attackers will likely have no difficulties tailoring it to their needs (likely, they already have the capacity to target the flaw, the researcher says). iMessages, Groß explains, pass through multiple services and frameworks before the user is notified and the messages written to database. The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be triggered both sandboxed (imagent) and unsandboxed (SpringBoard).

CVE-2019-8641 resides in the NSKeyedUnarchiver component and an attacker can trigger it by sending a crafted payload via an iMessage. On the receiver’s device, the data in the ati field is decoded using the NSKeyedUnarchiver API and the flaw is triggered during the unarchiving of an NSSharedKeyDictionary.

The security researchers discovered that, during unarchiving, cyclic object graphs can be decoded, meaning that an object can be referenced while being unarchived further up in the callstack. With the object not yet fully initialized when it is referenced, a memory corruption appears during deserialization.

To address the flaw, Apple first made the vulnerable code unreachable over iMessage (in iOS 12.4.1), but then fully addressed the vulnerability in subsequent updates. As of iOS 13, the decoding of NSKeyedUnarchiver only happens in the sandboxed IMDPersistenceAgent, but not in SpringBoard.

Mitigation
Apple has addressed the security vulnerability with the release of iOS 12.4.2 for iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch 6th generation. The vulnerability has also been patched in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

62 + = 69