December 18, 2018

iOS 5.1.1 Fixes Address Bar Spoofing Vulnerability and WebKit Bugs

(LiveHacking.Com) – Apple have released iOS 5.1.1 for the iPhone, iPad and iPod touch. Alongside general improvements and bug fixes, the update closes a number of critical security vulnerabilities.

The first vulnerability fixed is the address bar spoofing bug which we reported on back in March. David Vieira-Kurz of MajorSecurity discovered an address bar spoofing vulnerability in WebKit that allows an attacker to manipulate the address bar in the browser and take the user to a malicious site while a fake (but genuine-looking) URL is shown. The vulnerability is caused by an error in the handling of URLs passed to JavaScript’s window.open() method.

The next vulnerability fixed by Apple is the cross-site scripting issue found by Sergey Glazunov that earned him $60,000 from Google under its Pwnium: rewards for exploits contest. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.

The final fix is also shrouded in mystery. CVE-2012-0672, which was found by Adam Barth and Abhishek Arya of the Google Chrome Security Team, is a memory corruption issue in WebKit that, if exploited, would allow an attacker to create a malicious website that could crash Safari or execute arbitrary code. However that is all that is known!

iOS 5.1.1 is available for the iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad and iPad 2.

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit – the rendering engine used by mobile Safari – allows an attacker to manipulate the address bar in the browser and take the user to a malicious site while a fake (but genuine-looking) URL is shown.

The vulnerability is caused by an error in the handling of URLs passed to JavaScript’s window.open() method. It can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.


Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) – With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 – iOS 5 Software Update
  • HT5000 – Safari 5.1.1
  • HT5001 – Apple TV 4.4
  • HT5002 – OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 – Pages for iOS v1.5
  • HT5004 – Numbers for iOS v1.5

iOS 5
Apple are emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are in WebKit, the HTML rendering engine at the heart of iOS’s version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter due to the more frequent releases of Safari for the desktop.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, python, postfix and QuickTime.

Pages and Numbers for iOS
Due to buffer overflow and memory corruption issues, opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution.

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) – A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with lots of new features like Bluetooth support and image stabilization. But the “What’s New” section also mentions “Bugfix for security vulnerability.” Currently Skype are keeping quiet about exactly which “security vulnerability” has been fixed, however it is most likely to be the Cross-Site Scripting vulnerability found in the “Chat Message” window which could allow an attacker to download a copy of the phone’s address book.

The vulnerability, which was found last week, can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Skype has published a blog post about the new iOS version in which it explains the new anti-shake feature and the support for Bluetooth; however, it mentions nothing about the security fix.

It is recommended that every iPhone/iPad Skype user updates to this new version, but it is also worth noting that there have been reports of problems with the new version, including:

  • Skype Credit not showing
  • Contacts slow to sync
  • Account settings (e.g. photo, name, profile) not appearing

To remedy these, Skype suggest deleting your Skype app and starting a new installation from scratch. To delete the app, press and hold the app icon on your iPhone, and click the ‘X’. To re-install, return to the AppStore, and install.

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

(LiveHacking.Com) – A Cross-Site Scripting vulnerability has been found in the “Chat Message” window of Skype for iOS. The vulnerability can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Because of the way Skype uses the built-in WebKit browser, any JavaScript run via the Chat Message exploit can access the local user file system. Access to files on iOS devices is restricted by the underlying operating system, but every iOS application has access to the user’s address book. This has allowed Phil Purviance to create a proof of concept injection and attack that downloads a user’s address book to a remote server just by sending a Skype Chat Message.
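The two Skype posts above describe the same root cause: a locally stored HTML file that inserts the sender’s “Full Name” into the page without encoding it, so a name containing markup becomes live script in the chat view. The following is an added example, not Skype’s code, that shows the vulnerable pattern next to the fix. The rendering functions, the `escapeHtml` helper and the sample names are all constructed for illustration.

```javascript
// Added example (not Skype's code): a chat message is rendered into HTML, and
// the sender-controlled "Full Name" is inserted into that HTML. If the field is
// concatenated raw, markup in the name is parsed as part of the page; if it is
// HTML-encoded first, the browser shows it as plain text instead.

// Constructed sample values: a display name carrying markup, and an ordinary
// name containing a character that still needs encoding.
const MALICIOUS_NAME = '<script>alert(1)</script>';
const ORDINARY_NAME = "Tom O'Neil";

// Encode the five characters that can change HTML or attribute context.
// Ampersand goes first so that already-produced entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: untrusted fields dropped straight into the markup.
function renderChatVulnerable(fullName, message) {
  return '<div class="chat"><b>' + fullName + '</b>: ' + message + '</div>';
}

// Hardened pattern: every untrusted field is encoded for an HTML text context
// at the point where it is emitted into the page.
function renderChatSafe(fullName, message) {
  return '<div class="chat"><b>' + escapeHtml(fullName) + '</b>: ' +
    escapeHtml(message) + '</div>';
}

// Demo-only check: does the produced markup still contain a live <script> tag?
// An encoded "&lt;script&gt;" is text, not an element, so it does not match.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone usage: compare the two renderings of the same message.
function demo() {
  const vulnerable = renderChatVulnerable(MALICIOUS_NAME, 'hi');
  const safe = renderChatSafe(MALICIOUS_NAME, 'hi');
  console.log('vulnerable:', vulnerable, '-> script tag present:', containsScriptTag(vulnerable));
  console.log('hardened:  ', safe, '-> script tag present:', containsScriptTag(safe));
  return { vulnerable, safe };
}

demo();
```

The important design point is where the encoding happens: at output, for the context the value lands in (here HTML text). Encoding once on input is not enough, because the same name may later be placed in an attribute or a script block where different characters are dangerous. In a WebView that loads a local HTML file, the cost of getting this wrong is higher than on an ordinary web page, since the injected script runs with whatever access that local origin has, which is exactly what the address-book proof of concept relied on.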

Phil told Skype about the vulnerability almost a month ago and was told that an update would be released early this month.

Skype says it is aware of the security issue, and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Phil also created a video showing the exploit in action:

iOS 4.3.5 Patches X.509 Certificate Validation Vulnerability

(LiveHacking.Com) – Less than two weeks ago Apple released iOS 4.3.4 to fix a PDF vulnerability, and now it has issued iOS 4.3.5 to patch an X.509 certificate validation vulnerability.

According to Apple the vulnerability allows an attacker with a privileged network position to capture or modify data in sessions protected by SSL/TLS.

A certificate chain validation issue existed in the handling of X.509 certificates. This issue is fixed through improved validation of X.509 certificate chains.

iOS 4.3.5 is available for the iPhone 3GS & iPhone 4 (GSM model), the iPod touch (3rd generation and later) and the iPad & iPad 2.

JailBreakMe 3.0 Source Code Released

(LiveHacking.Com) – Apple released iOS 4.3.4 a few days ago to close a vulnerability which allowed iOS devices to be jailbroken using a specially crafted PDF file. The most successful exploit of this hole was the JailBreakMe 3.0 web site, which allowed users to jailbreak their iOS devices by visiting the site and downloading a PDF.

Comex, the developer of the JailBreakMe 3.0 system, has now released the source code to the system, and so provides students and security professionals with a valuable resource to study, learn and understand the nature of iOS jailbreaking and in particular PDF exploits.

Hosted on GitHub, a web-based source code repository that uses Git for revision control, the system is made up of a collection of higher-level Python code to manage the jailbreak (creation of the FreeType exploit file, packaging, delivery etc.) and some low-level C and assembler code to jailbreak the device.

Apple Releases iOS 4.3.4 to Fix Vulnerabilities – Jailbreakers Quick to React

(LiveHacking.Com) — Apple has released iOS 4.3.4 for the iPhone 3GS, the iPhone 4 (GSM model), the iPod touch (3rd generation and later) and for the iPad. The main purpose of iOS 4.3.4 is to close a hole in the PDF viewer which is used by JailBreakMe.com. It allowed users to jailbreak any iDevice (including iPad 2) through the website.

Specifically iOS 4.3.4 deals with the following security issues:

  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. – A buffer overflow exists in FreeType’s handling of TrueType fonts.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. – A signedness issue exists in FreeType’s handling of Type 1 fonts.
  • Malicious code running as the user may gain system privileges. – An invalid type conversion issue exists in the use of IOMobileFrameBuffer queueing primitives, which may allow malicious code running as the user to gain system privileges.

The update renders the JailBreakMe.com jailbreak useless, although users still running 4.3.3 can continue to use the site to jailbreak their devices. The Redmond Pie web site has also posted details of a tethered jailbreak for iOS 4.3.4 using the PwnageTool. A tethered jailbreak means that if your device loses power or restarts, you have to boot it back into the jailbroken state while connected to your desktop computer.

iOS Update to Fix PDF Vulnerability

(LiveHacking.Com) — Apple is set to fix a vulnerability in the way that iOS handles PDF documents and so close the hole which enables users to jailbreak their devices by using the JailbreakMe website.

Users of JailbreakMe point their iOS device mobile-Safari browser to jailbreakme.com and the hack is performed remotely, unlike most other tools that require a software download on your computer, such as PwnageTool and redsn0w.

JailbreakMe is an “untethered” jailbreak, meaning the user does not need to have their device plugged in to their computer while rebooting in order to keep the hack. Users may notice a line of colored pixels or other graphical glitches when rebooting. That’s because once the JailbreakMe hack is installed, it overloads the device framebuffer (i.e. loads itself into video memory) on startup, injecting jailbreak code early in the startup sequence. That graphical glitch is the jailbreak code itself!

Apple spokeswoman Trudy Millar says they are working on a fix. “Apple takes security very seriously. We’re aware of this reported issue and are developing a fix that will be available to customers in an upcoming software update.”

Apple Updates OS X, Safari and iOS

Microsoft released a bumper set of security fixes on Tuesday and today it was Apple’s turn with fixes for OS X, Safari and iOS. The update for OS X was to block the fraudulent SSL certificates stolen from Comodo (better late than never), Safari 5.0.5 fixes two vulnerabilities in WebKit and iOS has been updated to 4.3.2 to block the stolen Comodo certificates and to fix other vulnerabilities.

Security Update 2011-002 applies to Mac OS X v10.5.8 and Mac OS X v10.6.7 and does nothing else other than to blacklist the fraudulent Comodo certificates.

Safari has been updated to 5.0.5 for Mac OS X v10.5.8, Mac OS X v10.6.5 or later, Windows 7, Vista and XP. Two vulnerabilities have been fixed in WebKit:

  • An integer overflow issue existed in the handling of nodesets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • A use after free issue existed in the handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

iOS 4.3.2 fixed the same two flaws listed above (as Safari on the desktop shares a lot of code with the Safari that is built into iOS), blocked the Comodo certificates and fixed a vulnerability in libxslt and one in QuickLook:

  • libxslt’s implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap, which may aid in bypassing address space layout randomization protection. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers.
  • A memory corruption issue existed in QuickLook’s handling of Microsoft Office files. Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.

The latter problem is likely to be the one used by Charlie Miller at this year’s Pwn2Own contest.