June 14, 2021

iOS 5.1.1 Fixes Address Bar Spoofing Vulnerability and WebKit Bugs

(LiveHacking.Com) – Apple have released iOS 5.1.1 for the iPhone, iPad and iPod Touch to add improvements and bug fixes while fixing a number of critical security vulnerabilities.

The first vulnerability fixed is the address bar spoofing bug which we reported on back in March. David Vieira-Kurz of MajorSecurity discovered an address bar spoofing vulnerability in WebKit  that allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing. The vulnerability is caused due to an error in the handling of URLs when using javascript’s window.open() method.

The next vulnerability fixed by Apple is the cross-site scripting issue found by Sergey Glazunov that earned him $60,000 from Google under its Pwnium: rewards for exploits contest. Details of the exact nature of Sergey’s exploit are still unavailable but it is known that WebKit doesn’t properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a “Universal XSS (UXSS)” issue.

The final fix is also shrouded in mystery. CVE-2012-0672, which was found by Adam Barth and Abhishek Arya of the Google Chrome Security Team, is a memory corruption issue in WebKit that, if exploited, would allow an attacker to create a malicious website that could crash Safari or execute arbitrary code. However that is all that is known!

iOS 5.1.1 is available for the  iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad and iPad 2.

ElcomSoft Breaks iOS 4 Encryption – Offers New Forensic Service

ElcomSoft have succeeded in decrypting the iPhone’s encrypted file system under iOS 4 and are making it available exclusively to law enforcement, forensic and intelligence agencies.

This is a major feat as since the launch of the iPhone 3GS, Apple have included hardware encryption in all of its devices (including the iPhone 4 and iPad). iOS 4 enabled this hardware-based encryption to encrypt all user data stored using AES-256. This encryption was thought to be strong enough to resist even the best equipped adversaries, including forensic analysts and law enforcement agencies.

ElcomSoft have found a way to decrypt bit-to-bit images of iOS 4 devices. Decrypted images are perfectly usable, and can be analyzed with forensic tools. But decryption is only possible with the actual device available because the decryption relies on getting the keys that are stored on it.

What is interesting (and worrying) is what ElcomSoft found stored inside the iPhone. According to them “iPhone devices store or cache humungous amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages included deleted ones, calls placed and received are just a few things to mention. A comprehensive history of user’s locations complete with geographic coordinates and timestamps. Google maps and routes ever accessed. Web browsing history and browser cache, screen shots of applications being used, usernames, Web site passwords and the password to iPhone backups made with iTunes software, and just about everything typed on the iPhone is being cached by the device.”

Web sites can launch iPhone applications without prompting

Specially crafted web sites can launch iPhone and iPod Touch apps without the Safari browser asking the user for permission when certain URL protocol handlers (URL schemes) are called. For instance, according to security researcher Nitesh Dhanjani, a web site can use the iFrame <iframe src=”skype://14085555555?call”></iframe> to launch a Skype app and automatically call a number – provided that the user has saved Skype access data. Criminals would also be able to play around with a number of other applications. For a list of the protocols currently used in the iPhone, see the URL scheme index.

Read the full story here.


Apple iPhone, iPad, iPod Code Execution and Sandbox Bypass

According to VUPEN, two vulnerabilities  have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device.

The first vulnerability is the memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices. The website redirects the browser to the appropriate PDF exploit file depending on the device model and version and then executes a first stage payload. Once done, a second stage payload is executed to gain root privileges on the device by exploiting the kernel vulnerability.

Source: [VUPEN]