Document Title:
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1322

Video: http://www.vulnerability-lab.com/get_content.php?id=1334


Release Date:
=============
2015-03-02


Vulnerability Laboratory ID (VL-ID):
====================================
1322


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for 
the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s 
Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of 
September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more 
than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, 
behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod 
Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by 
Apple on September 12, 2012, 400 million devices have been sold through June 2012.

The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements 
consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch, 
all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal 
accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating 
it in three dimensions (one common result is switching from portrait to landscape mode).

iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system 
used on Apple computers.

In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer. 
The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition, 
using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )



Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered bypass vulnerability in the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.


Vulnerability Disclosure Timeline:
==================================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS 8.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local pass code (code lock) bypass and glitch has been discovered in the Apple iOS v8.0 (12A365) mobile device system.
The vulnerability allows to bypass or evade via glitch the regular pass code restriction of the embed iOS device system.

The local bypass vulnerability is located in the favorite contact preview function that can be used for imessages or phone calls. 
Local attackers with physical access can glitch the display by usage of siri to bypass since the end of a call the device system 
access restriction.

To exploit the attacker visit the favorite call function via the home button in the ios task favorite preview slideshow. He clicks 
a contact and uses siri to merge via glitch with the authorized call app. In the next step he locks the mobile device. The he 
hold the volume + button multiple times to keep the service since the call end ahead to the pass code logon screen. The issue 
is very tricky to exploit but affects at the end obviously secure pass code restriction. The attacker is able to multiple times 
push in the last moment the power button to deactivate the display and start the pass code lock. However the local attacker is 
able to bypass exactly this mechanism in the mentioned location.

During the tests the security researcher revealed a video that demonstrates the security issue and the glitch that affects the 
local device security. Like in the Samsung in 2010 the device allows to access the information as long as a call runs in 
the phone app. The local issue has been tested to verify with the default configured iphone 6 and 5s device.

The security risk of the local pass code bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring 
system) count of 5.2. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account, 
multi user account or restricted physical device access without user interaction. Successful exploitation of the local pass code 
bypass vulnerability results in device compromise or information leaking.


Affected Device(s):
      [+] Apple > iPhone 5 & 6

Affected OS Version(s):
      [+] iOS v8.0 (12A365)

Tested Device(s):
      [+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)


Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.

Requirement(s):
      [+] iOS v8.0 (default install)
      [+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
      [+] Two healthy hands ;)


Manual Steps to reproduce the local vulnerability ...

1. Start your iOS device and install the new iOS v8.0 to your ipad2, iphone 5s or iphone 6 device
2. Start the mobile and login to the pass code
3. Now press the home button twice to see the app preview slide show and the new favorite contract slideshow above
4. move you finger over the favorite contact and two symboles become visible (Phone app and Message app)
5. Press now the home button two seconds to activate siri and push in the last second the private call button to the contact
Note: Be fast! After it the siri which is in default mode available glitches ahead to the phone call
6. Now you push the power button on top of the mobile and shortly after it you use the hardware volumen to reactivate
Note: The mobile now goes in the locked mode after the power button push but the siri is ahead glitched to the call that runs
7. In the call mask you can click the contacts button by pressing around the button because of the siri glitch
8. The contact list becomes available as long as the call runs with the glitch through siri
9. Successul bypass of the secure pass code restriction! 

Reference(s):
      ../poc-video.wmv

Picture(s):
      ../1.png
      ../2.png
      ../3.png
      ../4.png
      ../5.png
      ../6.png
      ../7.png
      ../8.png


Security Risk:
==============
The security risk of the local auth bypass issue and glitch in the iOS v8.0 is estimated as medium. (CVS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt