exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AppleiOS 13.5.1 Resource Exposure

AppleiOS 13.5.1 Resource Exposure
Posted Jul 3, 2020
Authored by Philipp Buchegger | Site syss.de

Apple iOS version 13.5.1 suffers from an issue where it is possible to circumvent the copy and paste restriction from the company profile to the private profile. Thus, it is possible to extract attachments that can be previewed ("Quick Look") in the native Mail client to any private app.

tags | exploit
systems | apple, ios
SHA-256 | 2010fb70717eed823f1bf4f1c9f8436da1844b077ea4ef32867f8306a4680a29

AppleiOS 13.5.1 Resource Exposure

Change Mirror Download
Advisory ID: SYSS-2020-011
Product: Apple iOS
Manufacturer: Apple Inc.
Affected Version(s): 13.3.1, 13.5.1
Tested Version(s): 13.3.1, 13.5.1
Vulnerability Type: Exposure of Resource to Wrong Sphere (CWE-668)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2020-03-23
Solution Date: -
Public Disclosure: 2020-07-02
CVE Reference: Not yet assigned
Author of Advisory: Philipp Buchegger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

iOS (formerly iPhone OS) is a mobile operating system created and
developed by Apple Inc. exclusively for its hardware. It is the
operating system that presently powers many of the company's mobile
devices, including the iPhone.

On a company device with DEP (Device Enrollment Program), it is possible
to enforce certain restrictions in order to separate company from
private data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to circumvent the copy & paste restriction from the
company profile to the private profile. Thus, it is possible to extract
attachments that can be previewed ("Quick Look") in the native Mail
client to any private app.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The vulnerability can be demonstrated and reproduced in the following
way:

1. Receive a PDF document in the native Mail app via a managed Exchange
profile

2. On a managed and restricted device, copying this document is not
possible

3. Tap and hold the PDF document, select "Quick Look"/"Übersicht"

4. Open the "Share..." dialog

5. Copy the document - this was not permitted in the previous view

6. Paste it in any private app, for example in "Files";
for further demonstration, the Adobe Acrobat app was used

7. Access the file locally with any installed app

8. Download the digital document (no screen dump, a perfect digital copy
of the original document) as PDF via USB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

Apple does not consider the described security issue to be a security
vulnerability and has not fixed it yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-03-22: Vulnerability discovered
2020-03-23: Vulnerability reported to manufacturer
2020-03-30: E-mail to manufacturer concerning status update
2020-04-14: E-mail from manufacturer concerning status update
2020-04-15: E-mail to manufacturer concerning status update
2020-04-17: E-mail from manufacturer concerning status update
2020-05-01: Product security of manufacturer responds that the reported
issue is not a security vulnerability, but it has been
passed along to the appropriate team
2020-05-08: E-Mail to manufacturer regarding status update from the
informed team and publication of the security issue
2020-05-12: E-mail to manufacturer concerning status update
2020-05-13: E-mail from manufacturer regarding publication
2020-05-14: Provided proof of concept video to manufacturer
2020-06-18: E-mail from manufacturer concerning status update
2020-07-02: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Apple iOS
https://www.apple.com/de/ios/ios-13/
[2] SySS Security Advisory SYSS-2020-011

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-011.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[4] SySS Proof of Concept Video
https://www.youtube.com/watch?v=82jbJzdxPFY

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Buchegger of SySS GmbH.

E-Mail: philipp.buchegger@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close