what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apple iPhone 4 Passphrase Disclosure

Apple iPhone 4 Passphrase Disclosure
Posted Mar 7, 2011
Site tehtri-security.com

Apple iPhone 4 with iOS 4.3 (8F190) suffers from a passphrase disclosure vulnerability that allows all local processes access to it.

tags | advisory, local
systems | apple, iphone
SHA-256 | 50b3289c4489d4defcfdf5ed6c483a646482853dbb3b0aa3477ed046497aa078

Apple iPhone 4 Passphrase Disclosure

Change Mirror Download

Platform: iPhone 4

Operating System: iOS 4.3 (8F190)

Application: com.apple.wifi.hostapd

Impact for customers: Low (?)

Description:

The new iPhone option called “Personal Hotspot” uses a passphrase to protect the WPA2 Personal wireless hotspot created. A WPA PSK is derived from this passphrase.

While processing those functions, the iPhone writes the passphrase in clear text in the console of the iPhone device.

This area is readable by all local processes through the official Apple API. Here is the list of things written in clear text through the console: the Group Master Key, the Group Transient Key, the PSK, the passphrase.

Example of clear text keys and passwords caught from on an iOS 4.3 device:


Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74 73 31 34 36 37 facets1467

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.733079: PSK (from passphrase) - hexdump(len=32): cf f6 0d 2a 1a a2 d8 29 6d 58 cc 6f 49 55 34 47 22 b7 9c 5c 76 86 be 17 57 b0 d3 5c 6e ad 2a 65

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870522: GMK - hexdump(len=32): f9 69 7e c4 d1 fa 41 10 e2 b9 a1 78 0e 50 fa 47 5b 18 4a 86 75 8d a1 64 c7 c9 fc 7d b2 98 d5 b3

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870580: GTK - hexdump(len=16): 8d 3f 27 be 0c 21 e2 5e fb 92 fb 15 b2 69 eb cd

Note: This can easily be patched, by putting hostapd in a silent mode, avoiding this security issue. We evaluated the risk to be low (?), but a combined remote attack against an iPhone device could help a nearby attacker at targeting the devices hidden behind the iPhone on the 3G link (and most of the time, people don't want their passwords to be written in clear text somewhere). There are more relevant data on those devices, compared to the iPhone itself.


GOING FURTHER...

If you're interested about our findings, our techniques and our tools (*), feel free to join us during our next sessions of trainings, so that we can have direct interactions and sharing with 0days, exploits, attack/defense concepts, so that you can fight the bad guys beyond the Matrix:

- Asia / April 2011: during next SyScan Singapore Conference, Training Advanced PHP Hacking

- Europe / May 2011: during next HITB Amsterdam Conference, Training Hunting Web Attackers


(*) Examples of vulnerabilities found by TEHTRI-Security in 2010:

* Vulnerability in iPhone: CVE-2010-1752
* Vulnerability in BlackBerry: CVE-2010-2599
* Vulnerabilities in PHP tools used by attackers


We wish you happy updates of your devices this week…

@tehtris
http://www.tehtri-security.com/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close