Apple iPhone 4 Passphrase Disclosure
Posted Mar 7, 2011
Site tehtri-security.com

Apple iPhone 4 with iOS 4.3 (8F190) suffers from a passphrase disclosure vulnerability that allows all local processes access to it.

tags | advisory, local
systems | apple, iphone
MD5 | 5806a00d78c413e35d82e31be0490810

Platform: iPhone 4

Operating System: iOS 4.3 (8F190)

Application: com.apple.wifi.hostapd

Impact for customers: Low (?)

Description:

The new iPhone option called “Personal Hotspot” uses a passphrase to protect the WPA2 Personal wireless hotspot created. A WPA PSK is derived from this passphrase.

While performing this derivation, the iPhone writes the passphrase in clear text to the device console.

This area is readable by all local processes through the official Apple API. Here is the list of things written in clear text through the console: the Group Master Key, the Group Transient Key, the PSK, the passphrase.

Example of clear text keys and passwords captured from an iOS 4.3 device:


Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74 73 31 34 36 37 facets1467

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.733079: PSK (from passphrase) - hexdump(len=32): cf f6 0d 2a 1a a2 d8 29 6d 58 cc 6f 49 55 34 47 22 b7 9c 5c 76 86 be 17 57 b0 d3 5c 6e ad 2a 65

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870522: GMK - hexdump(len=32): f9 69 7e c4 d1 fa 41 10 e2 b9 a1 78 0e 50 fa 47 5b 18 4a 86 75 8d a1 64 c7 c9 fc 7d b2 98 d5 b3

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870580: GTK - hexdump(len=16): 8d 3f 27 be 0c 21 e2 5e fb 92 fb 15 b2 69 eb cd

Note: This can easily be patched by putting hostapd in a silent mode, which avoids this security issue. We evaluated the risk to be low (?), but a combined remote attack against an iPhone device could help a nearby attacker target the devices hidden behind the iPhone on the 3G link (and most of the time, people don't want their passwords to be written in clear text somewhere). There is more relevant data on those devices than on the iPhone itself.
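A check a defender could run over a captured console log to confirm whether hostapd is still dumping key material after the logging change mentioned in the note. This is an added example, not TEHTRI-Security's code: the `scan` helper, its regexes and the sample lines are constructed here and assume the line format shown in the excerpt above.

```python
import re
from itertools import takewhile

SECRET_LABELS = {"PSK", "GMK", "GTK"}  # labels seen in the advisory's log excerpt
PREFIX = re.compile(r"^.*?\[\d+\]\s*:\s*")  # syslog header up to "process[pid] :"
HEADER = re.compile(r"\b(?P<label>[A-Z]{3})(?: \([^)]*\))? - "
                    r"hexdump(?:_ascii)?\(len=(?P<len>\d+)\):\s*")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample in the advisory's line format; every value is a dummy.
P = "Jan 1 00:00:00 unknown com.apple.wifi.hostapd[79] : "
SAMPLE = [
    P + "1000000000.000001: PSK (ASCII passphrase) - hexdump_ascii(len=7):",
    P + "65 78 61 6d 70 6c 65 example",
    P + "1000000000.000002: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)",
    P + "1000000000.000003: GTK - hexdump(len=4): 00 11 22 33",
]

def scan(lines):
    """Return (findings, redacted).

    findings: (line_no, label, declared_len, bytes_logged) per secret dump.
    redacted: the input lines with dumped bytes replaced by a marker.
    """
    findings, redacted, pending = [], [], None
    for no, line in enumerate(lines, 1):
        m = HEADER.search(line)
        is_header = bool(m and m["label"] in SECRET_LABELS)
        if is_header:
            label, want, cut = m["label"], int(m["len"]), m.end()
        elif pending and (p := PREFIX.match(line)):
            # hexdump_ascii prints its bytes on the line after the header
            (label, want), cut = pending, p.end()
        else:
            pending = None
            redacted.append(line)
            continue
        # Count at most the declared length so the ASCII column is not miscounted.
        tokens = line[cut:].split()[:want]
        got = len(list(takewhile(HEX_BYTE.match, tokens)))
        pending = (label, want) if is_header and got == 0 else None
        if got:
            findings.append((no, label, want, got))
            line = line[:cut] + f"[REDACTED {got} bytes]"
        redacted.append(line)
    return findings, redacted
```

An empty findings list on a fresh capture indicates the daemon is no longer writing these dumps to the console; the redacted copy is safe to attach to a ticket.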


GOING FURTHER...

If you're interested in our findings, our techniques and our tools (*), feel free to join us during our next training sessions, so that we can have direct interactions and share 0days, exploits, and attack/defense concepts, so that you can fight the bad guys beyond the Matrix:

- Asia / April 2011: during next SyScan Singapore Conference, Training Advanced PHP Hacking

- Europe / May 2011: during next HITB Amsterdam Conference, Training Hunting Web Attackers


(*) Examples of vulnerabilities found by TEHTRI-Security in 2010:

* Vulnerability in iPhone: CVE-2010-1752
* Vulnerability in BlackBerry: CVE-2010-2599
* Vulnerabilities in PHP tools used by attackers


We wish you happy updates of your devices this week…

@tehtris
http://www.tehtri-security.com/
