Advisory ID: SYSS-2020-011 Product: Apple iOS Manufacturer: Apple Inc. Affected Version(s): 13.3.1, 13.5.1 Tested Version(s): 13.3.1, 13.5.1 Vulnerability Type: Exposure of Resource to Wrong Sphere (CWE-668) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2020-03-23 Solution Date: - Public Disclosure: 2020-07-02 CVE Reference: Not yet assigned Author of Advisory: Philipp Buchegger, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that presently powers many of the company's mobile devices, including the iPhone. On a company device with DEP (Device Enrollment Program), it is possible to enforce certain restrictions in order to separate company from private data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: It is possible to circumvent the copy & paste restriction from the company profile to the private profile. Thus, it is possible to extract attachments that can be previewed ("Quick Look") in the native Mail client to any private app. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The vulnerability can be demonstrated and reproduced in the following way: 1. Receive a PDF document in the native Mail app via a managed Exchange profile 2. On a managed and restricted device, copying this document is not possible 3. Tap and hold the PDF document, select "Quick Look"/"Übersicht" 4. Open the "Share..." dialog 5. Copy the document - this was not permitted in the previous view 6. Paste it in any private app, for example in "Files"; for further demonstration, the Adobe Acrobat app was used 7. Access the file locally with any installed app 8. Download the digital document (no screen dump, a perfect digital copy of the original document) as PDF via USB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability. Apple does not consider the described security issue to be a security vulnerability and has not fixed it yet. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-03-22: Vulnerability discovered 2020-03-23: Vulnerability reported to manufacturer 2020-03-30: E-mail to manufacturer concerning status update 2020-04-14: E-mail from manufacturer concerning status update 2020-04-15: E-mail to manufacturer concerning status update 2020-04-17: E-mail from manufacturer concerning status update 2020-05-01: Product security of manufacturer responds that the reported issue is not a security vulnerability, but it has been passed along to the appropriate team 2020-05-08: E-Mail to manufacturer regarding status update from the informed team and publication of the security issue 2020-05-12: E-mail to manufacturer concerning status update 2020-05-13: E-mail from manufacturer regarding publication 2020-05-14: Provided proof of concept video to manufacturer 2020-06-18: E-mail from manufacturer concerning status update 2020-07-02: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Apple iOS https://www.apple.com/de/ios/ios-13/ [2] SySS Security Advisory SYSS-2020-011 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-011.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [4] SySS Proof of Concept Video https://www.youtube.com/watch?v=82jbJzdxPFY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Philipp Buchegger of SySS GmbH. E-Mail: philipp.buchegger@syss.de Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc Key ID: 0x065809F0BB6747E8 Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en