The DigitalBank Vault
This iPhone Hack Let Google Access iOS Device Files
An Apple iMessage security vulnerability meant that researchers from Google's Project Zero team could remotely access files on a victim's iPhone. Here's how they did it.
The iMessage vulnerability
iPhone users were alerted back in July that an iMessage security vulnerability had been uncovered and a proof-of-concept exploit developed. That vulnerability gave an attacker the ability to remotely read files from an iPhone, with no physical access required. The proof-of-concept exploit showed that sending a specially constructed "hack" iMessage to an iPhone could leak bytes of memory from SpringBoard, the application that manages the iOS home screen, and reveal them in the output of the attacking server. The vulnerability was disclosed by Google Project Zero researcher Natalie Silvanovich, who earlier in the year had shown how an iMessage text attack could effectively "brick" an iPhone. She explained how the vulnerability could also be used to read files remotely from an iPhone.
Silvanovich first disclosed the vulnerability (CVE-2019-8646) to Apple in May and produced the proof-of-concept exploit in June. As is the case with all such Google Project Zero vulnerability finds, Apple was given a 90-day deadline to make a patch available before public disclosure. Apple did, indeed, respond commendably quickly by making a fix available as part of the iOS 12.4 update. Now Silvanovich has published a deep-dive technical post on the Project Zero blog that reveals precisely how an attacker could have exploited the vulnerability.
Exploiting the iPhone iMessage vulnerability
Before reading the deep-dive post, Silvanovich recommends that readers first familiarize themselves with the "fully remote attack surface of the iPhone." This provides a still technical, but perhaps slightly more accessible, overview of the "several attack surfaces of the iPhone." If you survive that relatively intact, then head for the deep dive.
Alternatively, the tl;dr of it is that Silvanovich found a particular class could be "deserialized by iMessage in a remote context," which brought with it the potential for a process to access a file without authorization.