Apple iOS 10/10.1 on iPad2 Lockscreen improper authentication

Summaryinfo

A vulnerability was found in Apple iOS 10/10.1 on iPad2. It has been classified as problematic. This vulnerability affects unknown code of the component Lockscreen. This manipulation causes improper authentication. The attack can only be executed locally. Furthermore, there is an exploit available. It is recommended to apply the suggested workaround.

Detailsinfo

A vulnerability was found in Apple iOS 10/10.1 on iPad2 (Smartphone Operating System). It has been declared as problematic. Affected by this vulnerability is an unknown code block of the component Lockscreen. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was shared 11/17/2016 by Benjamin Kunz Mejri as VL-ID 2012 / 648680301 as confirmed advisory (Website). It is possible to read the advisory at vulnerability-lab.com. The vendor was not involved in the public release. The exploitation appears to be difficult. Attacking locally is a requirement. The exploitation doesn't need any form of authentication. Technical details are unknown but a public exploit is available. The advisory points out:

The vulnerability is located after installtion of the ios 10.x version to the incompatible apple ipad2 device. The website of the apple site showed us that imcompatible devices can cause on usage in unexpected behavoir, so we decided to install the version to one of our test environment devices. After the installation we have noticed that the dictionary function became available ahead to the desk. In our testings we used the function to trigger a glitch on accessing the more information button in the locked device mode. After processing the interaction manually in a loop, we was able to get ahead the passcode screen area a push magnifying glass preview.

A public exploit has been developed by Benjamin Kunz Mejri and been published immediately after the advisory. It is possible to download the exploit at vulnerability-lab.com. It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $25k-$100k. The advisory illustrates:

Watching the bug displayed information of a restricted area that is located in `Device - Siri - About Sir & Data Security to Privacy`. Now i moved to the link by searching blind the location and pushed twice to receive the input menu bar like when marking a text. People that are aware of ios know that these function allows several options depending on the input and connected function. Now an attacker can use the share function that became visible ahead during the passcode lock screen via glitch and pushs the share button. Now the email opens. Then the attacker marks the email of the contact and pushs twice the contact plus a keyboard letter of an exisiting contact. Now the contact comes ahead, click the info button and move to the profil location. Add the information to a new contact, then press the image button and now the attacker is able to access the photo album of the device without any restrictions.

The best possible mitigation is suggested to be Workaround.

Additional details are provided at seclists.org. The entries VDB-93680, VDB-93681 and VDB-93682 are related to this item. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Apple

Name

• iOS

Version

• 10
• 10.1

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

Video

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion