Fnut, 2015/07/28 10:01
FireEye, a foreign security company, has translated some of its blog posts. (The video sections require getting over the Great Firewall to view.)
The original link: www.fireeye.com/blog/threat…
0x01 Preface
In the latest release, iOS 8.4, Apple fixed several vulnerabilities that allowed attackers to mount two new kinds of Masque Attacks (CVE-2015-3722/3725, and CVE-2015-3725). We call these two exploitation methods Manifest Masque and Extension Masque; they can be used to demolish apps, including system apps (e.g., Apple Watch, Health, Pay, etc.), and to break the app data container. In this article we do not go into the details of the vulnerabilities patched earlier, but instead focus on a Masque variant that has not yet been disclosed: Plugin Masque, which bypasses iOS entitlement enforcement and hijacks VPN traffic. Our monitoring also shows that one-third of iOS devices are still not updated to 8.1.3 or later, five months after its release, and these devices remain vulnerable to Masque Attacks.
We summarize the five Masque Attacks found so far in the following table:

| Name | Damage discovered so far | Fix status |
|---|---|---|
| App Masque | Replace an existing app; harvest private data | Fixed in iOS 8.1.3 [6] |
| URL Masque | Bypass the trust prompt; hijack inter-app communication | Partially fixed in iOS 8.1.3 [11] |
| Manifest Masque | Destroy other apps during over-the-air installation (including Apple Watch, Health, Pay, etc.) | Partially fixed in iOS 8.4 |
| Plugin Masque | Bypass the trust prompt; bypass the VPN plug-in entitlement; replace an existing VPN plug-in; hijack device traffic; prevent device restart; exploit further kernel vulnerabilities | Fixed in iOS 8.1.3 |
| Extension Masque | Access another app's data; or prevent another app from accessing its own data | Partially fixed in iOS 8.4 |
The Manifest Masque attack exploits CVE-2015-3722/3725 to destroy apps that already exist on iOS when the victim installs an in-house iOS app over the air from a web page using an enterprise provisioning profile. The destroyed app (the target of the attack) can be a regular app downloaded from the official App Store, or a more important system app, such as Apple Watch, Apple Pay, App Store, Safari, Profile, etc. The bug affects all versions of iOS 7, and iOS 8 prior to iOS 8.4. We first notified Apple of the vulnerability in August 2014.
Extension Masque can break the isolation of the app data container. A malicious extension installed together with an in-house iOS app can gain full access to the target app's data container, or it can prevent the target app from accessing its own data container. On June 14th, security researchers Luyi, Xiaofeng et al. disclosed several problems on OS X, including an issue [5] similar to Extension Masque. They did great research, but they missed the bug on iOS: "This security risk does not exist on iOS," their report states. However, the data container issue does affect all versions of iOS 8 prior to iOS 8.4, and can be used by attackers to steal all data in a target app's data container. We independently discovered this vulnerability on iOS and notified Apple before report [5] was released, and Apple fixed the issue as part of CVE-2015-3725.
In addition to these two vulnerabilities, which have been patched in iOS 8.4, we also discovered another untrusted-code-injection attack that replaces VPN plug-ins: the Plugin Masque Attack. We reported this vulnerability to Apple in September 2014, and Apple fixed it in iOS 8.1.3 when they patched the original App Masque [6,11]. This vulnerability is, however, much more serious than the original Masque Attack: the malicious code is injected into the neagent process and can perform privileged operations, such as monitoring all VPN traffic without the user noticing. We first analyzed this technique at the Jailbreak Security Summit [7] in April 2015. We classify these attacks as Plugin Masque Attacks.
Below we discuss the technical details of, and analyze, these three Masque Attacks.
0x02 Manifest Masque
In order to distribute in-house iOS apps wirelessly with an enterprise provisioning profile, you must create a web page containing a hyperlink that redirects to an XML manifest file stored on an HTTP server. The XML manifest file contains metadata for the in-house app, including its bundle identifier, bundle version, and the download link to the .ipa file, as shown below. When installing the in-house iOS app wirelessly, iOS first downloads the manifest file and parses the metadata for the installation process.
```html
<a href="itms-services://?action=download-manifest&url=https://example.com/manifest.plist">Install App</a>
```

```xml
<plist>
  <array>
    <dict>
      ...
      <key>url</key>
      <string>https://XXXXX.com/another_browser.ipa</string>
      ...
      <key>bundle-identifier</key>
      <string>com.google.chrome.ios</string>
      ...
      <key>bundle-version</key>
      <string>1000.0</string>
    </dict>
    <dict>
      ... Entries For Another App
    </dict>
  </array>
</plist>
```
According to Apple's documentation [1], the bundle-identifier field should be "your app's bundle identifier, exactly as specified in your Xcode project." However, we found that iOS did not verify the consistency between the bundle identifier in the web XML manifest file and the bundle identifier inside the app. If the XML manifest file on the web page has the same bundle identifier as a genuine app already on the device, and the bundle-version in the manifest file is higher than the version of the genuine app, the genuine app is uninstalled and replaced by a dummy placeholder, while the in-house app continues to install using its own built-in bundle identifier. The dummy placeholder disappears when the victim reboots the device. Also, as shown in the code above, a manifest file can contain metadata entries for several different apps to distribute them at the same time, which means the vulnerability can uninstall multiple apps with a single click by the victim.
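The missing check described above, as an added example that is not part of the original post: it parses a wireless-install manifest and compares each item's bundle-identifier and bundle-version against the Info.plist inside the referenced .ipa, the way an MDM or distribution gateway could before publishing a manifest. The manifest is written in Apple's full items/assets/metadata layout (the excerpt above abbreviates it); the .ipa, the attacker bundle id and the fetch stub are constructed here.

```python
import io
import plistlib
import zipfile

def build_ipa(bundle_id, version):
    # Constructed stand-in for an .ipa: a zip holding Payload/<App>.app/Info.plist
    info = {"CFBundleIdentifier": bundle_id, "CFBundleShortVersionString": version}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Another.app/Info.plist", plistlib.dumps(info))
    return buf.getvalue()

def ipa_info(ipa):
    # Read the main app's Info.plist (Payload/*.app/Info.plist) out of an .ipa
    with zipfile.ZipFile(io.BytesIO(ipa)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and name.count("/") == 2 and name.endswith(".app/Info.plist"):
                return plistlib.loads(zf.read(name))
    raise ValueError("no Payload/*.app/Info.plist in ipa")

def check_manifest(manifest, fetch):
    # One finding per manifest item whose bundle-identifier or bundle-version
    # disagrees with the .ipa it links to; fetch(url) -> bytes is caller-supplied.
    findings = []
    for item in plistlib.loads(manifest)["items"]:
        meta = item["metadata"]
        url = next(a["url"] for a in item["assets"] if a["kind"] == "software-package")
        info = ipa_info(fetch(url))
        if meta["bundle-identifier"] != info["CFBundleIdentifier"]:
            findings.append(f"{url}: manifest says {meta['bundle-identifier']}, ipa is {info['CFBundleIdentifier']}")
        if meta["bundle-version"] != info["CFBundleShortVersionString"]:
            findings.append(f"{url}: manifest says version {meta['bundle-version']}, ipa is {info['CFBundleShortVersionString']}")
    return findings

def make_manifest(bundle_id, version, url):
    # Constructed manifest in Apple's items/assets/metadata layout
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "title": "Another Browser"}}]})

# Constructed sample: the .ipa really is com.attacker.browser 1.0 (placeholder id)
ATTACKER_IPA = build_ipa("com.attacker.browser", "1.0")

def demo(claimed_id="com.google.chrome.ios", claimed_version="1000.0"):
    # Default arguments reproduce the Manifest Masque trick: Chrome's id, very high version
    manifest = make_manifest(claimed_id, claimed_version, "https://XXXXX.com/another_browser.ipa")
    return check_manifest(manifest, lambda _url: ATTACKER_IPA)
```

`demo()` returns two findings (mismatched identifier and version); `demo("com.attacker.browser", "1.0")` returns none.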
By exploiting this vulnerability, an app developer can uninstall other apps (such as a competitor's) while installing his own. In this way, attackers can carry out DoS or phishing attacks on iOS.
Figure 1. Phishing by installing "Malicious Chrome" and uninstalling the original Chrome
Figure 1 shows an example of a phishing attack. When a user clicks a URL inside the Gmail app, the URL is rewritten with the "googlechrome-x-callback://" scheme, which is then handled by Chrome on the device. However, an attacker can exploit the Manifest Masque vulnerability to uninstall the original Chrome and install a malicious Chrome that registers the same scheme. Unlike the original Masque Attack, which requires the same bundle identifier to replace an original app, the malicious Chrome in this phishing attack uses a different bundle identifier, bypassing the installer's bundle-identifier check. Then, when the victim clicks a URL inside Gmail, the malicious Chrome takes over, rewrites the URL scheme, and can carry out more sophisticated attacks.
Even worse, an attacker could exploit this vulnerability to destroy all system apps (Apple Watch, Apple Pay UIService, App Store, Safari, Health, InCallService, Settings, etc.). Once destroyed, these system apps can no longer be used by the victim, even after the device is restarted.
Here we demonstrate a DoS attack on iOS 8.3 that destroys all system apps as well as an App Store app (Gmail) when the victim installs an in-house app over the air with a single click.
Demo: iOS Manifest Masque Attack – YouTube. Link: www.youtube.com/embed/tR9U1…
0x03 Extension Masque
Apple introduced app extensions [2] in iOS 8. Different types of extensions give developers a variety of new ways to extend app functionality on iOS 8. For example, apps can appear as widgets in the Today view, add new buttons to the Action sheet, provide photo filters for the iOS Photos app, or offer a new system-wide keyboard [3]. In addition, the Watch extension [4] on the iPhone holds the logic for all watch apps on iOS 8.2/8.3. An extension can execute code, and is restricted to accessing data in its own data container. Extensions are distributed as part of an iOS app, which attackers can exploit as a potential attack vector.
We independently discovered that an extension inside an iOS app can not only gain full access to another app's data container, but can also prevent that app from accessing its own data container, as long as the extension and the target app use the same bundle identifier. An attacker can lure a victim into installing an in-house app from a web page using an enterprise provisioning profile, and thereby get the malicious extension onto the victim's device.
The impact of such an attack depends on the order in which the malicious extension and the target app are installed. Note that an extension cannot be installed on its own; it must be distributed as part of an app. So in the following, when we say we install an extension, we mean installing an app that contains the extension.
- If the malicious extension is installed before the target app, the malware can break the data container isolation and gain access to the target app's data container without the user noticing, and the target app continues to work normally.
- If the malicious extension is installed after the target app, the target app can no longer access its own data container. As a result, the functionality of the target app can be severely disrupted, at worst crashing it (a denial-of-service attack). In this situation, if the victim tries to reinstall the target app, the target app is restored, but the same situation will recur.
Here is a demo of an attack that breaks the data container. In this demo, a malicious extension obtains all the data in Gmail's data container and uploads it to the attacker's server.
Demo: iOS Extension Masque Attack – YouTube. Link: www.youtube.com/embed/rmIp2…
0x04 Plugin Masque
Unlike iOS extensions, VPN plug-ins are a different kind of bundle packaged inside an .ipa file. Whereas an extension can be embedded in any iOS 8 app without any entitlement, a VPN app and its VPN plug-in must be granted the "com.apple.networking.vpn.configuration" entitlement to provide VPN service to the system. So far only a handful of iOS developers have been able to release such VPN clients on iOS (Cisco AnyConnect [9], Junos Pulse [10], OpenVPN, etc.). After installation, the VPN plug-in is loaded by a privileged system process (neagent [8]) without any user interface.
Figure 2 shows the directory structure of the Junos Pulse .ipa file. The VPN plug-in (sslVpnjuniper.vpnPlugin) sits in the Payload directory, and together with the app (Junos Pulse) provides the interface for users to authenticate to the VPN.
Figure 2. Directory structure of the Junos Pulse app
We found that if an in-house app embeds a malicious VPN plug-in with the same bundle identifier as a legitimate VPN plug-in on the victim's iOS device, the malicious VPN plug-in is installed successfully and replaces the legitimate one, without needing any special entitlement (such as "com.apple.networking.vpn.configuration"). Then, when the victim launches the normal VPN app to use the VPN service, the untrusted code in the malicious VPN plug-in is loaded by the neagent process and can perform privileged operations, such as hijacking or monitoring VPN traffic. Injecting code into the neagent process to escape the sandbox was also a key exploit used in the Pangu 8 [8,12] jailbreak tool. By combining the VPN plug-in vulnerability with another kernel exploit, any device running iOS 8.1.2 or earlier could be jailbroken over the air. This vulnerability is related to CVE-2014-4493 and was fixed in iOS 8.1.3. We first analyzed this vulnerability at the Jailbreak Security Summit [7] in April 2015.
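The common thread of the Extension Masque and Plugin Masque sections above is an embedded bundle (an .appex or a .vpnplugin) that reuses a bundle identifier already present on the device. The following added example, not code from the original post, inventories every bundle inside an .ipa and flags identifiers that collide with an installed-bundle inventory, the pre-installation check a gateway or MDM could run. The .ipa, the inventory and all identifiers are constructed placeholders, not real products' ids.

```python
import io
import plistlib
import zipfile

# Bundle directory suffixes whose Info.plist we inspect: the app itself, app
# extensions (Extension Masque) and VPN plug-ins (Plugin Masque).
BUNDLE_SUFFIXES = (".app", ".appex", ".vpnplugin")

def build_ipa(bundles):
    # Constructed .ipa: {path_inside_Payload: CFBundleIdentifier}, each with an Info.plist
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, bundle_id in bundles.items():
            zf.writestr(f"Payload/{path}/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
    return buf.getvalue()

def embedded_bundles(ipa):
    # Map every bundle directory inside the .ipa to its CFBundleIdentifier
    found = {}
    with zipfile.ZipFile(io.BytesIO(ipa)) as zf:
        for name in zf.namelist():
            if not name.endswith("/Info.plist"):
                continue
            bundle_dir = name[:-len("/Info.plist")]
            if bundle_dir.endswith(BUNDLE_SUFFIXES):
                found[bundle_dir] = plistlib.loads(zf.read(name))["CFBundleIdentifier"]
    return found

def masque_collisions(ipa, installed):
    # installed: {CFBundleIdentifier: description} of bundles already on the device.
    # Any bundle in the .ipa reusing an installed id is how an extension hijacks a data
    # container or a VPN plug-in gets replaced; returns (bundle_dir, id, what it collides with).
    hits = []
    for bundle_dir, bundle_id in embedded_bundles(ipa).items():
        if bundle_id in installed:
            hits.append((bundle_dir, bundle_id, installed[bundle_id]))
    return sorted(hits)

INSTALLED = {  # constructed inventory; placeholder ids
    "com.example.mail": "App Store mail app",
    "com.example.vpn": "App Store VPN app",
    "com.example.vpn.plugin": "VPN plug-in loaded by neagent",
}
MALICIOUS_IPA = build_ipa({  # constructed in-house app
    "Evil.app": "com.attacker.evil",                      # its own, unremarkable id
    "Evil.app/PlugIns/Share.appex": "com.example.mail",   # Extension Masque: reuses the mail app id
    "Evil.app/Evil.vpnplugin": "com.example.vpn.plugin",  # Plugin Masque: reuses the VPN plug-in id
})

def demo():
    return masque_collisions(MALICIOUS_IPA, INSTALLED)
```

`demo()` reports the .vpnplugin and the .appex collisions while the main app's own identifier passes; an .ipa whose bundles all carry fresh identifiers yields an empty list.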
Here is a demo of an untrusted code execution attack. In this demo, an in-house app containing a malicious VPN plug-in is installed on the victim's device. After the user authenticates to the VPN using the original Junos Pulse app, the PoC code in the malicious VPN plug-in is loaded and executed by the neagent process.
```c
#include <syslog.h>   /* syslog(), LOG_ERR */
#include <unistd.h>   /* sleep() */
/* Once loaded by neagent, the PoC only logs to prove execution; it never returns */
while (1) {
    syslog(LOG_ERR, "[+] ========= ****** PoC DYLIB LOADED ****** ==========");
    sleep(3);
}
```
PoC code of the malicious VPN plug-in
Note that this attack succeeds without the user having to click or trust the in-house app. Even if the user force-uninstalls the VPN app, it is reinstalled after a restart, so the user cannot easily remove it. Even if the user tries to shut the phone down by holding the power button, the neagent process running the attacker's code keeps running in the background and prevents the device from actually restarting: the screen goes completely black and it looks as if the device is rebooting, while the neagent process with the attacker's code continues running in the background.
Demo: Plugin Masque Attack – YouTube. Link: www.youtube.com/embed/alfkk…
0x05 The iOS Update Gap in Enterprise Networks
iOS 8.1.3 was released in January 2015 (fixing or partially fixing App Masque, URL Masque, and Plugin Masque), and iOS users are known to adopt new versions quickly. However, our recent monitoring of iOS web traffic on several large networks showed a surprising result. As Figure 3 shows, nearly one-third of the iOS traffic we monitor still comes from devices below version 8.1.3, even five months after the release. Based on this data, these devices remain vulnerable to all of these Masque Attacks, including App Masque, URL Masque, and Plugin Masque. We urge everyone, especially enterprise users, to update iOS fully.
Figure 3. Proportion of iOS versions in network traffic monitored by FireEye
0x06 Conclusion
To summarize, although Apple fixed or partially fixed the original Masque Attack vulnerabilities in iOS 8.1.3 [6,11], other kinds of attacks still exploit weaknesses in the iOS installation process. In this article we have reviewed three variants of the Masque Attack to help users understand the risks and better protect themselves. We also recommend that all iOS users keep their devices up to date.
References:
[1] https://manuals.info.apple.com/MANUALS/1000/MA1685/en_US/ios_deployment_reference.pdf
[2] https://developer.apple.com/app-extensions/
[3] https://developer.apple.com/library/prerelease/ios/documentation/General/Conceptual/ExtensibilityPG/NotificationCenter.html
[4] https://developer.apple.com/library/ios/documentation/General/Conceptual/WatchKitProgrammingGuide/DesigningaWatchKitApp.html
[5] https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view
[6] https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
[7] http://thecyberwire.com/events/docs/nsmail.pdf
[8] https://cansecwest.com/slides/2015/CanSecWest2015_Final.pdf
[9] https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8
[10] https://itunes.apple.com/us/app/junos-pulse/id381348546?mt=8
[11] https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
[12] http://en.pangu.io/