Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass

[Vulnerability Lab <research () vulnerability-lab com>]

Document Title:
===============
Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1710

Apple Follow-up ID: 631627909

Video: http://www.vulnerability-lab.com/get_content.php?id=1711

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2016/02/04/apple-ios-v9x-application-update-loop-pass-code-bypass


Release Date:
=============
2016-02-04


Vulnerability Laboratory ID (VL-ID):
====================================
1710


Common Vulnerability Scoring System:
====================================
6


Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 
2007 for the 
iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike 
Microsoft`s Windows 
Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of 
September 12, 2012, 
Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 
billion times. 
It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only 
Google`s Android.

In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). 
At the half of 2012, 
there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 
million devices have been
sold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a pass code lock auth bypass vulnerability in the official 
Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. 


Vulnerability Disclosure Timeline:
==================================
2015-10-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-10-23: Vendor Notification (Apple Product Security Team)
2015-01-22: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Developer Team)
2016-02-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple 
iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. 
The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an 
application update loop issue.
The issue affects the device security when processing to request a local update by an installed mobile ios 
web-application.

The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware configuration with iOS v8.2 - v9.2 when processing 
an update which results in a interface 
loop by the application slides. Local attacker can trick the iOS device into a mode were a runtime issue with unlimited 
loop occurs. This finally results in 
a temporarily deactivate of the pass code lock screen. By loading the loop with remote app interaction we was able to 
stable bypass the auth of an iphone after 
the reactivation via shutdown button. The settings of the device was permanently requesting the pass code lock on 
interaction. Normally the pass code lock is 
being activated during the shutdown button interaction. In case of the loop the request shuts the display down but does 
not activate the pass code lock like 
demonstrated in the attached poc security video. 

In case of exploitation the attack could be performed time-based by a manipulated iOS application or by physical device 
access and interaction with restricted 
system user account. In earlier cases of exploitation these type of loops were able to be used as jailbreak against 
iOS. The vulnerability can be exploited in 
non-jailbroken unlocked apple iphone mobiles.

The security risk of the local pass code bypass issue is estimated as high with a cvss (common vulnerability scoring 
system) count of 6.0. 
Exploitation of the local bug requires pending on the attack scenario local device access or a manipulated app 
installed to the device without user interaction. 
Successful exploitation of the security vulnerability results in unauthorized device access via pass code lock bypass.


Proof of Concept (PoC):
=======================
The new attack case of scenario can be exploited by local attackers with physical bank branch office service access and 
valid local banking card. 
For security demonstration or to reproduce the issue follow the provided information & steps below to continue.

Manual steps to reproduce the vulnerability ...
1. First fill up about some % of the free memory in the iOS device with random data
2. Now, you open the app-store choose to update all applications (update all push button)
3. Switch fast via home button to the slide index and perform iOS update at the same time
Note: The interaction to switch needs to be performed very fast to successfully exploit. In
the first load of the update you can still use the home button. Press it go back to index
4. Now, press the home button again to review the open runnings slides
5. Switch to the left menu after the last slide which is new and perform to open siri in the same
moment. Now the slide hangs and runs all time in a loop
6. Turn of via power button the ipad or iphone ....
7. Reactivate via power button and like you can see the session still runs in the loop and can be
requested without any pass code
Note: Normally the pass code becomes available after the power off button interaction to
stand-by mode
8. Successful reproduce of the local security vulnerability!

Video Demonstration:
In a video we demonstrate how to bypass with a unlimited loop in the interface the pass code lock settings of the iOS 
v9 iPad2. The issue is not 
limited to the device and can be exploited with iPhone as well. The power button on top activates with the stand-by 
mode the pass code lock for 
the iOS device. In case of the loop we tricked the device into a mode were we was able to bypass the pass code.

URL: https://www.youtube.com/watch?v=V-9lE1L3nq0


Solution - Fix & Patch:
=======================
The loop issue needs to be patched in the main interface by the dev team. The issue can be prevented by a locate of the 
stack with a restriction.


Security Risk:
==============
The security risk of the local iOS loop that results in a pass code bypass vulnerability is estimated as high. (CVSS 
6.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research () vulnerability-lab com) 
[www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt