
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free

Author: Google Security Research
Platform: ios
Release date: 2019-05-23

Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visual Voicemail is configured over SMS, and carriers inform devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server.

SMS messages are determined to be VVM-related based on their PID field as well as their contents. Both of these fields can be set by a device sending SMS messages, so any device can send a message that causes Visual Voicemail to query an IMAP server specified in the message. This means that an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way.

There is an object lifetime issue in the iPhone IMAP client that can be accessed in this way. It happens when a NAMESPACE command response contains a namespace that cannot be parsed correctly. It leads to the mailbox separator being freed, but not replaced with a valid object. This leads to a selector being called on an object that is not valid.

To reproduce this issue:

1) Run testcrash.py on a remotely accessible server. To run on port 993, this will need to be on a server that has a domain name, and a certificate that verifies correctly. Replace the "YOUR KEY HERE" fields in testcrash.py with the location of the cert files. On some carriers, it is possible to use port 143 without SSL instead.

2) Send the attached SMS messages to the device, first statepdu.txt and then mboxupdatepdu.txt. Replace the destination number and server location in the messages with the location of your target device and server before sending.

3) The device will connect to the server and then crash.

Note that this attack depends somewhat on the carrier the device is on. I tested this issue on an AT&T SIM. I was not able to reproduce this issue on a T-Mobile SIM, because their network does not allow VVM connections to outside servers. It might be possible to bypass this by hosting the server on a peer device on the network, but I didn't try this. The PID used for VVM SMS messages also varies based on carrier.

I've attached a crash log for this issue. I've also attached decoded.txt, which describes the contents of the SMS PDUs, and NAMESPACE.zip, which is a non-minimized PoC that leads to a wider variety of crashes.

When retrieving a message, the VVM client calls [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] to get the server separator and namespace prefix. This method first retrieves the server separator by calling [MFIMAPConnection separatorChar], which sends the LIST command to the server and returns the separator. The method also stores the separator as a member of the connection object, and that member is the separator's sole reference. [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] then calls [MFIMAPConnection serverPathPrefix] to get the prefix, which in turn calls [MFIMAPConnection _doNamespaceCommand] to perform the NAMESPACE command over the network. If this command fails for any reason (for example, a malformed response, a LOGOUT command, etc.), it calls [MFIMAPConnection disconnectAndNotifyDelegate:], which removes the separator from the connection object and so drops its only reference. The rest of [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] then uses a separator object that has already been freed.

This issue was resolved by adding a lock to [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  and [MFIMAPConnection disconnectAndNotifyDelegate:] so that they cannot run at the same time for the same connection.
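An added C model of the call sequence described above; this is illustrative code, not MobileMail's, and every name in it is invented. It models a reference-counted separator whose only reference lives on the connection object and is dropped by the disconnect path while the update routine is still using it. The hardened variant holds its own reference for the duration of the method, which is a different guard from the lock the advisory says was added; the model marks released objects dead instead of freeing them so the stale use can be observed rather than becoming undefined behaviour.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model (not MobileMail code): release never frees memory, it
 * marks the object dead so a later use is detectable in a plain test. */
typedef struct { int refs; int dead; char ch; } Separator;
typedef struct { Separator *separator; int namespace_ok; } Connection;

static void sep_retain(Separator *s) { s->refs++; }
static void sep_release(Separator *s) { if (--s->refs == 0) s->dead = 1; }

/* Models separatorChar: the LIST reply is stored on the connection, and that
 * stored pointer is the separator's only reference. */
static Separator *separator_char(Connection *c) {
    if (!c->separator) {
        c->separator = calloc(1, sizeof *c->separator);
        c->separator->ch = '/';
        sep_retain(c->separator);
    }
    return c->separator;
}

/* Models disconnectAndNotifyDelegate: drops the connection's reference. */
static void disconnect(Connection *c) {
    if (c->separator) { sep_release(c->separator); c->separator = NULL; }
}

/* Models serverPathPrefix: a failed NAMESPACE command tears the connection down. */
static int server_path_prefix(Connection *c) {
    if (!c->namespace_ok) { disconnect(c); return 0; }
    return 1;
}

/* Vulnerable flow: keeps using the raw pointer after NAMESPACE may have failed.
 * Returns 1 if the separator was already released when it was used. */
static int update_vulnerable(Connection *c) {
    Separator *sep = separator_char(c);
    server_path_prefix(c);
    return sep->dead;
}

/* Hardened flow: own a reference for as long as the pointer is in use. */
static int update_hardened(Connection *c) {
    Separator *sep = separator_char(c);
    sep_retain(sep);
    server_path_prefix(c);
    int used_dead = sep->dead;
    sep_release(sep);
    return used_dead;
}

/* Scenario helpers on a fresh connection; namespace_ok == 0 means NAMESPACE fails. */
static int run_vulnerable(int namespace_ok) { Connection c = { NULL, namespace_ok }; return update_vulnerable(&c); }
static int run_hardened(int namespace_ok) { Connection c = { NULL, namespace_ok }; return update_hardened(&c); }
```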

This issue was fixed on Tuesday, May 14.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46913.zip