Merge pull request #32 from telekom-security/add_missing_ios_posts

add missing ios/apple posts
telekom-security · Jun 26, 2024 · 5bb917e · 5bb917e
2 parents e806cd1 + ad150b3
commit 5bb917e
Show file tree

Hide file tree

Showing 3 changed files with 137 additions and 0 deletions.
diff --git a/_posts/2022-09-12-iox-macos-contacts-priv-pref-bypass.md b/_posts/2022-09-12-iox-macos-contacts-priv-pref-bypass.md
@@ -0,0 +1,53 @@
+---
+title: Apple's iOS & macOS Contacts Vulnerability - Privacy Preferences Bypass
+header: Apple's iOS & macOS Contacts Vulnerability - Privacy Preferences Bypass
+tags: ['advisories']
+cwes: ['Improper Input Validation (CWE-20)']
+affected_product: 'Apple iOS/iPadOS, macOS'
+vulnerability_release_date: '2022-09-12'
+---
+
+A vulnerability has been identified in iOS/iPadOS < 15.7 / < 16.0 and macOS Big Sur < 11.7 that allows an app to bypass Privacy preferences, posing a significant risk. The vulnerability, classified as Improper Input Validation affects the Contacts component. <!--more-->Users are strongly encouraged to update their devices to the latest version to protect their data.
+
+### Details
+
+* **Product:** Apple iOS/iPadOS, macOS
+* **Affected Version:**  iOS/iPadOS < 15.7 / < 16.0, macOS Big Sur < 11.7
+* **Vulnerability Type:** Improper Input Validation (CWE-20)
+* **Risk Level:** Medium
+* **Vendor URL:** https://www.apple.com
+* **Vendor acknowledged vulnerability:** Yes
+* **Vendor Status:** Fixed
+* **CVE:** CVE-2022-32854
+
+The vulnerability exists because the `CNContactPickerViewController` class allows the selection of contacts without prompting the user for access permissions. By exploiting a specific predicate (`predicateForEnablingContact`) with a custom selector, it is possible to inject Objective-C method calls into a internal service component. This can lead to serious breaches, such as a malicious app accessing sensitive data without user consent.
+
+### Exploitation
+
+The vulnerability was demonstrated using two exploits:
+
+1. **Control Program Flow**:
+    - By calling `indexOfObjectPassingTest:` on an NSArray object with an NSData object as a parameter, a type confusion occurs. The NSData object is used as a block, where its content is treated as a function pointer. This exploit can access various data such as Calendar, Contacts, Photos, and Camera.
+
+2. **Send Conditional HTTP Requests**:
+    - By calling `initWithContentsOfURL:` on an NSData object, the app can send HTTP requests. This can extract contact data from a local app using HTTP requests as a feedback mechanism.
+
+### Impact
+
+Exploitation of this vulnerability by an attacker could have serious privacy implications. Accessing Calendar, Contacts, Photos, and Camera data without user consent can lead to data leakage and unauthorized data manipulation.
+
+### References
+
+- [https://support.apple.com/en-us/102838](https://support.apple.com/en-us/102838)
+- [NVD - CVE-2022-32854](https://nvd.nist.gov/vuln/detail/CVE-2022-32854)
+- [https://developer.apple.com/documentation/contactsui/cncontactpickerviewcontroller](https://developer.apple.com/documentation/contactsui/cncontactpickerviewcontroller)
+
+### Timeline
+
+* **Mid 2022:** Vulnerability reported to the vendor.
+* **2022-09-12:** Vendor has fixed the vulnerability.
+* **2024-06-26:** This blog post was published.
+
+### Credits
+
+* Holger Fuhrmannek ([[email protected]](mailto:[email protected]))
diff --git a/_posts/2023-12-21-quicklook-buffer-overflow.md b/_posts/2023-12-21-quicklook-buffer-overflow.md
@@ -0,0 +1,48 @@
+---
+title: Apple's macOS Quick Look Vulnerability - Buffer Overflow
+header: Apple's macOS Quick Look Vulnerability - Buffer Overflow
+tags: ['advisories']
+cwes: ['Buffer Copy without Checking Size of Input (CWE-120)']
+affected_product: 'Apple iOS/iPadOS, macOS and more'
+vulnerability_release_date: '2023-06-23'
+---
+
+A  vulnerability has been identified in Apple's Quick Look feature that affects Apple's macOS. The vulnerability, classified as a classic buffer overflow, was addressed with improved bounds checking. <!--more-->Users are strongly encouraged to update their devices to the latest version to protect their data.
+
+### Details
+
+* **Product:** macOS
+* **Affected Version:** macOS < 12.6.6, macOS < 11.7.7, macOS < 13.4
+* **Vulnerability Type:** Buffer Copy without Checking Size of Input (CWE-120)
+* **Risk Level:** High
+* **Vendor URL:** https://www.apple.com
+* **Vendor acknowledged vulnerability:** Yes
+* **Vendor Status:** Fixed
+* **CVE:** CVE-2023-32401
+
+The vulnerability exists due to improper bounds checking when parsing an office document in Quick Look.
+
+### Exploitation
+
+The vulnerability can be exploited by crafting a malicious office document that triggers the buffer overflow when parsed by the Quick Look component. This could allow an attacker to execute arbitrary code on the affected device, leading to a potential compromise of the system.
+
+### Impact
+
+Exploitation of this vulnerability by an attacker could have serious security implications. Arbitrary code execution could allow the attacker to take control of the affected system, access sensitive information, and perform unauthorized actions.
+
+### References
+
+- [https://support.apple.com/en-us/HT213758](https://support.apple.com/en-us/HT213758)
+- [NVD - CVE-2023-32401](https://nvd.nist.gov/vuln/detail/CVE-2023-32401)
+- [https://developer.apple.com/documentation/quicklook](https://developer.apple.com/documentation/quicklook)
+
+### Timeline
+
+* **2022**:  Vulnerability reported to the vendor.
+* **2023-05-18:** Vendor has fixed the vulnerability.
+* **2023-12-21:** Vendor has reported that the vulnerability has been fixed.
+* **2024-06-26:** This blog post was published.
+
+### Credits
+
+* Holger Fuhrmannek ([[email protected]](mailto:[email protected]))
diff --git a/_posts/2024-03-05-ios-uikit-sandbox-escape.md b/_posts/2024-03-05-ios-uikit-sandbox-escape.md
@@ -0,0 +1,36 @@
+---
+title: Apple's UIKit Vulnerability - Sandbox Escape
+header: Apple's UIKit Vulnerability - Sandbox Escape
+tags: ['advisories']
+cwes: ['Improper Input Validation (CWE-20)']
+affected_product: 'Apple iOS/iPadOS, macOS and more'
+vulnerability_release_date: '2024-03-05'
+---
+
+A vulnerability has been identified in various Apple devices, including iPhones, posing a significant risk. The vulnerability affects the UIKit component. <!--more-->Users are strongly encouraged to update their devices to the latest version to protect their data.
+
+### Details
+
+* **Product:** Various Apple Systems
+* **Affected Version:** iOS/iPadOS < 17.4, iOS/iPadOS < 16.7.6, macOS Sonoma < 14.4, visionOS < 1.1, watchOS < 10.4, tvOS < 17.4
+* **Vulnerability Type:** Improper Input Validation (CWE-20)
+* **Risk Level:** Medium
+* **Vendor URL:** https://www.apple.com
+* **Vendor acknowledged vulnerability:** Yes
+* **Vendor Status:** Fixed
+* **CVE:** CVE-2024-23246
+
+The vulnerability exists because the UIKit component contains code that, if exploited, can allow an application to escape its sandbox.
+
+### Impact
+
+Exploitation of this vulnerability by an attacker could have serious security implications. Breaking out of the sandbox could allow a malicious app to access sensitive data and potentially control other parts of the system, compromising the overall security of the device.
+
+### References
+
+- [https://support.apple.com/en-us/HT214081](https://support.apple.com/en-us/HT214081)
+- [NVD - CVE-2024-23246](https://nvd.nist.gov/vuln/detail/CVE-2024-23246)
+
+### Credits
+
+* Holger Fuhrmannek ([[email protected]](mailto:[email protected]))