SecurityWeek
Google Researchers Detail Critical iMessage Vulnerability

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. 


Tracked as CVE-2019-8641, the vulnerability is rated Critical with a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.

In September 2019, Apple announced that the release of iOS 12.4.2 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation addressed this vulnerability: “An out-of-bounds read was addressed with improved input validation.”

The vulnerability, which was also addressed in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4, could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution. 

According to Project Zero’s security researchers, Apple actually started pushing patches for it in August 2019, with the release of iOS 12.4.1, which included hardening to prevent the remote exploitation of the bug. 

Groß has now provided further details on the vulnerability, explaining that exploitation could allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes. 

The attacker would then be able to exfiltrate files, passwords, authentication codes, emails, SMS and other messages, and other data. Moreover, they could spy on the user using the device’s microphone and camera, all without user interaction or visual indicator.

By exploiting CVE-2019-8641, the attack bypasses ASLR, then executes code on the device outside of the sandbox, Groß explains. Proof-of-concept (PoC) code targeting the iPhone XS on iOS 12.4 was published on the Project Zero issue 1917 discussion board.


To prevent abuse, the PoC deliberately alerts the victim of the ongoing attack and does not achieve native code execution, but skilled attackers will likely have no difficulties tailoring it to their needs (likely, they already have the capacity to target the flaw, the researcher says). 

iMessages, Groß explains, pass through multiple services and frameworks before the user is notified and the messages are written to the database. The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be triggered both sandboxed (imagent) and unsandboxed (SpringBoard). 

CVE-2019-8641 resides in the NSKeyedUnarchiver component and an attacker can trigger it by sending a crafted payload via an iMessage. On the receiver’s device, the data in the ati field is decoded using the NSKeyedUnarchiver API and the flaw is triggered during the unarchiving of an NSSharedKeyDictionary. 

The security researchers discovered that, during unarchiving, cyclic object graphs can be decoded, meaning that an object can be referenced while it is still being unarchived further up the call stack. Because the object is not yet fully initialized when that reference is handed out, memory corruption occurs during deserialization. 
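The decoding pattern described above, as an added illustration that is not Project Zero's or Apple's code: a deliberately simplified keyed unarchiver in Python. Its archive layout (a "$top" entry and a "$objects" table addressed by UID) loosely follows NSKeyedArchiver's, but the UID, Node, Unarchiver and CycleError names and the two archives are constructed for this example. The decoder registers each object in its reference table before decoding that object's children, so a crafted back-reference receives the parent while its initializer is still on the call stack; in a memory-safe language this shows up as an object with `initialized == False`, whereas in the native code the article describes it is what leads to memory corruption. The strict variant refuses such an archive outright, which is the mitigation a defender would want.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


class UID:
    """Reference into the archive's "$objects" table (constructed stand-in for a plist UID)."""

    def __init__(self, index: int) -> None:
        self.index = index


@dataclass
class Node:
    """A decoded object. `initialized` flips to True only when its initializer returns."""
    name: str
    children: List["Node"] = field(default_factory=list)
    initialized: bool = False


class CycleError(ValueError):
    """Raised in strict mode when an archive references an object still being decoded."""


class Unarchiver:
    """Minimal keyed unarchiver: objects live in a table and point at each other by UID."""

    def __init__(self, archive: Dict[str, Any], strict: bool = True) -> None:
        self.objects: List[Dict[str, Any]] = archive["$objects"]
        self.root_ref: UID = archive["$top"]["root"]
        self.strict = strict
        self.cache: Dict[int, Node] = {}           # objects already handed out, keyed by table index
        self.warnings: List[Tuple[int, str]] = []  # (index referenced early, name of the referrer)

    def decode_root(self) -> Node:
        return self.decode(self.root_ref, referrer="$top")

    def decode(self, ref: UID, referrer: str) -> Node:
        idx = ref.index
        if idx in self.cache:
            obj = self.cache[idx]
            if not obj.initialized:
                # Back-reference to an object whose initializer is still on the call stack.
                if self.strict:
                    raise CycleError(f"object {idx} referenced by {referrer!r} before initialization")
                self.warnings.append((idx, referrer))
            return obj
        if idx >= len(self.objects):
            raise ValueError(f"dangling reference to object {idx}")
        raw = self.objects[idx]
        obj = Node(name=raw["name"])
        # Registered before its children are decoded: this is the pattern that lets a
        # crafted archive obtain the object while it is only partially initialized.
        self.cache[idx] = obj
        obj.children = [self.decode(child, referrer=obj.name) for child in raw["children"]]
        obj.initialized = True
        return obj


# Constructed archives. The second one contains a back-reference from object 1 to object 0.
ARCHIVE_ACYCLIC = {
    "$top": {"root": UID(0)},
    "$objects": [
        {"$class": "Node", "name": "parent", "children": [UID(1)]},
        {"$class": "Node", "name": "leaf", "children": []},
    ],
}
ARCHIVE_CYCLIC = {
    "$top": {"root": UID(0)},
    "$objects": [
        {"$class": "Node", "name": "parent", "children": [UID(1)]},
        {"$class": "Node", "name": "child", "children": [UID(0)]},
    ],
}


def decode_lenient(archive: Dict[str, Any]) -> Tuple[Node, List[Tuple[int, str]]]:
    """Decode the way a permissive unarchiver would and report every early reference."""
    u = Unarchiver(archive, strict=False)
    return u.decode_root(), u.warnings


def decode_strict(archive: Dict[str, Any]) -> Node:
    """Decode, refusing any archive that would hand out a not-yet-initialized object."""
    return Unarchiver(archive, strict=True).decode_root()


if __name__ == "__main__":
    root, warns = decode_lenient(ARCHIVE_CYCLIC)
    print("lenient: child points back at root ->", root.children[0].children[0] is root)
    print("lenient: objects referenced before initialization ->", warns)
    try:
        decode_strict(ARCHIVE_CYCLIC)
    except CycleError as e:
        print("strict:", e)
```

Run as a script it decodes the cyclic archive both ways: the lenient path returns a graph in which the child holds the parent and records that object 0 was referenced by "child" early, while the strict path raises CycleError. The same check (refuse to return from the object table anything whose initialization has not completed) is the generic fix for this class of deserialization bug, independent of the archive format.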

To address the flaw, Apple first made the vulnerable code unreachable over iMessage (in iOS 12.4.1), but then fully addressed the vulnerability in subsequent updates. As of iOS 13, the decoding of NSKeyedUnarchiver only happens in the sandboxed IMDPersistenceAgent, but not in SpringBoard. 

In a talk at SecurityWeek's 2019 CISO Forum, presented by Intel, Silvanovich discussed Project Zero's research into iMessage and its research methodology, along with what there is to learn from vulnerabilities in commonly used software.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
