
Google Researchers Detail Critical iMessage Vulnerability

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. 

Tracked as CVE-2019-8641, the vulnerability is rated Critical with a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.

In September 2019, Apple announced that the release of iOS 12.4.2 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation addressed this vulnerability: “An out-of-bounds read was addressed with improved input validation.”

The vulnerability, which was also addressed in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4, could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution. 

According to Project Zero’s security researchers, Apple actually started pushing patches for it in August 2019, with the release of iOS 12.4.1, which included hardening to prevent the remote exploitation of the bug. 

Groß has now provided further details on the vulnerability, explaining that exploitation could allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes. 

The attacker would then be able to exfiltrate files, passwords, authentication codes, emails, SMS and other messages, and other data. Moreover, they could spy on the user using the device’s microphone and camera, all without user interaction or visual indicator.

By exploiting CVE-2019-8641, the attack bypasses ASLR, then executes code on the device outside of the sandbox, Groß explains. Proof-of-concept (PoC) code targeting the iPhone XS on iOS 12.4 was published on the Project Zero issue 1917 discussion board.

To prevent abuse, the PoC deliberately alerts the victim to the ongoing attack and does not achieve native code execution, but skilled attackers would likely have no difficulty tailoring it to their needs (and, the researcher says, likely already have the capability to target the flaw). 

iMessages, Groß explains, pass through multiple services and frameworks before the user is notified and the messages are written to the database. The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be reached both sandboxed (in imagent) and unsandboxed (in SpringBoard). 

CVE-2019-8641 resides in the NSKeyedUnarchiver component and an attacker can trigger it by sending a crafted payload via an iMessage. On the receiver’s device, the data in the ati field is decoded using the NSKeyedUnarchiver API and the flaw is triggered during the unarchiving of an NSSharedKeyDictionary. 

The security researchers discovered that, during unarchiving, cyclic object graphs can be decoded, meaning that an object can be referenced while it is still being unarchived further up the call stack. Because the object is not yet fully initialized when it is referenced, memory corruption occurs during deserialization. 

To address the flaw, Apple first made the vulnerable code unreachable over iMessage (in iOS 12.4.1), but then fully addressed the vulnerability in subsequent updates. As of iOS 13, the decoding of NSKeyedUnarchiver only happens in the sandboxed IMDPersistenceAgent, but not in SpringBoard. 
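The two paragraphs above describe a bug class rather than a single line of code: a keyed-archive decoder that registers an object before its fields are filled in, so that a back-reference from a nested object receives a half-built instance. The following is an added illustration written for this article, not Project Zero's PoC or Apple's code. The archive format, the record layout, the class names KeyedDict and KeySet, the owner back-reference and the sample records are all constructed stand-ins; none of them reflect the real NSKeyedArchiver layout or the actual NSSharedKeyDictionary fields. The hardened mode shows one strict mitigation (refusing any reference to an object whose decode is still on the call stack), which is a design choice for this example and not a claim about how Apple fixed the bug.

```python
"""Toy keyed-archive decoder showing the cyclic-reference hazard.

Constructed example (hypothetical format, not NSKeyedArchiver). Records are
dicts in a list; a field value {"ref": n} points at record n. Record 0 is the
root object.
"""


class DecodeError(Exception):
    """Raised when the hardened decoder rejects an archive."""


class KeyedDict:
    """Stand-in for a dictionary whose value slots are sized from a key set."""
    def __init__(self):
        self.keyset = None
        self.slots = None       # allocated only after the key set is decoded


class KeySet:
    """Stand-in for a shared key set with an optional back-reference to its owner."""
    def __init__(self):
        self.keys = None
        self.owner = None


class Decoder:
    def __init__(self, records, hardened):
        self.records = records
        self.hardened = hardened
        self.decoded = {}        # record index -> object already created
        self.in_progress = set() # indices whose decode has not finished yet

    def resolve(self, ref):
        idx = ref["ref"]
        if idx in self.decoded:
            # A reference to an object still being decoded higher up the call
            # stack is the cyclic case; the hardened decoder refuses it.
            if self.hardened and idx in self.in_progress:
                raise DecodeError(f"cyclic reference to object {idx}")
            return self.decoded[idx]
        return self._decode(idx)

    def _decode(self, idx):
        rec = self.records[idx]
        cls = {"KeyedDict": KeyedDict, "KeySet": KeySet}.get(rec["cls"])
        if cls is None:
            raise DecodeError(f"unknown class {rec['cls']!r}")
        obj = cls()
        self.decoded[idx] = obj  # registered before any field is initialized
        self.in_progress.add(idx)
        if cls is KeySet:
            obj.keys = list(rec["keys"])
            if rec.get("owner") is not None:
                obj.owner = self.resolve(rec["owner"])
                # The key set checks that its owner has room for every key. If
                # the owner is the half-built object further up the stack,
                # owner.slots is still None. The TypeError raised here is the
                # Python stand-in for the out-of-bounds read a native
                # implementation would perform on uninitialized state.
                if len(obj.owner.slots) < len(obj.keys):
                    raise DecodeError("owner too small for key set")
        else:
            obj.keyset = self.resolve(rec["keyset"])
            obj.slots = [None] * len(obj.keyset.keys)
        self.in_progress.discard(idx)
        return obj

    def decode_root(self):
        return self.resolve({"ref": 0})


def decode_archive(records, hardened=True):
    return Decoder(records, hardened).decode_root()


# Constructed sample archives (not real iMessage payloads).
WELL_FORMED = [
    {"cls": "KeyedDict", "keyset": {"ref": 1}},
    {"cls": "KeySet", "keys": ["a", "b"], "owner": None},
]
CYCLIC = [
    {"cls": "KeyedDict", "keyset": {"ref": 1}},
    {"cls": "KeySet", "keys": ["a", "b"], "owner": {"ref": 0}},  # back-edge to the root
]


def outcome(records, hardened):
    """Label how the decoder handled an archive, for comparison in both modes."""
    try:
        decode_archive(records, hardened)
        return "ok"
    except DecodeError:
        return "rejected"
    except TypeError:
        return "used half-initialized object"


if __name__ == "__main__":
    for name, recs in (("well-formed", WELL_FORMED), ("cyclic", CYCLIC)):
        for hardened in (False, True):
            print(f"{name:11} hardened={hardened!s:5} -> {outcome(recs, hardened)}")
```

Running the block shows the naive decoder accepting the well-formed archive and tripping over the half-initialized root on the cyclic one, while the hardened decoder accepts the first and rejects the second before any field of the in-progress object is read. The check costs one set membership test per reference; the second layer of defense the article mentions, running the decoder only in a sandboxed process, limits the blast radius if a cycle-handling bug slips through anyway.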

In a talk at SecurityWeek’s 2019 CISO Forum, presented by Intel, Silvanovich discussed Project Zero’s research into iMessage and its research methodology, along with what can be learned from vulnerabilities in commonly used software.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.