0day.today - Biggest Exploit Database in the World.
iOS 10.1.x Remote memory corruption through certificate file Vulnerability
Credit: Maksymilian Arciemowicz from https://cxsecurity.com
--------------------------------------------------------------------------------------
0. Short description

A specially crafted certificate file may lead to memory corruption in several processes; the attack vector may be Mobile Safari or the Mail app. The attacker can control the overflow through the length of the certificate's OCSP field.
--------------------------------------------------------------------------------------
1. Possible vectors of attack

- Apple Mail (double click on the certificate)
- Mobile Safari (open a specially crafted link, e.g. https://cert.cx/appleios10/700k.php, which redirects to a CRT file)
- other, unspecified
--------------------------------------------------------------------------------------
2. Symptoms of memory overflow

With an appropriate certificate length, an attacker can trigger a crash of:
- profiled
- Preferences
- other unexpected behaviour
--------------------------------------------------------------------------------------
3. Crash log:

- profiled
---------------------------------------------------------------
{"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"}
Incident Identifier: XXXXXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXXXXX
Hardware Model: iPhone6,2
Process: profiled [1595]
Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
Identifier: profiled
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: <none> [253]
Date/Time: 2016-09-20 09:15:09.7892 +0200
Launch Time: 2016-09-20 09:15:01.1603 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 2
---------------------------------------------------------------
- Preferences
---------------------------------------------------------------
{"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"}
Incident Identifier: XXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXX
Hardware Model: iPhone6,2
Process: Preferences [1517]
Path: /Applications/Preferences.app/Preferences
Identifier: com.apple.Preferences
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.Preferences [754]
Date/Time: 2016-09-20 01:11:43.4478 +0200
Launch Time: 2016-09-20 01:10:54.3002 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0
---------------------------------------------------------------
Logs:
==============================
Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11
Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError: Desc : Couldn’t communicate with a helper application. Sugg : Try your operation again. If that fails, quit and relaunch the application and try again. Domain : NSCocoaErrorDomain Code : 4097 Extra info: { NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled"; }
Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting...
==============================
--------------------------------------------------------------------------------------
4. PoC

https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php

or https://cert.cx/appleios10/expl.html; just open this link in Safari.
--------------------------------------------------------------------------------------
5. Safari and sandbox

How is it possible that Safari does not ask the user before launching the 'Preferences' app to start the certificate import process? Safari automatically starts a new process without asking the user to accept the operation, which can be exploited through an HTTP redirect to untrusted content.

# 0day.today [2024-05-20] #
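As an added example (not part of the advisory or of any Apple code), a pure-Python triage check a mail gateway or a download scanner could run on a .crt file before handing it to a system parser: it walks the DER, locates the Authority Information Access extension and reports the length of each OCSP accessLocation, the field the advisory says controls the overflow. The 4096-byte limit, the `der` builder and the skeletal sample certificate are constructed for this example and are not real certificate data.

```python
AIA_OID = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1  id-pe-authorityInfoAccess
OCSP_OID = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
MAX_OCSP_URI = 4096  # assumed policy limit; genuine OCSP URLs are a few dozen bytes

def walk(buf, start=0, end=None):
    """Yield (tag, value) for each DER element in preorder, descending into constructed ones."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: 0x8N followed by N length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated or malformed DER element")
        yield tag, buf[pos:pos + length]
        if tag & 0x20:                      # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from walk(buf, pos, pos + length)
        pos += length

def ocsp_location_lengths(cert_der):
    """Byte length of every OCSP accessLocation in the certificate's AIA extension."""
    items, lengths = list(walk(cert_der)), []
    for i, (tag, val) in enumerate(items):
        if tag == 0x06 and val == AIA_OID:
            # extnValue OCTET STRING follows extnID, possibly after an optional critical BOOLEAN
            inner = list(walk(next(v for t, v in items[i + 1:i + 3] if t == 0x04)))
            for j, (t, v) in enumerate(inner):
                if t == 0x06 and v == OCSP_OID:
                    lengths.append(len(inner[j + 1][1]))  # accessLocation, [6] IA5String URI
    return lengths

def suspicious(cert_der, limit=MAX_OCSP_URI):
    """True when an OCSP accessLocation exceeds the limit: quarantine before any system parser sees it."""
    return any(n > limit for n in ocsp_location_lengths(cert_der))

def der(tag, content):
    """Encode one DER TLV (definite length, long form when needed); used only to build test input."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def sample_cert(uri):
    """Constructed skeletal certificate carrying only an AIA extension (not a real, signed cert)."""
    access = der(0x30, der(0x06, OCSP_OID) + der(0x86, uri))        # AccessDescription
    ext = der(0x30, der(0x06, AIA_OID) + der(0x04, der(0x30, access)))
    tbs = der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, ext)))  # serial + [3] extensions
    return der(0x30, tbs)

if __name__ == "__main__":
    for u in (b"http://ocsp.example.test", b"A" * 700_000):
        print(len(u), "bytes ->", "SUSPICIOUS" if suspicious(sample_cert(u)) else "ok")
```

The walker assumes single-byte tags and definite lengths, which is all DER certificates use; a file that violates that raises rather than being passed on.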