Bug in iOS and OSX Allows Writing of Arbitrary Files Via AirDrop
Posted on 09/16/2015 11:30:40 AM PDT by Swordmaker
There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog.
The vulnerability lies in a library in both iOS and OS X, and Mark Dowd, the security researcher who discovered it, said he’s been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.
In fact, an attacker can exploit the vulnerability even if the victim doesn’t agree to accept the file sent over AirDrop.
Dowd, founder and director of Azimuth Security, was able to use the vulnerability, along with some other tactics to bypass the code-signing protections on iOS. To do this, he used his own Apple enterprise certificate to create a profile for his test app that allowed the app to run on any device. Under normal circumstances, when the app is first installed on a new device, the device would throw up a dialog asking the user if she trusts the app. However, Dowd is able to suppress this prompt by installing an enterprise provisioning profile on the device and marking it as trusted.
Dowd reported the vulnerability to Apple, which released a mitigation, but not a full patch, for it in iOS 9, which is due out Wednesday. He said that while the user will see a notification when she receives a malicious package via AirDrop, it doesn’t matter whether she accepts or denies the AirDrop request.
“When you send a package via AirDrop, it comes up with a notification on the target phone asking the user if they want to accept the package. The user has to unlock the phone to accept or decline it. It does NOT matter whether they accept it or not to trigger this bug – the exploit has already happened by the time the notification is sent to the user,” Dowd said via email.
The vulnerability allows the attacker to execute a directory traversal attack, enabling him to write files to any location he chooses on the file system. The vulnerable library is installed by default in both iOS and OS X, and it’s not clear when Apple will have a full patch available for the flaw.
Unlike many other bugs in iOS and OS X, the vulnerability Dowd discovered does not rely on memory corruption in order to work and he said it has been completely reliable in practice.
To prevent this from ever happening, limit AirDrop to only people in your contacts list, or favorites list, or simply turn it off.
Therefore, while it is a vulnerability in both iOS and OS X, it will not be too much of a danger to the vast majority of users. Most users will not have a malicious developer's Certificate of Authenticity installed, not have Airdrop turned on, and also not have Enterprise mode turned on at all.
On iOS, according to the article, if one gets the notification out of the blue about a file needs an OK, the file has already been installed. However, that does not mean it will run or cannot be removed. Consider it a warning that you have been infected. To get rid of it, Sync your data to your computer through iTunes and Photos and then restore iOS and then re-sync. Done.
Another sword through the armor of IOS and OSX.
Thanks to dayglored for the PING!
If you want on or off the Mac Ping List, Freepmail me.
It's not. Read what I wrote in Reply #1, Okie. 99.9% of Mac OS X and iOS users are not at risk.
Nah...in reality more like a dandelion see floating through the air and bouncing off of Apple devices. Of course, in some folks’ fantasies it's an existential threat.
AirDrop works over WIFI or Bluetooth. . . but only over a distance of up to 30 meters. It is STILL limited by the requirements of UNIX™ permissions for installation, contrary to what this article implies about being able to put files anywhere on the target system.
So, 12mil macs and 75mil iphones sold per year. I guess those 87,000 people per year are statistically unimportant?
Your figures are way off by a lot Okie. Apple sells 12 million Macs in six months. And they sold 75 million iPhones in just one quarter of the last four! so you can add another 150 million to those iPhones in just the last year alone. But people don't just throw away Macs and iPhones after a year of use, Okie.
Try 100 million Macs and 1.2 Billion iOS devices in the wild, if which perhaps 800 million iPhones and iPads are vulnerable and 90% of the Macs might be vulnerable to this exploit IF they had AirDrop turned on, and IF they did not limit AirDrop to only trusted friends, and IF they had the malicious attacker's Apple Cert already installed. However, my off the cuff guesstimate of those who might meet those criteria, now that I consider it, was WAY TOO HIGH. . . especially when you add in the Apple Certificate. Now we are close to ZERO. The only way this researcher got HIS exploit to work was he had to install his certificate before it would install. Now we are looking at 99.99999999% of Mac users would NEVER run into this in the wild.
However, yes, they are a statistical non-entity when considering the overall picture since this is a LOCAL area exploit. First the stupid users who have their AirDrop wide open, would have to have set their Macs to BE vulnerable, then they have to have the malicious Cert on their device. . . and then they will, wonder of wonders, be within 30 meters of the very person who is the developer who was issued that certificate. Who happens to send them the attack. RIGHT, sure.
But the number of Macs ever hit by a one of the 67 known Trojans or exploit is always listed as fewer than 100 Macs in the wild.
The two times that Dr. Web, a Russian anti-virus publisher, claimed to have discovered a huge, MacBot constructed out of 640,000 infected Macs, and later a smaller 20,000 infected Macbot, both turned out to be HOAXES intended to sell Doctor Web's new Mac Anti-Virus products, first for its Business Mac A/V and then later for its Home version. Not a single infected Mac was ever found in the wild! Not one. Their claims of these massive MacBots were three day wonders, but as people checked the machines that Doctor Web claimed were "calling home" to the bot server and also being intercepted by their intercept honey pot, it was discovered that the UUID's of the Macs turned up non-infected computers, Computers that did not have the prerequisite Java installed on them which was required to even get infected, and, worse, more than half of the so-called infected Macs had neither been sold OR EVEN MANUFACTURED YET by Apple. What Doctor Web had was merely a list of UUIDs that had been generated that were in the series of UUIDs that were assigned to Apple for use in Macs. Two of the Macs in my office had UUIDs in the Honey Pot, but neither had ever had Java installed and one had never been connected to the Internet. So much for that hoax!
If it was such a hoax, why did Apple release a patch.
You think you have me in a "Gotcha" don't you, PJ. . . but I told you in a previous that you don't know everything and your Googling doesn't get you anywhere. You really do have a tendency to go off half-cocked without really researching anything, don't you. You should ask yourself why no one bothers to mention that sorry episode in history. It would have been the largest computer bot in history. . . if it were true. The average Windows bot rarely gets above 2000 machines before it is closed down. Too bad it is not true. It disappeared off the news cycle in less than two weeks, because it wasn't true. It was a Hoax intended to sell Anti-virus software published by the so-called discoverer and the ONLY reason it got the "legs" it did was because the pundits so-wanted it to be true.
Did you not bother to read what I wrote or the article you found and see how the link article coincided with what I wrote? Obviously not, because I had already COVERED the Dr. Web hoax because I KNEW someone like you would rise to the bait.
That was the one claimed to have been discovered by Doctor Web. . . but not a single one was found in the wild. Not one. And it wasn't from lack of trying and looking.
To get infected by this supposed FlashBack JAVA Trojan, which had been identified and the vulnerability CLOSED by Apple (who pushed out the fix six months earlier), of which 95% of the claimed 640,000 infected Macs were in the United States and the balance were in the UK, both of which are English speaking countries, one had to log into an obscure RUSSIAN LANGUAGE game website in Siberia and download one of several player profiles in RUSSIAN.
To even get infected by the FlashBack Trojan, the target Mac had to have JAVA installed which was required to play the game. Java was NOT A DEFAULT installation on Mac OS X since OS X.4 four years earlier. . . and was no longer even shipped with OS X since then. To get Java required the user to go to Oracle and download and install JAVA.
The game itself had sold under 20,000 copies, all in Russia or Eastern Europe. Yet the claim was that 640,000 Macs were infected by a download only Trojan that could not be spread any other way. . . from a single source website. RIGHT!
So tell me, PJ, how did a RUSSIAN LANGUAGE role playing game with fewer than 20,000 downloads somehow cause ENGLISH language speaking Mac users to contact a Russian Language Website in the Cyrillic alphabet and induce them to download 500,000 (actually 640,000) character definitions useable ONLY in this obscure game, which then infected their Macs (with a Trojan that the OS X system would automatically RECOGNIZE and block from being downloaded, installed or run, requiring an administrator name and password to continue)? Do you begin to see the logical problem???
In addition, PJ, these infections somehow occurred ONLY in English speaking countries where Dr. Web was marketing its new A/V for Business Mac, and NOT A SINGLE INFECTION was reported in Russia or Eastern Europe???? WOW, what a strange coincidence! How is this possible? Do you see the impossibility of this?
Incidentally, the game was a cross-platform game and only 2% of the so-called infections were claimed to have been on Windows, yet of the 20,000 games sold over 18,000 were for WINDOWS! So now we have 90% of the games are on a platform known for malware, yet one that isn't known for it, somehow is downloading all the malware? Yet there are only 2000 accounting for 640,000 supposed infections? Hold the phone!
Read what I wrote above. . . Then the news reports of the number of infected Macs suddenly and rapidly started SHRINKING. . . as no one EVER found an infected Mac in the wild, even with Dr. Web providing a resource for people to check if their Macs were infected by their UUID. The number reported shrank first to 270,000, then 186,000 then 120,000, then under 100,000, then fewer than 40,000 then the news reports completely disappeared out of the news cycle entirely, never to be heard about again. Not even a reference. Whoops, what's with that? Embarrassment, for falling for the hoax, that's what.
Not a single Mac whose ID was on Dr. Web's "Honey Pot intercepted database" EVER turned out to be infected. Not one.
Then it turned out that many of the UUIDs were for Macs that never had Java installed, so those Macs could NOT ever be infected. . . and then that some of the Macs were STILL IN THE BOX, unsold, and without ever having the chance to have Java installed by an end user, or ever being on the Internet, could never ever have connected to the Russian Game site, well, you get the idea. . . and then it was discovered many of the UUIDs belonged to Macs that had never yet even been assembled by Apple!
It became obvious that all Dr. Web had was a list of UUID's of Macs that had been assembled, were yet to be assembled, or had been sold . . . but were NOT ever part of any kind of Macbot. It was a HOAX intended to scare people into buying their AV software.
Two years later, when Dr. Web announced their Personal AV for Mac, they also simultaneously announced the "discovery" of a new 20,000 member Macbot also using a variant of Flashback. It got a couple of headlines and went "PLUNK!" as the punditry took the attitude of "Fool me once, shame on you!. Fool me twice, Shame on me!" and ignored them. Dr. Web's Personal AV also went "PLUNK!" as no member of that Macbot was ever found in the wild either.
Apple released the Trojan definition for FlashBack SIX MONTHS before Dr. Web's hoax. Your linked article is dated April 4, 2012, but Apple closed the Flashback Trojan in early November of 2011. It then added the definition of the Java Flashback Trojan to the malware files and from then on OS X will identify it and warn the user, require an Administrator name and password to all the user to continue downloading it, then do the same to install it, and then again to run it for the first time. It take industrial strength stupid to get one on a Mac system. Such definitions are pushed out daily or as needed on OS X so that EVERY Mac user gets it. When one is added, Apple OS X will also identify any variants in the same family. There are currently 67 known Trojans and variants for OS X in eight known Trojan families.
Apple, because of the numerous vulnerabilities in Java, had already banished Java as an included system in OS X in 2009.
Dr. Web latched onto Flashback's Trojan as a convenient Trojan that was in the public's mind to build their Hoax scare on.
Please provide your source.
PJ, you don't use Macs and I am not going to go into a host of Mac Tech forums and dig out all the posts of the techs who were looking into this and DID NOT FIND ANY INFECTED MACS. Read your own link about WHEN Flashback was discovered. I was one of them working in my cross platform consulting business. . .
Read your own link about WHEN Flashback was discovered. Look for the reports for the shrinking size of the MacBot, and then look for any reports at all as the press lost interest. You will find the listings as the numbers shrank, but no more reports after about three weeks. . . and NONE at all after that. Large installations of Macs found ZERO infections but did have Macs with their UUIDs in the Honey Pot. I had two in my office. Two of my clients had Macs with their UUIDs showing positive, but neither of them had Java installed.
I am not going to go around and around with you again. Again, your purpose is to through brickbats and spit wads for no informational purposes. This was all covered in depth on Freerepublic and i see NO PURPOSE in digging up ancient history from April of 2012 because YOU don't know anything about it. You are a time sink and I am not going to waste any more time on you.
I am done with you.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.