Multiple vulnerabilities in MobileMail/Maild let attacker take control iOS devices

The relatively closed iOS platform has long been known for its security, but strictly speaking there is no absolute security in information security, and even iOS has vulnerabilities.

For example, the security company ZecOps has announced a newly discovered security vulnerability in iOS. The vulnerability exists in every version from iOS 6 up to the latest release, iOS 13.4.1.

After evaluating it, the researchers concluded that the vulnerability is extremely dangerous and urgently contacted Apple to have it fixed.

The vulnerability allows remote code execution: an attacker can remotely infect the target device simply by sending it emails, and the user has no obvious sign of being attacked. The attacker does not need the user to perform any interaction in order to trigger the exploit and infect the device.

The attack works by sending mail that exhausts the memory of the target device, which triggers the vulnerability. There are many ways to exhaust memory, such as mail bombing or malicious code.


Such overflow vulnerabilities are widely exploited, and here the attacker can trigger the bug and even silently infect the target device without the complete email ever being downloaded to it.

The content of the email can be exploited without remaining on the device, so anomalies are difficult to spot, and the attacker may also delete the email automatically by other means.

On the iOS 13.x series, the device can be compromised without any user interaction as long as the system's own Mail application is running in the background.

On the iOS 12.x series, the attacker needs the user to open the malicious email to exploit the vulnerability, but the user will not notice anything abnormal when opening it.

If the attacker is able to control the mail server, even the iOS 12.x series requires no user action; the device can be infected directly by mail.

The vulnerability first appeared in iOS 6.0, released alongside the iPhone 5 in 2012, and it still exists in the latest version, iOS 13.4.1.

According to the researchers, Apple has fixed the vulnerability in the iOS 13.4.5 beta, but this version has not yet been pushed through the official release channel.

Until the update is pushed out, users are advised not to use the Mail application built into iOS. Third-party mail applications such as Outlook and Gmail are not affected.

In addition, Apple has deployed mitigation measures on its back-end servers that should be able to intercept targeted malicious mail, but this is only a temporary solution.

Vulnerabilities that can infect iOS devices without any user interaction usually sell for around 1 million US dollars, and the vulnerability found this time is exactly that kind of non-interactive flaw.

Unfortunately, after a lengthy investigation, the security company found that the vulnerability has been exploited since at least January 2018 and has been used in a fairly extensive campaign.

The hackers' targets include Fortune 500 entrepreneurs in North America, executives from a Japanese airline, VIPs from Germany, security companies in Saudi Arabia and Israel, and European journalists.

In addition, the security company's investigation revealed that an executive of a Swiss company may also have been targeted, but at this stage there is insufficient evidence to determine whether the attack was successful.

Judging from the targets above, the value of this vulnerability far exceeds one million US dollars; it is no exaggeration to say that the value of its use has exceeded 100 million.

After targeted analysis, the security researchers found that the Apple Mail vulnerability is mainly due to a library that lacks the necessary error checking on system-level calls.

The bugs can cause out-of-bounds writes, and there is also a remotely triggerable stack overflow, so this is in fact a combination of two vulnerabilities, both of which are exploited.
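The article gives no code, so the following is an added illustration (not Apple's code and not ZecOps' analysis) of the general bug class it describes: a buffer that is grown with system calls whose return values must be checked, because a failure under memory pressure that goes unchecked would leave the code writing through an invalid pointer, i.e. an out-of-bounds write. The file-backed append buffer, the function names and the temporary file are all assumptions made for the example; they do not describe MobileMail's internals. The function below checks every system-level call and reports failure to the caller instead of writing.

```c
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical file-backed append buffer (assumed design for this example).
 * Appends 'len' bytes at the end of the file behind 'fd' by growing the file
 * and mapping it. Returns 0 on success and -1 on any failure; on failure
 * nothing is written, which is the property an unchecked version would lack. */
int append_to_file_buffer(int fd, const void *data, size_t len)
{
    if (fd < 0 || data == NULL)            /* reject invalid arguments up front */
        return -1;

    off_t old_size = lseek(fd, 0, SEEK_END);
    if (old_size == (off_t)-1)             /* lseek failed: report, do not guess */
        return -1;

    size_t new_size = (size_t)old_size + len;
    if (new_size < (size_t)old_size)       /* size arithmetic wrapped around */
        return -1;

    if (ftruncate(fd, (off_t)new_size) != 0)   /* growing the file may fail (e.g. ENOSPC) */
        return -1;

    void *map = mmap(NULL, new_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED)                 /* an unchecked MAP_FAILED would become a wild pointer */
        return -1;

    memcpy((char *)map + old_size, data, len);   /* safe: mapping is valid and large enough */

    return munmap(map, new_size) == 0 ? 0 : -1;
}

/* Round-trip demo on a constructed temporary file: two appends, then read back.
 * Returns 1 when the file holds exactly "hello world", 0 otherwise. */
int demo_append_roundtrip(void)
{
    char path[] = "/tmp/mailbuf_demoXXXXXX";   /* constructed temp file, not a real Mail cache */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    unlink(path);                              /* keep using fd; file vanishes on close */

    const char *a = "hello", *b = " world";
    int ok = append_to_file_buffer(fd, a, strlen(a)) == 0
          && append_to_file_buffer(fd, b, strlen(b)) == 0;

    char buf[32] = {0};
    if (ok) {
        ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
        ok = (n == 11) && memcmp(buf, "hello world", 11) == 0;
    }
    close(fd);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("round trip: %s\n", demo_append_roundtrip() ? "ok" : "failed");
    printf("invalid fd rejected: %s\n",
           append_to_file_buffer(-1, "x", 1) == -1 ? "yes" : "no");
    return 0;
}
```

The point of the example is the shape of the checked path: every call that can fail under resource exhaustion (lseek, ftruncate, mmap, munmap) is tested before the memcpy, so the failure surfaces as a return code rather than as a write to an address the kernel never handed out.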

For security reasons, the researchers have not disclosed further details of the vulnerability, but they have shared what happens to an iPhone when it is attacked.

If an email sent by an attacker is received on the iOS 12.x series, the Mail application may crash. This is the only abnormal behaviour known so far.

Users receiving the email on the iOS 13.x series may notice that the system briefly stalls while opening it, and then see a prompt saying the message has no content.

Users interested in code-level analysis can refer to the researchers' write-up. Once Apple has fully fixed the vulnerability, the researchers are expected to publish more details.