
More iMessage flaws patched in iOS 12.4

July 29, 2019 - BleepingComputer


An iMessage vulnerability patched by Apple as part of the iOS 12.4 update allows attackers to remotely read the contents of files stored on iOS devices with no user interaction, with the read performed as the `mobile` user and outside of any sandbox.

The security flaw, tracked as CVE-2019-8646, was discovered by Google Project Zero security researcher Natalie Silvanovich, who reported it to Apple in May.

The proof of concept Silvanovich created works only on devices running iOS 12 or later, and it is designed as "a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious."

CVE-2019-8646 allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox https://t.co/uGXHYjOXBe

— Natalie Silvanovich (@natashenka) July 29, 2019

The Google security researcher says that the iMessage issue is caused by the _NSDataFileBackedFuture class, which can be "deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called."

Silvanovich describes the issue in detail on Project Zero’s bug tracker:

First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.

The issue was patched by Apple in the iOS 12.4 release issued on July 22 “by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented.”
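The two hazards quoted above (a deserialized class nobody asked for, and an NSData whose reported length no longer matches its backing buffer) and the shape of Apple's fix (an explicit allow list of decodable classes) can be illustrated with a small C model. This is an added example, not Project Zero's proof of concept and not Apple's Foundation code: the `archived_object` layout, the `toy_data` struct, the `kAllowList` contents and all function names are constructed for illustration; only the class name `_NSDataFileBackedFuture` and the length-versus-buffer invariant come from the report.

```c
/* Added example (not Project Zero's or Apple's code): a toy model of an
 * archive decoder, the length/buffer mismatch the report describes, and the
 * allow-list fix. All names except _NSDataFileBackedFuture are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a consumer sees after decoding: a reported length and a buffer.
 * Real NSData keeps these equal; the file-backed future does not have to. */
typedef struct {
    size_t declared_length;  /* what [NSData length] would report        */
    size_t backing_length;   /* bytes actually present behind `bytes`     */
    const uint8_t *bytes;
} toy_data;

/* One object as a keyed archive might carry it (constructed layout). */
typedef struct {
    const char *class_name;
    size_t declared_length;  /* attacker-controlled, read from the archive */
    const uint8_t *payload;
    size_t payload_length;
} archived_object;

/* Naive decoder: instantiates whatever class the archive names and trusts
 * the archived length, which is the behaviour the bug relied on. */
static bool decode_unsafe(const archived_object *obj, toy_data *out) {
    out->declared_length = obj->declared_length;
    out->backing_length  = obj->payload_length;
    out->bytes           = obj->payload;
    return true;
}

/* Hardened decoder: only allow-listed classes may be instantiated, and an
 * NSData-like object must be backed by exactly the bytes it reports. */
static const char *const kAllowList[] = { "NSData", "NSString", "NSNumber" };

static bool class_allowed(const char *name) {
    for (size_t i = 0; i < sizeof kAllowList / sizeof kAllowList[0]; i++)
        if (strcmp(name, kAllowList[i]) == 0)
            return true;
    return false;
}

static bool decode_hardened(const archived_object *obj, toy_data *out) {
    if (!class_allowed(obj->class_name))
        return false;                 /* _NSDataFileBackedFuture is rejected */
    if (obj->declared_length != obj->payload_length)
        return false;                 /* length must match the backing buffer */
    return decode_unsafe(obj, out);
}

/* How many bytes a consumer that loops to `declared_length` would read past
 * the end of the buffer. Computed, not performed, so the program stays
 * well-defined. */
static size_t overread_bytes(const toy_data *d) {
    return d->declared_length > d->backing_length
         ? d->declared_length - d->backing_length : 0;
}

/* Constructed sample archive: a file-backed future claiming 1 MiB of data
 * while carrying a 5-byte payload, and a well-formed NSData for comparison. */
static const uint8_t kPayload[] = { 'h', 'e', 'l', 'l', 'o' };
static const archived_object kMaliciousFuture = {
    "_NSDataFileBackedFuture", 1u << 20, kPayload, sizeof kPayload
};
static const archived_object kHonestData = {
    "NSData", sizeof kPayload, kPayload, sizeof kPayload
};

/* Scenario helpers: each returns the result a caller would want to check. */
static size_t unsafe_overread_for_future(void) {
    toy_data d;
    decode_unsafe(&kMaliciousFuture, &d);
    return overread_bytes(&d);
}

static bool hardened_rejects_future(void) {
    toy_data d;
    return !decode_hardened(&kMaliciousFuture, &d);
}

static bool hardened_accepts_honest_data(void) {
    toy_data d;
    return decode_hardened(&kHonestData, &d) && overread_bytes(&d) == 0;
}

int main(void) {
    printf("unsafe decode: a consumer would over-read %zu bytes\n",
           unsafe_overread_for_future());
    printf("hardened decode rejects the future: %s\n",
           hardened_rejects_future() ? "yes" : "no");
    printf("hardened decode accepts honest NSData: %s\n",
           hardened_accepts_honest_data() ? "yes" : "no");
    return 0;
}
```

The point of the model is the order of the two checks in `decode_hardened`: the class allow list stops the unwanted object from ever being instantiated (which is the fix the report describes), and the length check is the invariant a consumer of any NSData-like object should be able to rely on. In the naive path the archive's declared length flows straight into the object, so any later loop over `[NSData length]` bytes is an out-of-bounds read of roughly a megabyte.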

According to the iOS release notes, the out-of-bounds read flaw was present in the Siri and Core Data iOS components and affects all iPhone 5s or later, iPad Air or later, and iPod touch 6th generation or later devices.

As a proof-of-concept is now publicly available for this vulnerability and iOS 12.4 was only recently released, it is strongly advised that users upgrade to the latest version of iOS as soon as possible.

More iMessage flaws patched in iOS 12.4

Silvanovich found two other iMessage vulnerabilities in collaboration with Google Project Zero's Samuel Groß, both of which were also patched in the iOS 12.4 update.

The first is a memory corruption vulnerability in Core Data tracked as CVE-2019-8660 and fixed with improved length checking; it enables remote attackers to cause unexpected application termination or arbitrary code execution on iPhone 5s or later, iPad Air or later, and iPod touch 6th generation or later iOS devices.

The second, a Core Data use-after-free issue tracked as CVE-2019-8647, may allow a remote attacker to achieve arbitrary code execution on iPhone 5s or later, iPad Air or later, and iPod touch 6th generation or later iOS devices.

In total, Silvanovich found five iMessage bugs. The remaining two are an input validation issue that could brick devices with a malformed message (patched in iOS 12.3, released on May 13) and an out-of-bounds read leading to a memory leak (fixed in watchOS 5.3, issued on July 22).
