“The Foundation framework provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, sorting and filtering, and networking. The classes, protocols, and data types defined by Foundation are used throughout the macOS, iOS, watchOS, and tvOS SDKs.”

A little over two years ago, in January 2021, an iOS security researcher known as CodeColorist published a report showing how the implementation of the NSPredicate and NSExpression classes (both part of the Foundation framework) can be exploited to execute arbitrary code. As it happens, these classes are responsible for sorting and filtering data. What’s key in the context of this blogpost is that these tools allow scripts to be executed on a device without verifying the digital signature of the code.

CodeColorist’s main finding was that such scripts can help bypass Apple security mechanisms - including app isolation. This makes it possible to write a malicious app that steals data (such as the user’s correspondence or random photos from the gallery) from other apps.

March 2022 saw the release of a paper on the practical implementation of such an app - the FORCEDENTRY zero-click exploit - which was used to spread the infamous Pegasus malware. The vulnerabilities within NSPredicate and NSExpression allowed this malware to perform a sandbox escape and gain access to data and functions outside the strictly defined boundaries within which all iOS apps work.

In the wake of both CodeColorist’s theoretical work and the hands-on study of the FORCEDENTRY exploit, Apple implemented a number of security measures and restrictions. However, a new study shows that these are still easy to bypass. The CVE-2023-23530 and CVE-2023-23531 vulnerabilities have become new ways to bypass these restrictions.

The first, CVE-2023-23530, stems from how exactly Apple addressed the problem. Specifically, Apple drew up extensive denylists of classes and methods that pose an obvious security risk within NSPredicate. The catch is that, by using methods not included in the denylists, it’s possible to wipe these lists clean and then use the full set of methods and classes.

The second vulnerability, CVE-2023-23531, relates to how processes within iOS and macOS interact with each other, and how the data-receiving process filters incoming information. Simply put, the process sending the data can attach a “contents verified” tag to it, then feed the receiving process a malicious script that uses NSPredicate, which in some cases will be executed without verification.

According to the researchers, these two techniques for bypassing security checks allow exploitation of a number of other specific vulnerabilities. Attackers could use these vulnerabilities to gain access to user data and dangerous operating system features, and even install applications (including system ones). In other words, CVE-2023-23530 and CVE-2023-23531 can be used to create FORCEDENTRY-type exploits.

To demonstrate the capabilities of CVE-2023-23530 and CVE-2023-23531, the researchers shot a video showing how a malicious app can be made to execute code inside SpringBoard (the standard application that manages the home screen on iOS) on an iPad. For its part, SpringBoard has elevated privileges and multiple access rights - including to the camera, microphone, call history, photos and geolocation data. What’s more - it can completely wipe the device.

What this means for iOS and macOS security

We should stress that the dangers posed by CVE-2023-23530 and CVE-2023-23531 are purely theoretical: there have been no recorded cases of in-the-wild exploitation. Also, the iOS 16.3 and macOS Ventura 13.2 updates have patched them, so if you install them on time, you are, supposedly, safe. That said, we don’t know how well Apple has patched the vulnerabilities this time. Perhaps workarounds will be found for these patches too. At any rate, in conversation with Wired, the researchers themselves were pretty sure that new vulnerabilities of this class will continue to appear.

Keep in mind that just being able to run scripts in iOS using NSPredicate is not enough for a successful hack. An attacker still needs to somehow get into the victim’s device to be able to do anything with it. In the case of FORCEDENTRY, this involved the use of other vulnerabilities: an infected PDF disguised as an innocent GIF file was slipped onto the target device through iMessage. The likelihood of such vulnerabilities being used in APT attacks is high, so it bears repeating the countermeasures you can take.