There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog.
The vulnerability lies in a library in both iOS and OS X, and Mark Dowd, the security researcher who discovered it, said he’s been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.
In fact, an attacker can exploit the vulnerability even if the victim doesn’t agree to accept the file sent over AirDrop.
[youtube https://www.youtube.com/watch?v=j3JODDmk2Hs&w=420&h=315]
Dowd, founder and director of Azimuth Security, was able to use the vulnerability, along with some other tactics to bypass the code-signing protections on iOS. To do this, he used his own Apple enterprise certificate to create a profile for his test app that allowed the app to run on any device. Under normal circumstances, when the app is first installed on a new device, the device would throw up a dialog asking the user if she trusts the app. However, Dowd is able to suppress this prompt by installing an enterprise provisioning profile on the device and marking it as trusted.
Dowd reported the vulnerability to Apple, which released a mitigation, but not a full patch, for it in iOS 9, which was released Wednesday. He said that while the user will see a notification when she receives a malicious package via AirDrop, it doesn’t matter whether she accepts or denies the AirDrop request.
“When you send a package via AirDrop, it comes up with a notification on the target phone asking the user if they want to accept the package. The user has to unlock the phone to accept or decline it. It does NOT matter whether they accept it or not to trigger this bug – the exploit has already happened by the time the notification is sent to the user,” Dowd said via email.
The vulnerability allows the attacker to execute a directory traversal attack, enabling him to write files to any location he chooses on the file system. The vulnerable library is installed by default in both iOS and OS X, and it’s not clear when Apple will have a full patch available for the flaw.
Unlike many other bugs in iOS and OS X, the vulnerability Dowd discovered does not rely on memory corruption in order to work and he said it has been completely reliable in practice.