See https://thehackernews.com/2020/04/zero-day-warning-its-possible-to-hack.html.
April 22 2020: Watch out Apple users! The default mail app pre-installed on millions of iPhones and iPads has been found vulnerable to two critical flaws that attackers have been exploiting in the wild, for at least the last two years, to spy on high-profile victims.
The flaws could eventually let remote hackers secretly take complete control of Apple devices just by sending an email to a targeted individual whose email account is logged in to the vulnerable app.
According to cybersecurity researchers at ZecOps, the bugs in question are remote code execution flaws that reside in the MIME library of Apple's mail app: the first is an out-of-bounds write bug and the second a heap overflow issue.
Though both flaws are triggered while processing the content of an email, the second flaw is more dangerous because it can be exploited with "zero-click", meaning no interaction is required from the targeted recipients.
As experts from a systems safety list put it:
A hint to the world’s second most valuable corporation: there is a technique called strong typing; it is over half a century old; you might want to check it out.
Apple should have heard of strong typing. They developed Apple Pascal for the Apple II. Pascal was selected as the main programming language for the Apple Lisa. Apple collaborated with Niklaus Wirth to develop Object Pascal for the Apple Macintosh. They abandoned Object Pascal for C++ when they moved from the Motorola 68000 to PowerPC in 1994. Apple must be one of the few software companies to have gone backwards in the last 25 years.
#include <cstring>   // std::strcmp
#include <iostream>

int main( void )
{
    int authentication = 0;      // the flag that sits right next to the buffers on the stack
    char cUsername[ 10 ];        // room for 9 characters plus the terminating NUL
    char cPassword[ 10 ];
    // Under -std=c++17 operator>> does not know how big cUsername is: anything longer
    // than 9 characters runs off the end of the array (the bug this post is about).
    std::cout << "Username: "; std::cin >> cUsername;
    std::cout << "Pass: "; std::cin >> cPassword;
    if( std::strcmp( cUsername, "admin" ) == 0 && std::strcmp( cPassword, "adminpass" ) == 0 )
    {
        authentication = 1;
    }
    if( authentication )
    {
        std::cout << "Access granted\n";
        std::cout << ( char )authentication;   // echoes whatever byte the overflow left in the flag
    }
    else
    {
        std::cout << "Wrong username and password\n";
    }
    return ( 0 );
}
Now let's compile and execute the program on my OSX workstation with the latest Xcode, and with the latest C++ compiler (C++20 coming soon).
% g++ -std=c++17 overflow2.cpp -fno-stack-protector
% ./a.out
Username: 0123456789
Pass: whatever
Wrong username and password
% ./a.out
Username: 0123456789a
Pass: whatever
Access granted
The C++ code works ok up to a point. However, with user names of 10 characters or more, problems begin: the program overwrites the authentication variable. The long username is copied, by std::cin's operator>>, into cUsername with no length check. Since cUsername is immediately adjacent to authentication on the stack, the excess bytes land in authentication itself. With exactly 10 characters only the terminating NUL spills over, so the first run above is still refused; with 11 characters the 'a' lands in the flag, which is why authentication is already non-zero before the code ever checks the username and password.
So, a malicious user now gains access without knowing the credentials. You have been hacked.
Stack buffer overflows are a longstanding problem for C and C++ programs that leads to all manner of ills, many of which are security vulnerabilities. The biggest problems have typically been with string buffers on the stack coupled with bad or missing length tests. A programmer who mistakenly leaves open the possibility of overrunning a buffer on a function’s stack may be allowing attackers to overwrite the return pointer pushed onto the stack earlier. Since the attackers may be able to control what gets written, they can control where the function returns—with potentially dire results.
G++, like many compilers, offers features to help detect buffer overflows with stack protection (the -fstack-protector family). In the above example, I have turned stack protection off. Although this mechanism keeps improving, it is not yet sound and complete.
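The "strong typing" remedy the post is arguing for, as an added example that is not the author's code: the same login check rewritten so the length of each credential is carried by its type (std::string) and over-long input is rejected rather than written past the end of a fixed array. The names readCredential, checkLogin and runLogin, and the 9-character budget, are this example's own choices.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Same budget the original char[10] buffers had: 9 characters plus NUL.
constexpr std::size_t kMaxCredentialLen = 9;

// Bounded read: refuse anything over the budget instead of truncating silently
// (truncation would let "adminpassXYZ" be accepted as "adminpass").
bool readCredential(std::istream& in, std::string& out) {
    std::string token;                 // the string owns its storage; nothing to overflow
    if (!(in >> token)) return false;
    if (token.size() > kMaxCredentialLen) {
        std::cerr << "input too long (" << token.size() << " > " << kMaxCredentialLen << ")\n";
        return false;
    }
    out = token;
    return true;
}

// The decision is now a function of two strings of known length, not of a
// flag that happens to sit next to a buffer on the stack.
bool checkLogin(const std::string& user, const std::string& pass) {
    return user == "admin" && pass == "adminpass";
}

// Replays a whole session from an in-memory stream (constructed input, so the
// example runs offline). Returns "granted", "denied" or "rejected".
std::string runLogin(const std::string& input) {
    std::istringstream in(input);
    std::string user, pass;
    if (!readCredential(in, user) || !readCredential(in, pass)) return "rejected";
    return checkLogin(user, pass) ? "granted" : "denied";
}

int main() {
    // The two sessions from the post, plus the valid credentials.
    std::cout << "admin adminpass      -> " << runLogin("admin adminpass") << '\n';
    std::cout << "0123456789 whatever  -> " << runLogin("0123456789 whatever") << '\n';
    std::cout << "0123456789a whatever -> " << runLogin("0123456789a whatever") << '\n';
}
```

The 11-character username that granted access in the original run is now rejected before any comparison takes place, and no compiler flag is needed to get that behaviour.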
Update April 24, 2020
In a statement today, Apple said it "thoroughly investigated" a recent report about hackers exploiting three iOS vulnerabilities but "found no evidence they were used against customers." However, the details have not been made clear, and bug fixes are promised (at this point 13.4.5 is not yet released):
Responding to a Reuters report today, ZecOps issued a statement promising to release more information on the bug once a patch is available to the entire iOS userbase.
The bugs have been patched in iOS 13.4.5 beta, and the fix is expected to reach the general iOS stable channel in the coming weeks.
The full ZecOps statement is below:
“According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs once a patch is available.”
The "existence" of the bugs was never questioned, neither by Apple nor by the security community, and installing the iOS 13.4.5 release is recommended when it comes out.
https://www.zdnet.com/article/apple-disputes-recent-ios-zero-day-claim/