Detailed analysis and exploitation of Masque Attack

I. Vulnerability Overview

Two vulnerabilities recently disclosed in Apple's iOS, WireLurker and Masque Attack, affect versions up to the latest 8.1.1 beta and are not limited to either jailbroken or non-jailbroken devices.

In terms of impact, WireLurker is mainly used to steal device identification information or, on a jailbroken device, to install malicious programs that steal private user data, including sensitive data such as call records and text messages. Masque Attack instead uses a matching bundle ID to replace an app that was downloaded and installed from the App Store. The replacement app can read that app's sensitive data (for example, the messages stored by a third-party email client) and can also serve as a stepping stone to bypass the application-layer sandbox through known vulnerabilities and attack the system layer.

II. Analysis and exploitation of the Masque Attack vulnerability

This vulnerability was first reported by FireEye's mobile security team in July 2014. An app installed with an enterprise (in-house distribution) account can replace an app installed through Apple's official App Store: if the IPA being installed uses the same bundle identifier as the App Store app, the installer overwrites the original.

1. Affected versions:

The vulnerability has been confirmed on both jailbroken and non-jailbroken devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta. Our own tests covered 7.0.2, 7.1.1 and 8.1; essentially every current iOS version is affected.

2. Impact:

1) By inducing the user to replace an app downloaded from the App Store, an attacker can capture the credentials used to log in to that app, such as an email account password or a bank account password.

2) Private data stored by the app, such as configuration information, cache files and the local SQLite database, becomes accessible.

3) Because of Apple's sandbox, the replacement app can by itself only reach the sensitive data of that one application, but it can use existing vulnerabilities to bypass the sandbox mechanism and attack the system layer.

3. Attack paths:

The replacement app can be installed over a USB connection or over a wireless network:

1) Over USB, a PC uses libimobiledevice to talk to the phone's low-level device services and installs the replacement app on a non-jailbroken phone; the WireLurker trojan for Mac OS X mentioned above works this way.

2) Over a wireless network, users can be induced to install an app through a link in a text message, iMessage or email, which replaces the app originally downloaded from the App Store. This method reaches a much wider audience.

4. Attack conditions:

1) The replacement app must be re-signed and re-packaged with an enterprise certificate. On a jailbroken phone (with AppSync installed) no re-signing is needed and the package can be installed directly.

2) Only apps installed from the App Store can be replaced. Apps built into the system, such as Safari, cannot be replaced this way.


5. Vulnerability exploitation process:

1) Decrypt the app downloaded from the App Store with an IPA decryption tool such as Clutch.

This step deals with Apple's protection mechanism: every app released through the App Store carries Apple's encryption and code-signing protection, a form of Digital Rights Management (DRM). On a jailbroken phone, Clutch can decrypt and repackage the app; its approach is to dump the decrypted content from the running process and overwrite the originally encrypted segment of the binary with it.

2) Modify the app's binary

Locate functions of interest in the program through IDA reverse engineering or dynamic debugging, re-wrap them, and alter the execution logic so that the rewritten functions run.

3) Re-sign and package

Re-package the app with the enterprise certificate, and confirm that the repackaged app uses the same bundle identifier as the original.

6. Reproducing the vulnerability:

Here we reproduce the principle of the vulnerability by replacing an app downloaded from the App Store with a package that uses the same bundle identifier.

1) First read the bundle ID. For example, the bundle ID of a social app can be read with libimobiledevice.

2) Unpack and analyze the original app, modify it, then re-sign and package it with the enterprise account. Here we replace the app's executable. In a jailbroken environment the app can be installed directly without the enterprise signature.

3) Induce the user to download and install the replacement package from a website we provide.

4) After installation completes, opening the original social app shows that it has become a bank app.

7. How to defend:

Apple's security model relies on the default non-jailbroken environment and on apps being installed through the App Store, but it overlooks trojans propagated through enterprise accounts. There is no complete defense yet, but the following practices help avoid similar malicious programs:

1) Do not install apps from anywhere other than the official Apple App Store, including apps built by third parties.

2) Do not tap to install an app from a third-party web page opened from an SMS, iMessage or email link.

3) If iOS shows an "Untrusted App Developer" warning at installation, treat the app with caution.
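As an added defensive check (not part of the original article), the following Python audit applies the attack conditions from section 4 to an inventory of installed apps: it flags any package carrying an enterprise (in-house) provisioning profile whose bundle identifier collides with an app expected to come from the App Store. The bundle IDs, team identifier and sample Info.plist/embedded.mobileprovision inputs are constructed for illustration; CFBundleIdentifier, ProvisionsAllDevices and TeamIdentifier are real plist keys.

```python
import plistlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: bundle IDs the device is expected to have installed from the App Store.
APP_STORE_INVENTORY = {"com.example.socialapp", "com.example.mailclient"}


@dataclass
class AppRecord:
    bundle_id: str
    source: str   # "appstore", "enterprise" or "development"
    team: str     # TeamIdentifier from the profile, "" for App Store builds


def parse_mobileprovision(blob: bytes) -> dict:
    """Extract the XML plist carried inside a CMS-signed embedded.mobileprovision.
    The CMS wrapper is not verified here; signature validation is a separate step."""
    match = re.search(rb"<\?xml.*?</plist>", blob, re.DOTALL)
    if not match:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_app(info_plist: bytes, mobileprovision: Optional[bytes]) -> AppRecord:
    """App Store builds normally carry no embedded profile; enterprise (in-house)
    profiles set ProvisionsAllDevices, which is what lets them install on any device."""
    bundle_id = plistlib.loads(info_plist)["CFBundleIdentifier"]
    if mobileprovision is None:
        return AppRecord(bundle_id, "appstore", "")
    profile = parse_mobileprovision(mobileprovision)
    source = "enterprise" if profile.get("ProvisionsAllDevices") else "development"
    return AppRecord(bundle_id, source, ",".join(profile.get("TeamIdentifier", [])))


def find_masquerades(apps: Iterable[AppRecord], inventory=APP_STORE_INVENTORY) -> List[AppRecord]:
    """Masque Attack needs an enterprise-signed package with an App Store app's bundle ID."""
    return [a for a in apps if a.source == "enterprise" and a.bundle_id in inventory]


def demo() -> List[str]:
    """Constructed inputs: a genuine App Store mail client and an enterprise-signed
    package reusing the social app's bundle ID. Returns the flagged bundle IDs."""
    info_social = plistlib.dumps({"CFBundleIdentifier": "com.example.socialapp"})
    info_mail = plistlib.dumps({"CFBundleIdentifier": "com.example.mailclient"})
    profile = plistlib.dumps({"ProvisionsAllDevices": True, "TeamIdentifier": ["ABCDE12345"]})
    enterprise_profile = b"\x30\x82cms-wrapper-placeholder" + profile + b"signature-placeholder"
    apps = [classify_app(info_mail, None), classify_app(info_social, enterprise_profile)]
    return [a.bundle_id for a in find_masquerades(apps)]
```

On a real device the same check would be fed the Info.plist and embedded.mobileprovision of each installed app bundle, and a hit should be treated as a replaced App Store app until the signing team is confirmed.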

III. Summary

This article has given a detailed analysis of the Masque Attack vulnerability recently disclosed on iOS, its root cause and its exploitation. iOS versions up to the latest 8.1.1 beta are affected, on both jailbroken and non-jailbroken devices.
