Security analysts from Google’s Project Zero investigated the remote attack surface of the iPhone and reviewed SMS, MMS, VVM, Email, and iMessage. They found several serious zero-day vulnerabilities in the remote, interaction-less attack surface of the iPhone. The majority of the vulnerabilities occurred in iMessage because of its broad and difficult-to-enumerate attack surface. Visual Voicemail also had a large and unintuitive attack surface, which likely led to a single serious vulnerability being reported in it.
Vulnerability in Visual Voicemail
Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. It informs devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server.
Any device can send such a message, causing Visual Voicemail to query the IMAP server named in it, so an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way.
The vulnerability found in this attack surface is an object lifetime issue in the iPhone IMAP client. When a NAMESPACE command response contains a namespace that cannot be parsed correctly, the mailbox separator is freed but not replaced with a valid object, so a selector is later called on an object that is no longer valid. This vulnerability was assigned id CVE-2019-8613. This issue was fixed on Tuesday, May 14.
Vulnerabilities in iMessage
CVE-2019-8624: A bug was found in the Digital Touch extension which led to a crash in SpringBoard requiring no user interaction. This extension allows users to send messages containing drawings and other visual elements. This bug was fixed in Apple’s July 24 update.
CVE-2019-8663: This vulnerability was found in deserializing the SGBigUTF8String class, which is a subclass of NSString. The initWithCoder: implementation of this class deserializes a byte array that is then treated as a UTF-8 string with a null terminator, even if it does not have one. This can lead to a string that contains out-of-bounds memory being created.
CVE-2019-8661: This vulnerability is a heap overflow in [NSURL initWithCoder:] and affects Mac only. It can be reached via iMessage and likely other paths, and results in a crash in soagent requiring no user interaction. This issue can be resolved by removing CarbonCore from the NSURL deserialization path. It was fixed on Saturday, Aug 3, 2019.
CVE-2019-8646: This vulnerability allows the class _NSDataFileBackedFuture to be deserialized even when secure coding is enabled. Classes do not need to be public or exported to be available for deserialization. This issue was fixed in iOS 12.4 by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented.
CVE-2019-8647: This vulnerability occurs when deserializing the class _PFArray, which extends NSArray and implements [_PFArray initWithObjects:count:], which is called by [NSArray initWithCoder:]. As a result, NSArray deserialization invokes a subclass that does not retain references. This issue can be reached remotely via iMessage and crashes SpringBoard with no user interaction. It was fixed in iOS 12.4 by implementing [_PFArray classForKeyedUnarchiver] and similar methods so that they return NSArray.
CVE-2019-8660: This vulnerability involves cycles in serialized objects: decoding an object of class NSKnownKeysDictionary1 leads to memory corruption. It was fixed in iOS 12.4 with improved length checking.
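The iMessage deserialization bugs above come down to two controls: a decoded byte array must be read by its explicit length rather than trusted to carry a NUL terminator, and an unarchiver fed untrusted data must instantiate only explicitly allow-listed classes, public or private. The following Objective-C class is an added example, not code from Project Zero or Apple; the class name SafeBigString, the archive key "bytes" and the sample string are assumptions.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical class, not Apple's SGBigUTF8String: decodes a byte array into a
// string using the array's explicit length and an explicit class allow list.
@interface SafeBigString : NSObject <NSSecureCoding>
@property (nonatomic, copy, readonly) NSString *value;
- (instancetype)initWithString:(NSString *)s;
@end

@implementation SafeBigString
+ (BOOL)supportsSecureCoding { return YES; }
- (instancetype)initWithString:(NSString *)s { if ((self = [super init])) { _value = [s copy]; } return self; }

- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:[self.value dataUsingEncoding:NSUTF8StringEncoding] forKey:@"bytes"];
}

- (instancetype)initWithCoder:(NSCoder *)coder {
    // Only NSData is accepted for this key; any other class fails the decode.
    NSData *bytes = [coder decodeObjectOfClass:[NSData class] forKey:@"bytes"];
    if (bytes == nil) { return nil; }
    // Use the byte array's own length; never scan for a NUL that an
    // attacker-supplied archive may omit.
    NSString *s = [[NSString alloc] initWithBytes:bytes.bytes length:bytes.length
                                         encoding:NSUTF8StringEncoding];
    if (s == nil) {  // invalid UTF-8: reject rather than build a bogus object
        [coder failWithError:[NSError errorWithDomain:NSCocoaErrorDomain
                                                 code:NSCoderReadCorruptError userInfo:nil]];
        return nil;
    }
    return [self initWithString:s];
}
@end

// Unarchive with an explicit allow list: classes outside the set, public or
// private, are refused instead of instantiated.
static SafeBigString *decodeUntrusted(NSData *archive, NSError **error) {
    NSSet *allowed = [NSSet setWithObjects:[SafeBigString class], [NSData class], nil];
    return [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed fromData:archive error:error];
}

int main(void) {
    @autoreleasepool {
        NSError *err = nil;  // constructed sample round trip
        NSData *archive = [NSKeyedArchiver archivedDataWithRootObject:[[SafeBigString alloc] initWithString:@"sample"]
                                            requiringSecureCoding:YES error:&err];
        NSLog(@"decoded: %@ error: %@", decodeUntrusted(archive, &err).value, err);
    }
    return 0;
}
```

An archive whose root object is any class not in the allow list makes decodeUntrusted return nil with an error instead of constructing the object.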
They found another vulnerability CVE-2019-8641, which they are not yet disclosing because its fix did not fully remediate the issue.
The analysts concluded that reducing the remote attack surface of the iPhone would likely improve its security. You can read their complete analysis on Project Zero’s blog.