XARA data stealing flaws affect Apple iOS, OSX

A team of researchers from Indiana University discovered a number of XARA vulnerabilities in both Apple’s OS X and iOS that allows Apple Keychain crack.

A team of researchers from Indiana University (Luyi Xing, Xialong Bai, XiaoFeng Wang, and Kai Chen lead by Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology) discovered a number of vulnerabilities in both Apple’s OS X and iOS, by exploiting one of them they succeeded in cracking of the Apple Keychain service.

The vulnerabilities are mainly related to the weak authentication implementation that could allow an attacker to steal authentication tokens, iCloud passwords, and user password saved on Google Chrome. The researchers classified the weaknesses as unauthorized cross-app resource access (XARA) and documented them in a study titled “Unauthorized Cross-App Resource Access on MAC OS X and iOS.”

The researchers discovered security issues related to the access-control list (ACL) implementation and problems in inter-app interaction services like Keychain, WebSocket on OS X, and URL Scheme on OS X and iOS. In short words, an attacker can exploit the flaws to modify Keychain entries to allow apps to perform several operations.

“An app within the sandbox has only limited privileges. By default, it can only read and write files within its container and some public directories. This policy is enforced by checking the developer’s signature on the app against an access-control list (ACL) associated with each directory (see Section 3.2). Also, it is not allowed to access network sockets, built-in camera, microphone, printer and other resources. Whenever use of such resources becomes necessary, the app explicitly requires them by declaring a set of entitlements within its property file (called plist file, very much like the Android manifest file)” reads the paper.

Due to the presence of the flaws, a sandboxed malicious app installed in the Apple system could gain access to sensitive data managed by other mobile apps. The researchers claim that the app can steal data from popular mobile apps like Facebook and Dropbox, the team also explained that they were able to steal information from the messaging app WeChat and even vaulted passwords from 1Password.

“Looking into the root cause of those security flaws, we found that in the most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” the paper says. 

The researchers designed a tool for automatically inspecting the source of the mobile apps and verify the presence of XARA flaws.

“To understand the scope and magnitude of this new XARA threat, we developed an analyzer for automatically inspecting Apple apps’ binaries to determine their susceptibility to the XARA threat, that is, whether they perform security checks when using vulnerable resource-sharing mechanisms and IPC channels, a necessary step that has never been made clear by Apple. “

The researchers published a video PoC demo to demonstrate how to steal an iCloud token from the Keychain:PoC demo to demonstrate how to steal an iCloud token from the Keychain:

The researchers highlighted the existence of another XARA weakness in the unique BID-based separation design in OS X that could be exploited for “container cracking.”

When apps’ container directories are disclosed, it makes it easy for other apps find them, and in turn, easy to hijack information from sandboxed apps like Evernote, Tumblr, and WeChat.

“Once the attack app is launched, whenever the OS finds out that the container directory bearing the sub-target’s BID (as its name) already exists, the sub-target is automatically added onto the directory’s ACL. As a result, the malicious app gains the full access to other apps’ containers, which completely breaks its sandbox confinement.”

Apple was informed of the XARA issues in October  and is still working to fix the issue, the researchers claim the only the iCloud issue appears to have been resolved.

Pierluigi Paganini

(Security Affairs – Apple, XARA vulnerabilities)