Unknown iOS Mail.App RCE ZecOps
Description
To quote the Reuters report: “To execute the hack, Avraham said victims would be sent an apparently blank email message through the Mail app forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.”
So, it sounds like a font or other kind of render thing in Mail.App. No clicks required other than opening the email.
Ratings
- Attacker Value: Very Low
- Exploitability: Very Low
Technical Analysis
Update April 24, 2020
Turns out, Apple and HD are both of the opinion that the vulnerability doesn't exist. See the reporting at Ars:
What’s the lesson here? PoC||GTFO, and let the vendors do their jobs as part of coordinated vulnerability disclosure. Updating the high-value/low-value indicators here.
Original Report Below
It technically “requires user interaction” but that interaction is merely opening a malicious email. It doesn’t sound like you need to click on anything.
According to the report, Apple has confirmed the existence, but we haven’t seen a patch or a CVE or anything like that.
This is super-duper high value, IMO. Million-dollar bug. Own any-ish iPhone, assuming they're using Mail.app, which most are (there are 3rd-party email applications, like Gmail and Yahoo! Mail, but they are somewhat rare in the iPhone / iPad ecosystem).
Ratings
Technical Analysis
Note, Apple is refuting the bug.
Where did you find the code?
Also, there are a /lot/ of unknowns about this, like “Easy to exploit,” who knows? All we know is 1) A researcher rediscovered this after analyzing in-the-wild attacks, and 2) there are in-the-wild attacks.
Final reply for now: There is also no evidence verified outside of the claims made by https://twitter.com/zecops . It’s unclear if Reuters could verify the bug.
If there are already cases of exploitation, then it is already for sale and/or available on the dirtball web. If the code is injected, which is becoming more and more prevalent. Whenever I see RCE I think serious. RCE is gold, no matter how difficult it is to reproduce. If the target is worth it, someone will hit it, and probably be paid to do it. Remember the Saudi Prince "hacking" Bezos? iPhones are used by many with the illusion they are safer than the rest.
It will be interesting to see how this plays out. I’m looking forward to more expert analysis, my opinion is just from experience. I have not had a chance to get into this exploit.
Not sure if here or a new eval is the place, but @todb-r7 mentioned this eval/PoC on Twitter and it has IoCs, so we should probably have it be here along for the AKB ride: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/ (yes, Tod included the @zecops Twitter handle link, but the direct blog link is probably useful). For good measure, I'll add an archive.org link of it as well: https://web.archive.org/web/20200423020023/https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
Updated my original assessment due to the lies.
I wholeheartedly disagree with you. Our job is to check the vendors. If we were misled by a researcher who made a mistake, that happens. Furthermore, if you figured this out, it's on you to present your findings in a more professional manner than what I've just read.
Todb-r7… Come on. This is not Reddit. Be better than your latest edit. We're here to discuss, not act like idiots because we are embarrassed by a mistake. Be a leader, not someone that needs a new hobby. I hope to see something better than this in the future, my friend. I know you can do it.