(Image: Apple official website)
Silvanovich only completed her own testing on devices running iOS 12 or later, and those tests were intended only to demonstrate that the vulnerability is reachable from SpringBoard. In other words, its real consequences may be considerably more serious than what was demonstrated.
Silvanovich pointed out that this iMessage problem is caused by the _NSDataFileBackedFuture class: even with secure coding in use, an attacker can still get an instance of it deserialized. Once the resulting NSData object is accessed, the local file it references is loaded into memory.
On Project Zero's bug tracker, Silvanovich described the problem as follows:
First, if code that deserializes an NSData object is shared, it may allow an uninvited guest to access local files (most notably where serialized objects are used for local communication).
Second, it allows the creation of NSData objects whose length differs from that of their backing byte array. This violates a fundamental property of the class and leads to out-of-bounds reads, and potentially out-of-bounds writes.
With this, an attacker can create an NSData object that reports a large length without being backed by a buffer of that size, something the class should never allow.
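To make the second consequence concrete, here is an added example in C. It is not Apple's code and not Project Zero's proof of concept; the wire format, the `toy_data` struct and every function name are invented for illustration. It models a length-prefixed serialized object: a decoder that trusts the declared length hands out an object whose `length` exceeds its backing buffer (the invariant any consumer relies on when it loops to `length`), while a checked decoder rejects the same blob before such an object can exist.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a deserialized data object (not NSData itself):
 * consumers index bytes[0 .. length-1], so length must never exceed
 * the number of bytes actually backing the object. */
typedef struct {
    size_t length;         /* what the object claims to hold */
    const uint8_t *bytes;  /* backing storage */
    size_t backing_size;   /* how many bytes really exist behind `bytes` */
} toy_data;

/* Invented wire format: 4-byte little-endian declared length, then payload. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decoder that trusts the declared length: models the unsafe behaviour,
 * producing an object whose length is whatever the sender wrote. */
bool decode_trusting(const uint8_t *blob, size_t blob_len, toy_data *out) {
    if (blob_len < 4) return false;
    out->length = read_le32(blob);
    out->bytes = blob + 4;
    out->backing_size = blob_len - 4;
    return true;
}

/* Decoder that enforces the invariant before handing the object out. */
bool decode_checked(const uint8_t *blob, size_t blob_len, toy_data *out) {
    if (blob_len < 4) return false;
    uint32_t declared = read_le32(blob);
    if (declared > blob_len - 4) return false;  /* not enough backing bytes */
    out->length = declared;
    out->bytes = blob + 4;
    out->backing_size = blob_len - 4;
    return true;
}

/* The property every consumer silently relies on. */
bool invariant_holds(const toy_data *d) {
    return d->length <= d->backing_size;
}

/* Typical consumer: iterates up to d->length. On an object that violates
 * the invariant this reads past the buffer, so it is only ever called on
 * objects that passed decode_checked(). */
uint32_t sum_bytes(const toy_data *d) {
    uint32_t sum = 0;
    for (size_t i = 0; i < d->length; i++) sum += d->bytes[i];
    return sum;
}

/* Scalar reporters so results can be inspected without touching a bad object. */
size_t trusting_length(const uint8_t *blob, size_t n) {
    toy_data d; return decode_trusting(blob, n, &d) ? d.length : 0;
}
bool trusting_invariant(const uint8_t *blob, size_t n) {
    toy_data d; return decode_trusting(blob, n, &d) && invariant_holds(&d);
}
bool checked_accepts(const uint8_t *blob, size_t n) {
    toy_data d; return decode_checked(blob, n, &d);
}
uint32_t checked_sum(const uint8_t *blob, size_t n) {
    toy_data d; return decode_checked(blob, n, &d) ? sum_bytes(&d) : 0;
}

/* Constructed inputs for this example. */
/* Malicious: claims 1000 (0x3E8) bytes, carries only 8. */
static const uint8_t evil_blob[] = { 0xE8, 0x03, 0x00, 0x00,
                                     1, 2, 3, 4, 5, 6, 7, 8 };
/* Benign: claims 8 bytes, carries 8. */
static const uint8_t good_blob[] = { 0x08, 0x00, 0x00, 0x00,
                                     1, 2, 3, 4, 5, 6, 7, 8 };

int main(void) {
    printf("trusting decoder, evil blob: length=%zu invariant=%s\n",
           trusting_length(evil_blob, sizeof evil_blob),
           trusting_invariant(evil_blob, sizeof evil_blob) ? "ok" : "VIOLATED");
    printf("checked decoder, evil blob: %s\n",
           checked_accepts(evil_blob, sizeof evil_blob) ? "accepted" : "rejected");
    printf("checked decoder, good blob: sum=%u\n",
           checked_sum(good_blob, sizeof good_blob));
    return 0;
}
```

The point of the example is where the check lives: the consumer (`sum_bytes`) is the same in both cases and is not at fault, so the only place the invariant can be enforced is the deserializer that constructs the object.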
In the iOS 12.4 update pushed on the 22nd of this month, Apple closed the vulnerability. Besides blocking the decoding path the attack relies on, Apple also applied stricter filtering of file URLs.
Apple's release notes for the update show that the out-of-bounds read affected the Siri and Core Data components, and that the affected devices include the iPhone 5s, iPad Air and sixth-generation iPod touch and later Apple products.
Due to the wide impact of this vulnerability, we strongly recommend that users upgrade to iOS 12.4 as soon as possible.
What other iMessage vulnerabilities were fixed in iOS 12.4?
Working with colleagues at Google Project Zero, Silvanovich also discovered two other iMessage vulnerabilities, which Apple fixed in the same iOS 12.4 update.
The first, CVE-2019-8660, is a memory corruption bug in the Core Data component. A remote attacker could use it to cause an unexpected application termination or to execute arbitrary code, the same impact as the vulnerability above.
The second, CVE-2019-8647, lets a remote attacker execute arbitrary code on the iPhone 5s, iPad Air, sixth-generation iPod touch and later Apple devices.
In total, Silvanovich's research turned up five iMessage vulnerabilities. Two of them are input validation problems she did not elaborate on; a malformed message could exploit them to brick the device (fixed in the iOS 12.3 update).
The last is a memory leak caused by an out-of-bounds read (fixed in watchOS 5.3, also released on the 22nd of this month).