Sensitive Information Disclosure Due to Insufficient Auth Checking in Apple XPC Service

We discussed this vulnerability during Episode 85 on 27 September 2021

Four vulnerabilities in Apple XPC services that do not sufficiently check the calling application's entitlements, leading to the disclosure of sensitive information.

Gamed

The com.apple.gamed XPC service does not properly check that the calling app has the com.apple.developer.game-center entitlement. This allows any installed app to retrieve several XPC proxy objects from the service that can be used to disclose sensitive information. If Game Center is enabled on the device, the app gains access to sensitive information such as the first and last name of the Apple ID account and an authentication token for interacting with gc.apple.com. Even if Game Center is disabled, it is still possible to read files from outside the sandbox, such as the Speed Dial and Address Book databases and the CoreDuet database containing contact information.

Nehelper - Enumerate Installed Apps

The Nehelper XPC service can be used to retrieve cached information about applications. This is done by providing a cache-signing-identifier, which is the bundle id of the application, and a cache-command set to 3. Any app can invoke this method and use it to determine whether an application is installed based on whether or not it exists in the cache.

Nehelper - Wifi Information

The com.apple.nehelper XPC service skips the com.apple.developer.networking.wifi-info entitlement check if the user-supplied sdk-version is less than or equal to 524288, allowing any "qualified" app to retrieve Wifi information without the required entitlement. This is slightly mitigated by the presence of some authorization checking, where the calling app must meet one of the following requirements (source: https://developer.apple.com/documentation/systemconfiguration/1614126-cncopycurrentnetworkinfo):

  • The app uses Core Location, and has the user’s authorization to use location information.
  • The app uses the NEHotspotConfiguration API to configure the current Wi-Fi network.
  • The app has an active VPN configuration installed.
  • The app has an active NEDNSSettingsManager configuration installed.
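The root cause of the nehelper Wifi bug is an entitlement check gated on a field the client controls. The following is an added illustration, not Apple's code: a constructed C model of the authorization decision, with the vulnerable form (entitlement check skipped when sdk-version is at or below 524288) beside the hardened form (entitlement always taken from the code signature, never from the request). The struct and function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Threshold quoted in the show notes: requests claiming this sdk-version or lower skipped the check. */
#define LEGACY_SDK_THRESHOLD 524288L

/* Constructed model of the inputs the service decides on (hypothetical names). */
typedef struct {
    long sdk_version;          /* "sdk-version" field supplied by the client */
    bool has_wifi_entitlement; /* com.apple.developer.networking.wifi-info, read from the caller's code signature */
    bool meets_authorization;  /* one of the four CNCopyCurrentNetworkInfo requirements above */
} wifi_request_t;

/* Vulnerable decision: a client-supplied version number decides whether the entitlement matters. */
bool wifi_info_allowed_vulnerable(const wifi_request_t *r) {
    if (!r->meets_authorization)
        return false;
    if (r->sdk_version <= LEGACY_SDK_THRESHOLD)
        return true;                     /* entitlement check skipped for "legacy" SDKs */
    return r->has_wifi_entitlement;
}

/* Hardened decision: the entitlement is required regardless of anything in the request. */
bool wifi_info_allowed_fixed(const wifi_request_t *r) {
    return r->meets_authorization && r->has_wifi_entitlement;
}

int main(void) {
    /* Constructed sample: an authorized app without the entitlement, claiming an old SDK. */
    wifi_request_t legacy_claim = { LEGACY_SDK_THRESHOLD, false, true };
    wifi_request_t entitled     = { 600000L, true, true };

    printf("legacy claim, no entitlement: vulnerable=%d fixed=%d\n",
           wifi_info_allowed_vulnerable(&legacy_claim), wifi_info_allowed_fixed(&legacy_claim));
    printf("entitled app:                 vulnerable=%d fixed=%d\n",
           wifi_info_allowed_vulnerable(&entitled), wifi_info_allowed_fixed(&entitled));
    return 0;
}
```

The defensive rule the hardened form encodes: any authorization predicate must depend only on facts the service obtains itself (entitlements, audit token, code signature), never on values the requesting process can set.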

Analyticsd

The com.apple.analyticsd XPC service has a log-dump command that can be invoked by any user-installed app and will provide analytics logs in response. This potentially includes fairly sensitive medical information alongside device usage, screen time, crashes, and other information.