Attackers have been exploiting a pair of dangerous vulnerabilities in the default mail app in Apple’s iOS software since at least January 2018 simply by sending specially formatted emails to target devices. The flaws are unpatched and have been present since iOS 6 was released in 2012.
The two vulnerabilities have been used in targeted attacks against a small subset of iOS users, mainly in Europe and Asia, but also in North America, according to researchers at ZecOps, a forensics and incident response firm that observed attacks against the bugs. The company reported the findings to Apple in February, and Apple included patches for the flaws in a beta version of iOS 13.4.5 last week. Apple has not announced a release date for a final version of the updated software.
Many people rely on the iOS Mail app as the default email app on their iPhones and iPads because it offers the ability to combine multiple email accounts into one inbox. The separate apps for popular mail services such as Gmail and Outlook are not affected by the iOS vulnerabilities. One of the flaws is an out-of-bounds write and the other is a heap overflow, and attackers can exploit both of them remotely.
There have been rumors in the security community for several weeks about attackers targeting an iOS zero day, and these are the first concrete details.
The heap overflow is a zero-click vulnerability, meaning that it can be exploited without any user interaction. It’s important to note, though, that neither of the bugs gives an attacker full control of the device after exploitation, but they do grant the same permissions as the Mail app. So an attacker would have the ability to modify or delete emails.
“Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability. It is currently under investigation,” the researchers said in a post on the flaws and related attacks.
The vulnerabilities are separate but related, and the researchers said that there are a couple of different methods for triggering them. The main exploitation vector involves sending a very large email to a target device that will consume huge amounts of memory and eventually trigger one of the vulnerabilities. This is the exploit behavior that the ZecOps researchers saw in their incident investigations. The researchers did not point to a specific group or groups of attackers who were exploiting the flaws, but said they are indicative of the activity of a nation-state threat actor.
“ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate. In addition, we found a heap-overflow that can be triggered remotely,” the researchers said.
“We are aware of remote triggers of both vulnerabilities in the wild in targeted attacks. Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly. The remote bug can be triggered while processing the downloaded email, in such scenario, the email won’t get fully downloaded to the device as a result.”
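The error-handling pattern the researchers describe, as an added C example that is not from the original article and is not Apple's code: a hypothetical file-backed buffer (`struct fbuf`, `fbuf_grow` and `fbuf_write` are assumed names) that commits a new size only after `ftruncate()` and `mmap()` have both succeeded. The constructed demo forces the resize to fail by swapping in a read-only descriptor and checks that the write is refused rather than performed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical file-backed growable buffer (not Apple's MFMutableData);
 * len is the number of bytes the file and the mapping are known to cover. */
struct fbuf { int fd; char *map; size_t len; };

/* Grow to new_len. An unchecked version would ignore ftruncate()'s result
 * and record new_len anyway, so later writes land past what is backed. */
int fbuf_grow(struct fbuf *b, size_t new_len)
{
    if (new_len <= b->len) return 0;
    if (ftruncate(b->fd, (off_t)new_len) != 0) return -1; /* keep old size */
    void *m = mmap(NULL, new_len, PROT_READ | PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (m == MAP_FAILED) return -1;     /* old mapping and len stay valid */
    if (b->map) munmap(b->map, b->len);
    b->map = m;
    b->len = new_len;
    return 0;
}

/* Copy n bytes to offset off; refuse the write if the buffer cannot grow. */
int fbuf_write(struct fbuf *b, size_t off, const void *src, size_t n)
{
    if (n > SIZE_MAX - off || fbuf_grow(b, off + n) != 0) return -1;
    memcpy(b->map + off, src, n);
    return 0;
}

/* Constructed demo: returns 1 if a write after a failed resize is refused. */
int demo_failed_resize(void)
{
    char path[] = "/tmp/fbufXXXXXX";
    int rw = mkstemp(path);
    int ro = open(path, O_RDONLY);      /* ftruncate() on this fd fails */
    unlink(path);
    if (rw < 0 || ro < 0) return -1;
    struct fbuf b = { rw, NULL, 0 };
    int ok = fbuf_write(&b, 0, "hello", 5) == 0 && b.len == 5;
    b.fd = ro;                          /* from now on the resize fails */
    int refused = fbuf_write(&b, 5, "world", 5) == -1 && b.len == 5;
    return ok && refused;
}

int main(void) { return demo_failed_resize() == 1 ? 0 : 1; }
```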
Much of the information that the ZecOps researchers gathered was gleaned from crash reports generated by the attackers' exploitation attempts, which can be quite valuable, especially on the iPhone, which is locked down and difficult to extract information from.
"When an attacker is exploiting a memory corruption vulnerability like a heap overflow, they’re highly unstable. Some percentage of the time they fail because the memory layout wasn’t in the correct state, or some other reason, which generates a crash report. Those are a wealth of information," said Patrick Wardle, a principal security researcher at Jamf who has done extensive offensive security research on iOS.
The crash report also has the stack trace, which has the functions that were called leading up to the instruction that crashed. An attacker could try this attack nine times and fail and then it works on the tenth time. From his point of view, that's totally fine. There's always some non-deterministic factor to it and very rarely do you get a heap overflow exploit to work the first time.
The attacks that the ZecOps researchers have seen were highly targeted and affected mainly executives and other high-value targets.
“Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of remote attacks that were carried through the default Mail application on iOS dating as far back as Jan 2018. ZecOps analyzed these attacks and discovered an exploitable vulnerability affecting Apple’s iPhones and iPads. ZecOps detected multiple, yet targeted, attacks leveraging this vulnerability targeting enterprise users, VIPs, and MSSPs, over a prolonged period of time,” the researchers said.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13.”
Apple has not made any public statements about the vulnerabilities yet.