One Article Review

Source: Google Project Zero
Identifier: 8221928
Publication date: 2022-08-24 11:58:33 (seen: 2022-11-25 18:05:33)
Title: The curious tale of a fake Carrier.app
Text: Posted by Ian Beer, Google Project Zero. NOTE: This issue, CVE-2021-30983, was fixed in iOS 15.2 in December 2021. Towards the end of 2021 Google's Threat Analysis Group (TAG) shared an iPhone app with me: App splash screen showing the Vodafone carrier logo and the text "My Vodafone" (not the legitimate Vodafone app). Although this looks like the real My Vodafone carrier app available in the App Store, it didn't come from the App Store and is not the real application from Vodafone. TAG suspects that a target receives a link to this app in an SMS, after the attacker asks the carrier to disable the target's mobile data connection. The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app, and includes a link to download and install this fake app. This sideloading works because the app is signed with an enterprise certificate, which can be purchased for $299 via the Apple Enterprise developer program. This program allows an eligible enterprise to obtain an Apple-signed embedded.mobileprovision file with the ProvisionsAllDevices key set. An app signed with the developer certificate embedded within that mobileprovision file can be sideloaded on any iPhone, bypassing Apple's App Store review process. While we understand that the Enterprise developer program is designed for companies to push "trusted apps" to their staff's iOS devices, in this case it appears that it was being used to sideload this fake carrier app. In collaboration with Project Zero,
Sent: Yes
Tags: Vulnerability, Threat, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.