Wednesday, April 22, 2020

iOS Mail Vulnerabilities in MFMutableData

Thomas Reed:

On Monday, ZecOps released a report about a couple concerning vulnerabilities with the Mail app in iOS. These vulnerabilities would allow an attacker to execute arbitrary code in the Mail app or the maild process that assists the Mail app behind the scenes. Most concerning, though, is the fact that even the most current version of iOS, 13.4.1, is vulnerable.

The way the attack works is that the threat actor sends an email message designed to cause a buffer overflow in Mail (or maild).


As for precautions to avoid infection, there are a couple things you can do. One would be to install the iOS 13.4.5 beta, which contains a fix for the bug.

ZecOps (Hacker News):

ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate. In addition, we found a heap-overflow that can be triggered remotely.

We are aware of remote triggers of both vulnerabilities in the wild.

Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly.
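The bug class described in the quote above, shown in its hardened form. This is an added example, not code from ZecOps, Apple, or the MIME library. The `fbuf` type, its functions, and the use of `mmap()` for the backing store are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical file-backed growable buffer; all names are assumptions. */
struct fbuf { int fd; unsigned char *map; size_t cap, len; };

/* Grow the backing file, then the mapping. On any failure the buffer
 * keeps its old map/cap, so callers can never write past what exists. */
static int fbuf_reserve(struct fbuf *b, size_t new_cap) {
    if (new_cap <= b->cap) return 0;
    if (ftruncate(b->fd, (off_t)new_cap) != 0)   /* return value checked */
        return -1;
    void *m = mmap(NULL, new_cap, PROT_READ | PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (m == MAP_FAILED) return -1;
    if (b->map) munmap(b->map, b->cap);
    b->map = m;
    b->cap = new_cap;
    return 0;
}

/* Append n bytes; refuses size_t wraparound and any failed growth. */
static int fbuf_append(struct fbuf *b, const void *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;
    if (fbuf_reserve(b, b->len + n) != 0) return -1;
    memcpy(b->map + b->len, src, n);
    b->len += n;
    return 0;
}

int main(void) {
    char path[] = "/tmp/fbufXXXXXX";          /* constructed sample file */
    struct fbuf ok = { mkstemp(path), NULL, 0, 0 };
    if (ok.fd < 0) return 1;
    int r1 = fbuf_append(&ok, "hello", 5);
    /* A read-only descriptor makes ftruncate() fail deterministically. */
    struct fbuf bad = { open(path, O_RDONLY), NULL, 0, 0 };
    int r2 = fbuf_append(&bad, "AAAA", 4);
    printf("writable: %d len=%zu, read-only: %d len=%zu\n", r1, ok.len, r2, bad.len);
    unlink(path);
    return (r1 == 0 && r2 == -1) ? 0 : 1;
}
```

If the `ftruncate()` result were ignored, the code would proceed as though the file had grown, and the later copy would target storage that was never extended.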


Update (2020-04-23): Thom Holwerda:

This can be easily mitigated - just uninstall the Apple mail client and set another mail client as the default mail handler.

Oh wait.


Update (2020-04-24): Ben Lovejoy:

Bloomberg reports that Apple not only says it can find no evidence to support this claim, but that the vulnerabilities are not sufficient to allow the reported attacks to succeed.

ZecOps had said “with high confidence” that the vulnerabilities were “widely exploited in the wild” and stands by that.

Update (2020-05-28): TheHackersNews:

Apple is rolling out #iOS 13.5 & iPadOS 13.5 with patches for recently disclosed MailDemon flaws (under active attack), which, if exploited, could let attackers hijack devices just by sending emails.
