It is often said that iOS is relatively secure and less targeted by hackers. However, the cybersecurity firm ZecOps discovered bugs in Apple's Mail app on the iPhone that let attackers install malware and control the phone without the user's knowledge.
Eric from UDomain has gone through the Mail bug incident and shared it with us. In the meantime, our Cyber Security Analyst Chris Chan has carried out a detailed analysis of this security flaw and the hacking techniques behind it. Recommendations for protecting against this threat are given as well.
Always bear in mind: a seemingly insignificant bug can cause great loss.
Read the related article:
Major flaw in the iPhone Mail app, hit even by zero-click attacks? Don't panic yet…

(Image source: Sara Kurfeß @Unsplash)
Detailed Analysis
Affected Application:
- Apple MobileMail (iOS 12) or maild (iOS 13)
Minimum tested vulnerable iOS version:
- iOS 6 to iOS 13.4
Description:
- Both vulnerabilities are caused by missing error checking on a system call: the code keeps processing the malicious data even when the call returns an error.
- The attacks may have started as early as January 2018.
Based on ZecOps research and Threat Intelligence, the suspected targets included:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- Suspected: An executive from a Swiss enterprise
Affected Library:
- /System/Library/PrivateFrameworks/MIME.framework/MIME
Vulnerable function:
- [MFMutableData appendBytes:length:]
First vulnerability - Out-of-bounds write:
- No error handling on ftruncate, resulting in an out-of-bounds vulnerability.
Second vulnerability - Heap overflow:
- A heap memory region is overwritten, triggering the vulnerability.
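The missing-check pattern behind the first vulnerability, shown as an added C example that is not ZecOps' or Apple's code: a file-backed append routine grows its backing file with ftruncate and then copies bytes through an mmap of the new size. Checking ftruncate's return value (and re-reading the size) is what stops the copy from running past what the mapping actually backs when the call fails; the function name, file path and sample header are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical file-backed append, not MIME.framework code: grow the
 * backing file, map it at the new size, copy the bytes in. */
int append_bytes_checked(int fd, const void *bytes, size_t len) {
    struct stat st;
    if (len == 0) return 0;
    if (fstat(fd, &st) < 0) return -1;
    off_t old_size = st.st_size;
    off_t new_size = old_size + (off_t)len;

    /* The check the vulnerable code lacked: if ftruncate fails (read-only
     * fd, disk full, quota), the file is still old_size bytes and the copy
     * below would write past what is actually backed by the mapping. */
    if (ftruncate(fd, new_size) < 0) return -1;

    /* Trust the new size only after re-reading it from the kernel. */
    if (fstat(fd, &st) < 0) return -1;
    if (st.st_size != new_size) { errno = EIO; return -1; }

    void *map = mmap(NULL, (size_t)new_size, PROT_READ | PROT_WRITE,
                     MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) return -1;
    memcpy((char *)map + old_size, bytes, len);
    munmap(map, (size_t)new_size);
    return 0;
}

/* Self-check on a constructed temporary file. Returns the final file size
 * when the append succeeds, or the append's error code when it is refused.
 * read_only=1 reopens the file O_RDONLY so that ftruncate is bound to fail. */
int demo_append(int read_only) {
    char path[] = "/tmp/mail_append_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -2;
    const char header[] = "Subject: demo\r\n";            /* 15 bytes */
    if (write(fd, header, 15) != 15) { close(fd); unlink(path); return -2; }
    if (read_only) { close(fd); fd = open(path, O_RDONLY); }
    int rc = append_bytes_checked(fd, "body\r\n", 6);
    struct stat st;
    if (fstat(fd, &st) < 0) rc = -2;
    close(fd);
    unlink(path);
    return rc == 0 ? (int)st.st_size : rc;   /* 21 when writable, -1 when read-only */
}
```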
What is observable when the exploit runs (symptoms):
- Temporary slowdown of the Mail application (both iOS 12 and 13)
- Sudden crash of the Mail application on iOS 12
- The message “This message has no content” shown as the email body (both iOS 12 and 13)
Successfully exploiting these vulnerabilities requires:
- A way to predict the heap memory layout
- A way to bypass Address Space Layout Randomization (ASLR), a security technique intended to prevent attackers from exploiting buffer overflows or out-of-bounds access
- A payload that overwrites the original data without breaking the data structure
Can it take full control of the mobile?
- No. Attackers need an additional kernel exploit to take full control.
Recommendation:
A beta update, iOS 13.4.5, has been released. If this version cannot be installed, and the mailbox is used to exchange sensitive information such as personal data or confidential email, disable MobileMail or maild until Apple's patch is released. Users can also log into their mailboxes through a browser or use a third-party mail application until the patch is available.
Please contact us for more about cybersecurity.