OS X forensic acquisition: a basic workflow

OS X is, in effect, a *nix-based system, so the forensic image acquisition process is very similar to the one used on Linux systems.
Today I’d like to share my personal acquisition workflow for Apple Mac systems, suitable for OS X versions before 10.11 (El Capitan) or any OS X version with SIP disabled.


Reverse engineering and penetration testing on iOS apps: my own list of tools

After a post focused on Android, here is another list of tools useful for penetration testing and reverse engineering of iOS applications.
All of these tools are also OSS and freely available.


Yes, you can log into macOS “High Sierra” as root with no password

UPDATE – Apple released the security patch for the bug:

https://support.apple.com/en-us/HT208315


The security flaw discovered in macOS High Sierra by Lemi Orhan Ergin is so serious that it is hard to believe it’s real: you can become root without typing a password.


A bug in Apple’s WebView allows an attacker to initiate phone calls without user confirmation

Twitter and LinkedIn iOS apps are vulnerable!

The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could allow phone calls to a number of the attacker’s choosing.

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.

Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code, and iOS developers who have embedded Apple’s WebView into mobile apps need to be aware.

https://gist.github.com/andreafortuna/50d68e9d109c25bc2cb84abee42463fa

The risks to the user include calls to premium numbers or denial-of-service against telephone numbers of public services:

About a week ago I read a news post about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited from an iPhone. This was most likely due to a bug with the handling of TEL URI. I immediately thought about a bug I reported to Apple in late October 2008. I couldn’t believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.
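On the developer side, an app that embeds a web view can refuse to hand dialer URLs to the system unless the user confirms. The sketch below is an added example, not code from the researcher or from the affected apps; it assumes the app uses WKWebView, and the class name, scheme lists and dialog text are hypothetical.

```swift
import UIKit
import WebKit

/// Hypothetical navigation delegate: web content may load https pages only,
/// and dialer-style URLs leave the app only after an explicit confirmation.
final class DialGuardNavigationDelegate: NSObject, WKNavigationDelegate {
    // Assumed list of schemes that start a call or message in another app.
    private let sensitiveSchemes: Set<String> = ["tel", "telprompt", "facetime", "facetime-audio", "sms"]
    // Schemes the embedded web view is allowed to load by itself.
    private let webSchemes: Set<String> = ["https", "about"]

    weak var presenter: UIViewController?

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if webSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }
        // The web view itself never follows a non-web scheme.
        decisionHandler(.cancel)

        // navigationType is only a first filter (redirects and timers are not
        // .linkActivated); the confirmation dialog is the actual control.
        guard sensitiveSchemes.contains(scheme),
              navigationAction.navigationType == .linkActivated else { return }
        confirmAndOpen(url)
    }

    private func confirmAndOpen(_ url: URL) {
        // Show the full target so the user sees which number would be dialed.
        let alert = UIAlertController(title: "Open outside the app?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter?.present(alert, animated: true)
    }
}
```

The delegate has to be retained by the owning view controller and assigned to the web view's `navigationDelegate`, since that property is a weak reference.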

The researcher has also published two video demonstrations of the exploit:

 


References

https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html