Stories with Tag iOS Security

• Remote Code Execution in Marvel Rivals Game

  permalink

  Posted: 2025-02-03 18:02:42

  Verbose tl;dr

  A critical remote code execution (RCE) vulnerability was discovered in the now-defunct mobile game Marvel: Contest of Champions (also known as Marvel Rivals). The game's chat functionality lacked proper input sanitization, allowing attackers to inject and execute arbitrary JavaScript code within clients of other players. This could have been exploited to steal sensitive information, manipulate game data, or even potentially take control of affected devices. The vulnerability, discovered by a security researcher while reverse-engineering the game, was responsibly disclosed to Kabam, the game's developer. Although a fix was implemented, the exploit served as a stark reminder of the potential security risks associated with unsanitized user inputs in online games.

  This blog post details the discovery and exploitation of a remote code execution (RCE) vulnerability within the now-defunct mobile game "Marvel: Contest of Champions," also referred to as "MCOC" or "Rivals," developed by Kabam. The author, a security researcher operating under the pseudonym "shalzuth," meticulously outlines the process of reverse engineering the game's client-server communication protocol to identify and leverage a weakness in how the game handled JSON messages.

  Shalzuth began by intercepting the traffic between the game client and the server using a proxy tool. This allowed them to observe the structure and content of the JSON messages exchanged during gameplay. Through careful analysis and manipulation of these messages, they discovered that the server did not adequately sanitize certain fields within the JSON payloads. Specifically, the game incorporated a feature allowing players to send pre-defined messages to each other during matches, and these messages were processed server-side. Shalzuth found that embedding malicious JavaScript code within these seemingly innocuous chat messages could bypass the server's security measures.

  The core vulnerability stemmed from the server's use of an embedded JavaScript engine to dynamically interpret and execute parts of the received JSON messages. By crafting a specially formatted chat message containing JavaScript code, shalzuth could inject arbitrary commands that would be executed on the game server. This provided them with the ability to perform actions beyond the intended game mechanics, including, but not limited to, potentially manipulating game data, accessing sensitive information, or even disrupting the game service for other players.

  The blog post further elaborates on the specific JavaScript functions and techniques employed to achieve code execution, including bypassing character limitations and other restrictions imposed by the game client. Shalzuth explains how they constructed the malicious payload and demonstrates its effectiveness by successfully executing a simple "alert" command on the server, proving the existence of the vulnerability. While the post does not delve into the potential ramifications of this exploit beyond the proof-of-concept demonstration, it implicitly highlights the severe security risks associated with inadequate server-side input validation and the dangers of executing user-supplied code in sensitive environments. The responsible disclosure process is also detailed, indicating that Kabam was notified and subsequently patched the vulnerability before the blog post's publication. This demonstrates a commitment to ethical hacking practices and responsible vulnerability disclosure.

  • remote code execution
  • RCE
  • Game Exploit
  • Cybersecurity
  • Vulnerability
  • Marvel Rivals
  • Gaming
  • Exploit Development
  • Software Security
  • game hacking
  • Mobile Game Security
  • Android Security
  • iOS Security

  Summary of Comments ( 54 )
  https://news.ycombinator.com/item?id=42920962

  Verbose tl;dr

  Hacker News users discussed the exploit detailed in the blog post, focusing on the surprising simplicity of the vulnerability and the potential impact it could have had. Several commenters expressed amazement that such a basic oversight could exist in a production game, with one pointing out the irony of a game about superheroes being vulnerable to such a mundane attack. The discussion also touched on the responsible disclosure process, with users questioning why Kabam hadn't offered a bug bounty and acknowledging the author's ethical handling of the situation. Some users debated the severity of the vulnerability, with opinions ranging from "not a big deal" to a serious security risk given the game's access to user data. The lack of a detailed technical explanation in the blog post was also noted, with some users desiring more information about the specific code involved.

  The Hacker News post titled "Remote Code Execution in Marvel Rivals Game" (https://news.ycombinator.com/item?id=42920962) has a moderate number of comments, discussing various aspects of the linked blog post detailing a game exploit. Several commenters focus on the technical details of the exploit, while others discuss the broader implications for game security and the responsible disclosure process.

  One compelling comment thread revolves around the surprising simplicity of the vulnerability. Commenters express astonishment that such a basic oversight could exist in a production game, especially given the potential security implications. The discussion touches upon the possibility of this being a common issue in other games and the need for better security practices in game development.

  Another interesting thread focuses on the author's decision to withhold certain technical details of the exploit to prevent malicious actors from replicating it. Commenters generally agree with this approach, acknowledging the potential harm that could be caused if the exploit were to become widely known. Some discuss the ethical responsibilities of security researchers in disclosing vulnerabilities and the balance between transparency and protecting users.

  Some comments also delve into the specifics of the exploit, questioning the author's description of it as "Remote Code Execution (RCE)." They argue that while the exploit allows for manipulating game data and potentially impacting other players, it doesn't necessarily grant full control over the server or allow for arbitrary code execution in the traditional sense. This leads to a nuanced discussion about the definition of RCE and the different levels of severity associated with various types of exploits.

  Several users also share anecdotal experiences about encountering similar vulnerabilities in other games, highlighting the prevalence of such issues. They discuss the challenges of getting game developers to take security concerns seriously and the often slow response times in patching vulnerabilities.

  Finally, some comments express appreciation for the author's detailed write-up and the clear explanation of the exploit, even with the omission of sensitive details. They commend the author for responsible disclosure and for bringing attention to an important security issue in the gaming industry. Overall, the comments provide valuable insights into the technical aspects of the exploit, the ethical considerations of vulnerability disclosure, and the broader implications for game security.

• Susctl CVE-2024-54507: A particularly 'sus' sysctl in the XNU kernel

  permalink

  Posted: 2025-01-23 22:37:57

  Verbose tl;dr

  A vulnerability (CVE-2024-54507) was discovered in the XNU kernel, affecting macOS and iOS, which allows malicious actors to leak kernel memory. The flaw resides in the sysctl interface, specifically the kern.hv_vmm_vcpu_state handler. This handler failed to properly validate the size of the buffer provided by the user, resulting in an out-of-bounds read. By crafting a request with a larger buffer than expected, an attacker could read data beyond the intended memory region, potentially exposing sensitive kernel information. This vulnerability was patched by Apple in October 2024 and is relatively simple to exploit.

  The blog post by Jann Horn, titled "Susctl CVE-2024-54507: A particularly 'sus' sysctl in the XNU kernel," details a vulnerability (CVE-2024-54507) discovered in Apple's XNU kernel, impacting macOS and iOS. This vulnerability stems from improper handling of the kern.sysctlbyname sysctl, specifically when dealing with nested structures within sysctl MIBs (Management Information Bases).

  Horn explains that kern.sysctlbyname allows userspace programs to access kernel data structures by specifying a name-based path, akin to navigating a file system. The issue arises when a MIB entry points to a structure containing further nested structures or pointers. Normally, sysctlbyname should only allow access to the top-level structure specified in the MIB. However, the flawed implementation permitted traversing deeper into these nested structures by simply appending the names of the inner members to the sysctl name, even if those inner members weren't explicitly exposed by any MIB entry.

  This effectively bypassed intended access restrictions, granting access to kernel memory regions that should have been inaccessible to userspace. The specific example provided in the post demonstrates reading the version field of an embedded os_unfair_lock structure within another structure exposed via a sysctl. Although this example only disclosed kernel version information, Horn highlights that this vulnerability could potentially be exploited to leak more sensitive data or even achieve arbitrary memory read, depending on the structures accessible through vulnerable sysctl entries.

  The post delves into the technical details of the vulnerability, explaining how the kernel's internal sysctl_name function mishandled the traversal of these nested structures. It misinterprets the presence of a sub-structure within a returned buffer as an indicator that further traversal is permissible, even if no MIB entry exists for the sub-structure. This logic flaw allows an attacker to construct arbitrary paths by appending the names of nested members, essentially crafting a "fake" MIB entry on the fly.

  Horn's analysis includes a detailed breakdown of the vulnerable code path within the kernel, illustrating the faulty logic. He further illustrates the exploitation process by showcasing a proof-of-concept code snippet that successfully reads the version field of the nested os_unfair_lock structure. The post concludes by mentioning that Apple has addressed this vulnerability in their security updates and encourages users to update their systems. The fix likely involves restricting traversal beyond the top-level structure specified in the MIB, preventing access to nested members not explicitly exposed.

  • CVE-2024-54507
  • XNU
  • Kernel
  • macOS
  • iOS
  • Vulnerability
  • Security
  • Exploit
  • Sysctl
  • Privilege Escalation
  • Kernel Exploit
  • Mac Security
  • iOS Security

  Summary of Comments ( 8 )
  https://news.ycombinator.com/item?id=42808801

  Verbose tl;dr

  Hacker News commenters discuss the CVE-2024-54507 vulnerability, focusing on the unusual nature of the vulnerable sysctl and the potential implications. Several express surprise at the existence of a sysctl that directly modifies kernel memory, questioning why such a mechanism exists and speculating about its intended purpose. Some highlight the severity of the vulnerability, emphasizing the ease of exploitation and the potential for privilege escalation. Others note the fortunate aspect of the bug manifesting as a kernel panic rather than silent memory corruption, making detection easier. The limited practical impact due to System Integrity Protection (SIP) is also mentioned, alongside the difficulty of exploiting the vulnerability remotely. A few commenters also delve into the technical details of the exploit, discussing the specific memory manipulation involved and the resulting kernel crash. The overall sentiment reflects concern about the unusual nature of the vulnerability and its potential implications, even with the mitigating factors.

  The Hacker News post discussing the CVE-2024-54507 vulnerability in the XNU kernel, titled "Susctl CVE-2024-54507: A particularly 'sus' sysctl in the XNU kernel," has generated several comments.

  Many commenters focus on the unusual nature of the vulnerability and its exploitation. One commenter points out the irony of a vulnerability existing in a mechanism designed to improve security, specifically the sysctl interface intended for secure configuration adjustments. They express surprise that such a fundamental component could be susceptible to this type of issue.

  Another commenter delves into the technical details of the exploit, highlighting the unexpected behavior of the sysctl handler. They discuss how the vulnerability arises from an incorrect handling of specific input, leading to a kernel panic. The comment emphasizes the severity of the issue, as it can be triggered remotely, potentially allowing for denial-of-service attacks.

  Several commenters also discuss the implications of the vulnerability for Apple users. Some express concern about the potential impact on macOS and iOS devices, given the widespread use of the XNU kernel. Others raise questions about the timeline for a patch and the potential for exploitation in the wild.

  A few comments touch on the broader security implications of this type of vulnerability. One commenter notes the increasing complexity of modern operating systems and the challenges of ensuring their security. They suggest that this vulnerability highlights the need for more robust security testing and validation processes.

  Some of the more technically inclined comments delve into the specifics of the kernel code and the mechanisms that led to the vulnerability. These comments offer insights into the inner workings of the XNU kernel and provide a deeper understanding of the exploit's technical details.

  A couple of commenters also discuss the responsible disclosure process and commend the researchers for reporting the vulnerability to Apple before publicly disclosing it. They emphasize the importance of responsible disclosure in mitigating the potential impact of security vulnerabilities.

  Overall, the comments on the Hacker News post reflect a mixture of surprise, concern, and technical analysis. The commenters acknowledge the severity of the vulnerability and its potential impact on Apple users, while also delving into the technical intricacies of the exploit and its implications for kernel security.

• Homomorphic encryption in iOS 18

  permalink

  Posted: 2025-01-11 16:35:00

  Verbose tl;dr

  iOS 18 introduces homomorphic encryption for some Siri features, allowing on-device processing of encrypted audio requests without decrypting them first. This enhances privacy by preventing Apple from accessing the raw audio data. Specifically, it uses a fully homomorphic encryption scheme to transform audio into a numerical representation amenable to encrypted computations. These computations generate an encrypted Siri response, which is then sent to Apple servers for decryption and delivery back to the user. While promising improved privacy, the post raises concerns about potential performance impacts and the specific details of the implementation, which Apple hasn't fully disclosed.

  The blog post "Homomorphic Encryption in iOS 18" by Bastian Bohm details the introduction of homomorphic encryption capabilities within Apple's iOS 18 operating system, specifically focusing on the newly available APIs for performing calculations on encrypted data without requiring decryption. The author expresses excitement about this development, highlighting the potential for enhanced privacy and security in various applications.

  The post begins by explaining the concept of homomorphic encryption, emphasizing its ability to process encrypted information directly, thus preserving the confidentiality of sensitive data. It distinguishes between Fully Homomorphic Encryption (FHE), which supports arbitrary computations, and Partially Homomorphic Encryption (PHE), which is limited to specific operations like addition or multiplication. The post clarifies that iOS 18 implements PHE, specifically focusing on additive homomorphic encryption.

  The core of the post revolves around the newly introduced SecKeyEncryptedData class and its associated methods. The author provides a concise code example demonstrating how to create encrypted integers using this class and how to perform homomorphic addition on these encrypted values. The resulting sum remains encrypted, and only the holder of the decryption key can reveal its true value. The author meticulously breaks down the code snippet, explaining the role of each function and parameter. For instance, the post elucidates the process of generating a public key specifically designated for encrypted data operations and how this key is subsequently used to encrypt integer values. It also explains the significance of the perform method in executing homomorphic operations on these encrypted integers.

  Furthermore, the post discusses the underlying cryptographic scheme employed by Apple, revealing that it leverages a variant of the Paillier cryptosystem. This choice is deemed suitable for integer additions and is acknowledged for its established security properties. The post also touches upon the practical limitations of PHE, specifically noting the inability to perform other operations like multiplication or comparison directly on the encrypted data without decryption.

  Finally, the author speculates on the potential applications of this technology within the Apple ecosystem. The example given is privacy-preserving data collection, suggesting how homomorphic encryption could enable the aggregation of user statistics without compromising individual data privacy. This could be useful for applications like collecting usage metrics or accumulating health data while ensuring that the individual contributions remain confidential. The author concludes with an optimistic outlook on the future implications of homomorphic encryption within the iOS environment and expresses anticipation for further advancements in this field.

  • Homomorphic Encryption
  • iOS 18
  • iOS Security
  • Cryptography
  • privacy
  • Mobile Security
  • Data Security
  • Encryption
  • Apple
  • iOS Development
  • Data Privacy
  • App Security
  • Fully Homomorphic Encryption
  • FHE
  • Partially Homomorphic Encryption
  • PHE
  • Client-Side Encryption

  Summary of Comments ( 121 )
  https://news.ycombinator.com/item?id=42666959

  Verbose tl;dr

  Hacker News users discussed the practical implications and limitations of homomorphic encryption in iOS 18. Several commenters expressed skepticism about Apple's actual implementation and its effectiveness, questioning whether it's fully homomorphic encryption or a more limited form. Performance overhead and restricted use cases were also highlighted as potential drawbacks. Some pointed out that the touted benefits, like encrypted search and image classification, might be achievable with existing techniques, raising doubts about the necessity of homomorphic encryption for these tasks. A few users noted the potential security benefits, particularly regarding protecting user data from cloud providers, but the overall sentiment leaned towards cautious optimism pending further details and independent analysis. Some commenters linked to additional resources explaining the complexities and current state of homomorphic encryption research.

  The Hacker News post titled "Homomorphic encryption in iOS 18" spawned a modest discussion with a handful of comments focusing on the practicalities and limitations of the technology, rather than the announcement itself. No one expressed outright excitement or skepticism about the announcement, instead offering pragmatic observations.

  One commenter pointed out that the homomorphic encryption being utilized is limited to integer addition and multiplication, and thus isn't fully homomorphic encryption (FHE) in the broader, more powerful sense. They clarified that true FHE allows arbitrary computation on encrypted data, which is not what Apple is implementing. This comment served as an important clarification to distinguish the specific type of homomorphic encryption being employed.

  Another user expanded on this by mentioning that the specific technique used is called "additive homomorphic encryption" and likely leverages the Paillier cryptosystem. This added technical depth to the discussion, providing a potential underlying mechanism for Apple's implementation. They then speculated about its use case, suggesting it could be applied to scenarios like federated learning or aggregated metrics collection.

  A subsequent comment explored the performance limitations of homomorphic encryption. The commenter noted the significant computational overhead associated with these techniques, which makes them unsuitable for many real-time or performance-sensitive applications. This comment highlighted the trade-offs involved in using homomorphic encryption, emphasizing that while it offers enhanced privacy, it comes at the cost of performance.

  Finally, one commenter linked to a related project called "Concrete," further adding context to the types of operations and optimizations possible within the homomorphic encryption space. This provides an avenue for those interested in learning more about practical implementations and advancements in the field.

  Overall, the comments section offers a concise and informed discussion focusing on the technical nuances of Apple's implementation rather than broad speculation or hype. They provide valuable context and clarification regarding the specific type of homomorphic encryption being used and its inherent limitations.