
CVE-2022-46718 PoC — Apple iOS and iPadOS Security Vulnerability

Source
Associated Vulnerability
Title: Apple iOS and iPadOS Security Vulnerability (CVE-2022-46718)
Description: Apple iOS and Apple iPadOS are products of the US company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple iOS versions before 15.7.2 and iPadOS versions before 15.7.2 contain a security vulnerability that stems from a logic issue; an application may be able to read sensitive location information.
Description
CVE-2022-46718: an app may be able to read sensitive location information.
Readme
# CoreParsecLocation

**tl;dr add an entitlement check to `parsecd`**

## Overview

CoreParsecLocation is a sample application demonstrating how a third-party app can access a user's precise location without a user's consent or permission. `parsecd`/`CoreParsec` also provides information such as localized search suggestions, knowledge cards, and a temporary user ID. Thankfully, I do not believe the user ID is persisted or recycled at this time.

## Timeline
- Discovered the information leak in November 2022 and reported the finding to Apple.
- Apple patched the issue with iOS 16.2 in December 2022.
- Apple verified that the issue was fixed in January 2023, assigned CVE-2022-46718 to the issue, and paid out a bug bounty of $35,000.
- *This part bugs me a bit:* the public disclosure was added to the [iOS 16.2 Security Notes](https://support.apple.com/en-us/HT213530) on May 1st, 2023.

## How does it work?

During a routine Frameworks expedition, I noticed an active `NSXPCConnection` to `parsecd`. After a few days of tinkering, I discovered that `parsecd` would respond to search queries from any application as long as I spoofed the correct header information. In this case, I used the `SPPARSession` class, which sets up a session for Spotlight.

At first, I assumed that the `PARResponse` object would only return a GeoIP location (which isn't that useful on its own). However, after trying numerous search queries, I discovered that searching for "restaurants" would cause `parsecd` to grab the user's precise location. It then returned the location information to me via the `PARResponse` object.

`parsec` also returns additional information, such as localized news results & search suggestions. I do not believe these contain any user-identifiable information at this time. After submission, I plan to further explore the additional responses.
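The tl;dr fix above is a caller-entitlement check on the daemon side. As an added illustration (not Apple's `parsecd` code, whose internals are not public), here is an `NSXPCListener` delegate that binds every incoming connection to a code-signing requirement demanding a hypothetical entitlement, so a process that merely spoofs the right headers is refused before it reaches the exported object. It uses the public `setCodeSigningRequirement(_:)` API (macOS 13+), since the equivalent iOS-side plumbing is private; the service and entitlement names are placeholders.

```swift
// Added example: entitlement-gated NSXPCListener. Not the project's or Apple's code.
import Foundation

// Hypothetical restricted entitlement a client must carry to use the service.
let requiredEntitlement = "com.example.location-search-client"   // placeholder

@objc protocol SearchService {
    func search(_ query: String, reply: @escaping (String?) -> Void)
}

final class SearchServiceImpl: NSObject, SearchService {
    func search(_ query: String, reply: @escaping (String?) -> Void) {
        // Stand-in for the real search; anything location-sensitive would live here,
        // reachable only by connections that passed the delegate's gate.
        reply("results for \(query)")
    }
}

final class GatedListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Require an Apple-anchored signature AND the entitlement. The framework
        // evaluates this against the peer's code signature, not against anything
        // the peer sends in a message, so header spoofing does not help.
        // Checking by PID (processIdentifier) instead would be racy; avoid it.
        let requirement =
            "anchor apple generic and entitlement[\"\(requiredEntitlement)\"] exists"
        newConnection.setCodeSigningRequirement(requirement)

        newConnection.exportedInterface = NSXPCInterface(with: SearchService.self)
        newConnection.exportedObject = SearchServiceImpl()
        newConnection.resume()
        return true
    }
}

// Placeholder Mach service name; a real daemon registers its own via launchd.
let delegate = GatedListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.search")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The check only protects data if the entitlement itself is restricted (granted by Apple, not self-declarable by third-party apps); an unrestricted entitlement would let any app opt in.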

## Important Tidbits
- The user *IS NOT* notified that their location is currently in use. I'm unsure how often `parsecd` asks for a new location, but I did not see a location indicator in the status bar during my testing.
- The location updates every 100ft or so.
- Affects iOS 16/16.0.1.
- Makes use of the third-party library `Dynamic` (found here: https://github.com/mhdhejazi/Dynamic). This library is not required to exploit `parsecd`, but it does make it easier to use third-party APIs without exposed headers.
- Requires an internet connection, although I'm still testing to see if `parsecd` will return the location without one.
- I believe this falls under the "User-Installed App: Unauthorized Access to Sensitive Data" category on https://developer.apple.com/security-bounty/payouts/.
- This code is _not my best work_ but I was very excited to submit this and wrote it at 3AM. If y'all have any questions/comments please don't hesitate to reach out.
File Snapshot

```
[4.0K]  /data/pocs/0e2fb020aa78d3a026b3079bf26e1d6fcd31d6dd
├── [4.0K]  CoreParsecLocation
│   ├── [4.0K]  CoreParsecLocation
│   │   ├── [4.0K]  Assets.xcassets
│   │   │   ├── [4.0K]  AccentColor.colorset
│   │   │   │   └── [ 123]  Contents.json
│   │   │   ├── [4.0K]  AppIcon.appiconset
│   │   │   │   └── [ 177]  Contents.json
│   │   │   └── [  63]  Contents.json
│   │   ├── [ 367]  CoreParsecLocationApp.swift
│   │   ├── [1020]  RootView.swift
│   │   └── [3.8K]  SeemsLegitLocationManager.swift
│   ├── [4.0K]  CoreParsecLocation.xcodeproj
│   │   ├── [ 14K]  project.pbxproj
│   │   └── [4.0K]  project.xcworkspace
│   │       ├── [ 135]  contents.xcworkspacedata
│   │       └── [4.0K]  xcshareddata
│   │           └── [ 238]  IDEWorkspaceChecks.plist
│   └── [4.0K]  Third Party
│       └── [4.0K]  Dynamic
│           ├── [9.9K]  LICENSE
│           ├── [ 490]  Package.swift
│           ├── [ 14K]  README.md
│           ├── [4.0K]  Sources
│           │   └── [4.0K]  Dynamic
│           │       ├── [9.5K]  Dynamic.swift
│           │       ├── [8.7K]  Invocation.swift
│           │       ├── [2.7K]  Logger.swift
│           │       └── [5.2K]  TypeMapping.swift
│           └── [4.0K]  Tests
│               ├── [4.0K]  DynamicTests
│               │   └── [ 12K]  DynamicTests.swift
│               ├── [ 714]  LinuxMain.stencil
│               └── [ 637]  LinuxMain.swift
├── [1.1K]  LICENSE
└── [2.8K]  README.md

14 directories, 21 files
```