
CVE-2023-40429 PoC — Apple iOS and iPadOS Security Vulnerability

Source
Associated Vulnerability
Title: Apple iOS and iPadOS Security Vulnerability (CVE-2023-40429)
Description: Apple iOS and Apple iPadOS are products of Apple, a US company. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple iOS 17 and iPadOS 17 have a security vulnerability that stems from an app possibly being able to access sensitive user data.
Description
CVE-2023-40429: An app may be able to access sensitive user data.
Readme
# HostName

## Overview

HostName is a sample application demonstrating how a third-party app can access a user's device name without the `com.apple.developer.device-information.user-assigned-device-name` entitlement.

## Details

In iOS 16, Apple added the `com.apple.developer.device-information.user-assigned-device-name` entitlement to prevent third-party applications from fingerprinting a user by device name. However, the `ProcessInfo.processInfo.hostName` API broke in the process, which allowed a third-party developer to get the network hostname of the device without an entitlement. While the hostname is not a 1:1 copy of the device name, it's close. For example, my device is named `Astronaut Sloth`, which gives me a hostname of `Astronaut-Sloth`.

When a third-party developer accesses the `ProcessInfo.processInfo.hostName` API, the user gets presented with an "Allow <X> to communicate with Local Network Devices" prompt. In iOS 15, the `ProcessInfo.processInfo.hostName` API would return `localhost` if the user denied this prompt. However, in iOS 16 this also broke - a device name was always returned regardless of user input.
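As an added illustration (not code from the HostName repository), the following Swift check classifies what `ProcessInfo.processInfo.hostName` returns to an app that does not hold the entitlement, so a device can be regression-tested against this issue. The name-to-hostname normalisation and the `.local` suffix handling are assumptions generalised from the single `Astronaut Sloth` example above; the API call itself triggers the Local Network prompt described above.

```swift
import Foundation

/// Outcome of probing `ProcessInfo.processInfo.hostName` from an app that
/// does NOT hold `com.apple.developer.device-information.user-assigned-device-name`.
enum HostNameExposure: Equatable {
    case notExposed          // API returned "localhost" (the iOS 15 denied-prompt value)
    case exposed(String)     // API returned a hostname derived from the device name
}

/// Assumed mapping from a user-assigned device name to its hostname form,
/// generalised from the one example in the write-up
/// ("Astronaut Sloth" -> "Astronaut-Sloth"): runs of characters that are not
/// ASCII letters or digits collapse to a single hyphen, and leading or
/// trailing hyphens are dropped. Useful for matching a probed hostname
/// against a known device name during testing.
func expectedHostName(fromDeviceName name: String) -> String {
    var out = ""
    var pendingHyphen = false
    for scalar in name.unicodeScalars {
        let isAsciiAlnum = scalar.value < 128 && CharacterSet.alphanumerics.contains(scalar)
        if isAsciiAlnum {
            if pendingHyphen && !out.isEmpty { out.append("-") }
            pendingHyphen = false
            out.unicodeScalars.append(scalar)
        } else {
            pendingHyphen = true
        }
    }
    return out
}

/// Regression check for CVE-2023-40429. The hostname is injectable so the
/// classifier can be exercised off-device; the default reads the live API,
/// which on iOS 16 surfaces the Local Network prompt mentioned above.
func probeHostNameExposure(hostName: String = ProcessInfo.processInfo.hostName) -> HostNameExposure {
    // Assumption: strip a ".local" suffix if the system appends one; the
    // write-up shows the bare name.
    var host = hostName
    if host.hasSuffix(".local") { host.removeLast(".local".count) }
    return host == "localhost" ? .notExposed : .exposed(host)
}

// Off-device sanity checks of the classifier using constructed values.
assert(expectedHostName(fromDeviceName: "Astronaut Sloth") == "Astronaut-Sloth")
assert(probeHostNameExposure(hostName: "localhost") == .notExposed)
assert(probeHostNameExposure(hostName: "Astronaut-Sloth.local") == .exposed("Astronaut-Sloth"))
```

On a device, an unentitled test app should observe `.notExposed` on a build carrying the iOS 17.0 fix; whether the patched value is exactly `localhost` is an assumption carried over from the iOS 15 behaviour described above.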

## Timeline
- Discovered & reported this entitlement leak/bypass in August 2022 during the iOS 16 beta period.
- Apple patched the issue with iOS 17.0 in September 2023.
- Apple verified that the issue was fixed with iOS 17.0 in September 2023. This issue was not eligible for a bug bounty.
- The public disclosure was added to the [iOS 17.0 Security Notes](https://support.apple.com/en-us/HT213938) in September 2023.

## Final Thoughts
- I can't blame Apple for not wanting to pay a bug bounty for a one-line device-name bypass, but I'll admit it was a little frustrating to hear that an API leaking entitlement-gated information didn't qualify for a bug bounty. If anyone from Apple stumbles upon this, I would take a moment to update the [bug bounty categories](https://security.apple.com/bounty/categories/) page to include more information about similar issues that fall in the "it's a sensitive data bypass, but the data is not that sensitive" category. I still plan to finish up the other user fingerprinting issues I've found, but this experience has taken a bit of the wind out of my sails.
File Snapshot

```
[4.0K] /data/pocs/30b3a85785ceee1ccbbe9f9a662619ce6cad5e2f
├── [4.0K] HostName
│   ├── [4.0K] HostName
│   │   ├── [4.0K] Assets.xcassets
│   │   │   ├── [4.0K] AccentColor.colorset
│   │   │   │   └── [ 123] Contents.json
│   │   │   ├── [4.0K] AppIcon.appiconset
│   │   │   │   └── [ 177] Contents.json
│   │   │   └── [  63] Contents.json
│   │   ├── [ 394] ContentView.swift
│   │   ├── [ 228] HostNameApp.swift
│   │   └── [4.0K] Preview Content
│   │       └── [4.0K] Preview Assets.xcassets
│   │           └── [  63] Contents.json
│   └── [4.0K] HostName.xcodeproj
│       ├── [ 13K] project.pbxproj
│       └── [4.0K] project.xcworkspace
│           ├── [ 135] contents.xcworkspacedata
│           └── [4.0K] xcshareddata
│               └── [ 238] IDEWorkspaceChecks.plist
├── [1.1K] LICENSE
└── [2.2K] README.md

10 directories, 11 files
```