diff --git a/README.md b/README.md index 30c6b02..c1ba6e1 100644 --- a/README.md +++ b/README.md 
@@ -15,47 +15,61 @@ accepts **unauthenticated and unsigned XML property list (.plist) payloads**, ex ## Impact - - **Arbitrary Provisioning:** Attackers can inject custom provisioning logic into the activation workflow.   - - **Bypass Security:** MDM enrollment, signature checks, and user consent are fully bypassed.   - - **Persistence:** Malicious profiles and configurations remain after activation.   - - **Attack Vectors:** Exploitable remotely via captive portals, rogue access points, or compromised provisioning servers.   - - **Techniques:** XML External Entity (XXE) injection, malformed payload acceptance, and silent background task injection.   - - Server responses confirm consistent **HTTP 200 OK** acceptance of illicit payloads without validation. - +--- ## Risk - - **Enterprise & Supply Chain:** Devices can be manipulated before reaching end users.   - - **Stealth:** Changes are invisible to standard logs and forensic tools.   - - **High Severity:** Exploitation requires no jailbreak or physical access.   +--- +## Evidence (Artifact-Based) +**Primary artifact:** `artifacts/mobileactivationd_sdcrt_baa_response.txt`   -## Status +Key observations from the server response: +- `HTTP Status Code: 200 (no error)` — confirms the endpoint accepted the request.   +- Headers: `Server: Apple`, `Host: humb.apple.com`, `HUMBUG_XHEADER_STATUS: 0`.   +- Response body contained multiple PEM certificate blocks (`-----BEGIN CERTIFICATE----- …`).   +- Timestamp in `Date:` header allows correlation with device/system logs.   -- **Case Assigned:** CERT/CC acknowledged, **VRF#25-05-RCKYK** on **May 19, 2025**.   +**Interpretation:** Instead of rejecting invalid/unsigned provisioning data, the server processed the request and returned cryptographic material, demonstrating insufficient validation. -- **Vendor Response:** Apple remains **unresponsive** as of publication.   +--- -- **Mitigation:** No patch available.   
+## Attack Surface & Technical Impact +- **Pre-activation phase:** The flaw manifests before MDM enrollment or user consent.   +- **Delivery vectors:** captive portals, rogue Wi-Fi/APs, compromised provisioning servers.   +- **Technical outcomes:**   +  - Arbitrary provisioning injection   +  - Bypass of signature/consent enforcement   +  - Persistent, stealthy configuration drift in caches such as `CloudKitAccountInfoCache` and `CommCenter`   +--- +## Detection +### Network Indicators +- Responses from `humb.apple.com/humbug/baa` with `200 OK` and PEM certificate blocks.   +- Presence of `HUMBUG_XHEADER_STATUS: 0` in response headers. -## Recommended Actions +### Host Indicators +- Unexpected entries in: +  - `CloudKitAccountInfoCache`   +  - `CommCenter` modem/network configurations   +- Profiles/configs applied post-activation without user or MDM actions. -- Block or monitor traffic to `humb.apple.com/humbug/baa`.   +### Safe Triage Commands +```bash +# Search response captures for certificate blocks +grep -R "-----BEGIN CERTIFICATE-----" /path/to/response_captures/ -- Inspect provisioning workflows for anomalies.   - -- Treat newly provisioned devices as potentially untrusted until a vendor fix is issued. +# Look for humbug headers in activation logs +grep -i "HUMBUG_XHEADER_STATUS" /var/log/mobileactivationd*
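Review bot: The "Interpretation" line in the new Evidence section does not follow from the four observations above it. A `200` from `humb.apple.com/humbug/baa` with `HUMBUG_XHEADER_STATUS: 0` and PEM certificate blocks in the body is what the artifact shows, but nothing in the hunk shows what the request contained (the unsigned/invalid plist the advisory claims was accepted) or how this response differs from the one a legitimate activation receives; without that, "returned cryptographic material, demonstrating insufficient validation" is an assertion, not evidence. The same gap makes the Detection section unusable as written: "Responses from `humb.apple.com/humbug/baa` with `200 OK` and PEM certificate blocks" and "Presence of `HUMBUG_XHEADER_STATUS: 0`" would match every normal activation, so they should be either dropped or narrowed to what actually distinguishes the malicious exchange (for example the request body, or a certificate field bound to attacker-supplied data). Also, the Safe Triage command `grep -i "HUMBUG_XHEADER_STATUS" /var/log/mobileactivationd*` assumes a flat log file that modern macOS does not write; `mobileactivationd` logs through unified logging, so `log show --predicate 'process == "mobileactivationd"'` is the command a responder would actually run. Finally, the hunk removes the "Status" and "Recommended Actions" sections (CERT/CC case, vendor response, the "treat newly provisioned devices as potentially untrusted" guidance) without a replacement visible in this part of the diff; if they are moved rather than deleted, say so in the commit message, and the open ```bash fence needs its closing fence.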