CVE-2015-5770

Vulnerability

MobileInstallation in Apple iOS versions prior to 8.4.1 does not enforce uniqueness of universal provisioning profile bundle IDs. This allows a maliciously crafted enterprise-signed app to replace arbitrary system or third-party extensions on the device. The issue is present in iOS versions up to and including 8.4 [1].

Exploitation

An attacker must have the ability to install an enterprise-provisioned app on the target device, typically by social engineering or physical access to the device. The attacker crafts an enterprise app whose bundle ID matches an existing arbitrary extension (e.g., a system extension or another app's extension). When MobileInstallation processes the provisioning profile, it fails to confirm that the bundle ID is unique and overwrites the target extension with the attacker's code.

Impact

Successful exploitation allows the attacker's extension to replace a legitimate extension on the device. Depending on the replaced extension's privileges and functionality, this can lead to arbitrary code execution within the context of that extension, potential access to sensitive data, or further system compromise. The attacker achieves unauthorized modification of the device's installed extensions.

Mitigation

Apple released iOS 8.4.1 on August 13, 2015, which addresses this issue by ensuring that bundle IDs are unique before installing an enterprise-signed profile [1]. Users should update to iOS 8.4.1 or later. There is no public workaround for systems running earlier versions; the only mitigation is to avoid installing untrusted enterprise apps.