Full Report
When you join a Wi-Fi network that has a captive portal, iOS automatically opens the portal's login page. The browser that renders it is not regular Safari; it is WebSheet, a hidden system app. Naturally, the author asked how much control an attacker has over that content and how well the application is sandboxed. A rogue access point (a Wi-Fi dongle on a Linux machine is enough) can answer the device's captive-portal probe with an attacker-controlled page. That page would carry a WebKit exploit, which is out of scope for the post. Because the page is rendered automatically on connection, this is a zero-click attack surface.

Unlike Safari, WebSheet at the time did not use a split-process model with a separate sandboxed renderer, so a WebKit bug gives code execution directly in the WebSheet process. The sandbox there is restrictive, so the next question is what that process is allowed to do. Its entitlement com.apple.managedconfiguration.profiled-access lets it install a configuration profile, which can include a root CA and proxy settings, and the same mechanism can be used to install an additional fake app in the background, silently backdooring the device. The next interesting entitlement is com.apple.springboard.opensensitiveurl, which allows opening sensitive URL schemes, for instance launching Safari. With it, the attacker can force a URL to be opened once again and deliver the same WebKit exploit to the app that opens it.

I personally love this post. Most of the time we ask, "How can we get in?" or require a full chain of bugs. This post assumes we have a WebKit bug and then extrapolates what we can do with it. Defense-in-depth measures only matter if we properly scrutinize them. The entitlements on this application feel like too much, and it's interesting to see how they can be abused.
Analysis Summary
# Vulnerability: Zero-Click iOS WebSheet Sandbox Escape and Device Compromise
## CVE Details
* **CVE ID:** N/A (Note: The researcher utilized a combination of unspecified WebKit memory corruption vulnerabilities and logic flaws in iOS system entitlements. The vulnerabilities are discussed in a 2016 context and have since been patched by Apple).
* **CVSS Score:** Estimated 9.6 (Critical) for CVSS v3.1 vector AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. A 9.8 would require a network-remote attack vector, which a Wi-Fi proximity attack does not have.
* **CWE:** CWE-267 (Privilege Defined With Unsafe Actions), CWE-250 (Execution with Unnecessary Privileges), CWE-285 (Improper Authorization)
## Affected Systems
* **Products:** Apple iOS (iPhone, iPad, iPod Touch).
* **Versions:** Versions prior to mid-2016 (iOS 9.x and earlier).
* **Configurations:** Devices configured to automatically join Wi-Fi networks or users manually connecting to a "Captive Portal" (Hotspot) network.
## Vulnerability Description
The vulnerability chain relies on the improper sandboxing and over-privileged entitlements of the **WebSheet** application. WebSheet is the system app responsible for displaying login pages for captive Wi-Fi portals.
1. **Captive Portal Probe Interception:** When an iOS device joins a Wi-Fi network, it fetches `http://captive.apple.com/hotspot-detect.html` over plain HTTP and checks for Apple's short "Success" page. A malicious access point on the path can answer that request with any page it likes, and iOS renders that page in WebSheet without asking the user.
2. **Monolithic Process Model:** Unlike Safari, which uses a split-process model to isolate the renderer, WebSheet (at the time, built on UIWebView) ran the renderer in the same process as the application logic. Consequently, a WebKit exploit grants code execution within the WebSheet process context, subject only to that process's sandbox profile.
3. **Entitlement Abuse:** The WebSheet process possessed highly privileged entitlements, specifically:
* `com.apple.managedconfiguration.profiled-access`: Allowed the process to talk to the `profiled` daemon over XPC and install configuration profiles silently, with no user prompt. A profile can carry a root CA, proxy settings and other persistent device configuration.
* `com.apple.springboard.opensensitiveurl`: Allowed the application to launch other system applications via sensitive URL schemes.
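The probe in step 1 is the whole trigger, so it is worth seeing exactly what the device does. The following is an added example for this write-up, not code from the original research or from Apple: it reproduces the probe and the device's decision rule. The URL and the "Success" body are the ones Apple serves; the User-Agent string is an approximation of the `CaptiveNetworkSupport` probe and is an assumption, as are the constructed sample responses. The `is_probe_request` helper shows why a manual browser check on a suspect network proves nothing: a rogue access point can answer the probe alone with a portal page and give every other client the clean "Success" body.

```python
"""Reproduce the captive-portal probe iOS sends on joining a Wi-Fi network.

Added example for this write-up, not code from the original post or from
Apple. The probe URL and the Success body are the ones Apple serves; the
User-Agent string is an approximation of the CaptiveNetworkSupport probe
and is an assumption here. The sample responses are constructed.
"""
import urllib.error
import urllib.request

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
# Exact body captive.apple.com returns. The device does a plain HTTP fetch and
# compares; there is no signature, so any AP on the path can change the answer.
SUCCESS_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
PROBE_USER_AGENT = "CaptiveNetworkSupport/1.0 wispr"  # assumption, see docstring


def classify_probe(status, body):
    """Decide as the device does: only an exact Success answer means 'open'."""
    if status == 200 and body.strip() == SUCCESS_BODY:
        return "open"
    # Anything else (a redirect to a login page, a 200 with other content)
    # makes iOS treat the network as captive and hand the body to WebSheet.
    return "captive"


def probe(url=PROBE_URL, timeout=5.0):
    """Live probe from the current network; returns (verdict, status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": PROBE_USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            return classify_probe(resp.status, body), resp.status, body
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, e.read()), e.code, b""
    except (urllib.error.URLError, OSError):
        # No route or DNS failure: not captive, simply no connectivity.
        return "error", None, b""


def is_probe_request(user_agent):
    """What a rogue AP keys on to target only the probe, not real browsers."""
    return user_agent.startswith("CaptiveNetworkSupport")


# Constructed sample: a portal page that would be rendered by WebSheet.
SAMPLE_CAPTIVE_PAGE = b"<html><body>Welcome, please log in</body></html>"

if __name__ == "__main__":
    print(classify_probe(200, SUCCESS_BODY))         # open
    print(classify_probe(200, SAMPLE_CAPTIVE_PAGE))  # captive
    print(probe())
```

Run it from a laptop on the suspect network to see what the phone would see; the verdict is "captive" for anything other than the byte-exact Success page, which is the only signal iOS has before it hands the content to WebSheet.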
## Exploitation
* **Status:** PoC available (detailed in research blog).
* **Complexity:** Medium (Requires a WebKit RCE and knowledge of iOS private APIs).
* **Attack Vector:** Adjacent (Wi-Fi network proximity). No user interaction required beyond connecting to the network (Zero-click).
## Impact
* **Confidentiality:** High (an installed root CA plus proxy settings let the attacker intercept and decrypt the device's HTTPS traffic).
* **Integrity:** High (silent installation of configuration profiles, fake apps and persistent backdoors; the same WebKit exploit can be re-delivered to other apps via sensitive URL schemes).
* **Availability:** High (control over the device's network configuration and persistence across reboots).
## Remediation
### Patches
* Apple has since transitioned system components to use **WKWebView**, which enforces process separation.
* Entitlements for system applications like WebSheet have been significantly hardened in modern iOS versions (iOS 10+).
### Workarounds
* Avoid connecting to untrusted or "Free" public Wi-Fi networks.
* Disable "Ask to Join Networks" and "Auto-Join" in Wi-Fi settings.
* Utilize a VPN to tunnel traffic once connected, but note that it does not prevent the initial trigger: the captive-portal probe and the WebSheet page load happen before any VPN tunnel is up.
## Detection
* **Indicators of Compromise:** Presence of unexpected Configuration Profiles or Root Certificates in **Settings > General > Profiles & Device Management**.
* **Detection Methods:** On stock iOS there is no user-visible log of XPC calls, so monitoring `com.apple.managedconfiguration.profiled` for clients other than Settings or MDM is only practical on jailbroken research devices or via sysdiagnose analysis. For fleets, have the MDM inventory installed profiles and alert on any profile it did not deploy, and audit exported `.mobileconfig` files for root-certificate, proxy and VPN payloads.
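The entitlement-abuse step above describes what the silently installed profile carries (a root CA and proxy settings), and the indicators above say to look for unexpected profiles. The following audit ties the two together. It is an added example for this write-up, not code from the original research or from Apple: it parses an exported `.mobileconfig` with the standard library and flags the payload types that enable traffic interception or persistence. The `PayloadType` strings are Apple's documented profile payload identifiers; the sample profiles are constructed, and the certificate bytes in them are a placeholder, not a real certificate.

```python
"""Audit an exported .mobileconfig for the payload mix described in the post:
a root CA plus proxy settings, and a profile the user cannot remove.

Added example for this write-up, not code from the original research or
from Apple. The PayloadType strings are Apple's documented profile payload
identifiers; the sample profiles below are constructed, and the certificate
bytes are a placeholder, not a real certificate.
"""
import plistlib

# Documented PayloadType values that matter for the attack in the post.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "adds a root CA the device will trust for TLS",
    "com.apple.security.pkcs1": "adds a certificate to the trust store",
    "com.apple.proxy.http.global": "routes all HTTP(S) through a chosen proxy",
    "com.apple.vpn.managed": "installs a VPN that can capture all traffic",
    "com.apple.webClip.managed": "adds a home-screen web clip (fake app icon)",
}


def audit_profile(data: bytes) -> list:
    """Return a list of findings for one profile; an empty list means clean."""
    head = data.lstrip()[:8]
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        # Signed profiles are CMS/PKCS#7 DER wrapping the plist; unwrap first,
        # e.g. openssl smime -verify -noverify -inform der -in profile.mobileconfig
        raise ValueError("not a plain plist; unwrap the CMS signature first")
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append({"type": "profile", "id": profile.get("PayloadIdentifier"),
                         "reason": "user cannot remove this profile"})
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        reason = RISKY_PAYLOAD_TYPES.get(ptype)
        # A Wi-Fi payload can also force a proxy through its ProxyType key.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            reason = "Wi-Fi payload forces proxy type %s" % payload["ProxyType"]
        if reason:
            finding = {"type": ptype, "id": payload.get("PayloadIdentifier"), "reason": reason}
            for key in ("ProxyServer", "ProxyServerPort", "ProxyPACURL", "URL"):
                if key in payload:
                    finding[key] = payload[key]
            findings.append(finding)
    return findings


# Constructed sample: what a profile installed by the attack could look like.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.hotspot-helper",
    "PayloadUUID": "0F1E2D3C-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Hotspot Helper",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.hotspot-helper.ca",
         "PayloadUUID": "0F1E2D3C-0000-4000-8000-000000000002",
         "PayloadContent": b"placeholder-not-a-real-certificate"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.hotspot-helper.proxy",
         "PayloadUUID": "0F1E2D3C-0000-4000-8000-000000000003",
         "ProxyType": "Manual", "ProxyServer": "10.0.0.1", "ProxyServerPort": 8080},
    ],
})

# Constructed sample: a benign Wi-Fi profile with no proxy, for the negative case.
CLEAN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.office-wifi",
    "PayloadUUID": "0F1E2D3C-0000-4000-8000-000000000010",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.office-wifi.net",
         "PayloadUUID": "0F1E2D3C-0000-4000-8000-000000000011",
         "SSID_STR": "Office", "EncryptionType": "WPA", "ProxyType": "None"},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Export profiles with your MDM or from a sysdiagnose and run them through `audit_profile`; a root-CA payload paired with a global proxy pointing at an address you did not deploy is exactly the footprint the post describes.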
## References
* Marco Grassi's Research: [https://marcograss.github.io/](https://marcograss.github.io/)
* Apple Security Advisories: [https://support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222)