Associated Vulnerability
Title: Apple iOS and iPadOS security vulnerability (CVE-2022-46718)
Description: A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to read sensitive location information.
Description
CVE-2022-46718: an app may be able to read sensitive location information.
Readme
# CoreParsecLocation
**tl;dr add an entitlement check to `parsecd`**
## Overview
CoreParsecLocation is a sample application demonstrating how a third-party app can access a user's precise location without the user's consent or permission. `parsecd`/`CoreParsec` also provides information such as localized search suggestions, knowledge cards, and a temporary user ID. Thankfully, I do not believe the user ID is persisted or recycled at this time.
## Timeline
- Discovered the information leak in November 2022 and reported the finding to Apple.
- Apple patched the issue with iOS 16.2 in December 2022.
- Apple verified that the issue was fixed in January 2023, assigned CVE-2022-46718 to it, and paid out a bug bounty of $35,000.
- *This part bugs me a bit* The public disclosure was added to the [iOS 16.2 Security Notes](https://support.apple.com/en-us/HT213530) on May 1st, 2023.
## How does it work?
During a routine Frameworks expedition, I noticed an active `NSXPCConnection` to `parsecd`. After a few days of tinkering, I discovered that `parsecd` would respond to search queries from any application as long as I spoofed the correct header information. In this case, I used the `SPPARSession` class, which sets up a session for Spotlight.
At first, I assumed that the `PARResponse` object would only return a GeoIP location (which isn't that useful on its own). However, after trying numerous search queries, I discovered that searching for "restaurants" would cause `parsecd` to grab the user's precise location. It then returned the location information to me via the `PARResponse` object.
`parsecd` also returns additional information, such as localized news results and search suggestions. I do not believe these contain any user-identifiable information at this time. After submission, I plan to further explore the additional responses.
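The tl;dr above is that `parsecd` should check a caller entitlement before answering, because today it serves any process that speaks the right protocol. The block below is an added illustration of that mitigation pattern; it is not code from the CoreParsecLocation project and not Apple's actual fix, whose details are not public. It shows how a libxpc-based daemon on macOS 13 or later can identify the sender of each message with the public `SecCodeCreateWithXPCMessage` API and evaluate it against a code-signing requirement. The service name `com.example.parsecd` and the entitlement `com.example.parsec.client` are constructed placeholders, and the `anchor apple` clause is an assumption about how a private entitlement would normally be gated.

```swift
import Foundation
import Security

// Placeholder names constructed for this example; the real parsecd service
// and entitlement names are not given on the page.
let serviceName = "com.example.parsecd"
let requiredEntitlement = "com.example.parsec.client"

// Requirement every peer must satisfy: Apple-signed (assumption: a private
// entitlement would only ever be granted to Apple-signed clients) and
// carrying the entitlement. Keys are quoted in the requirement language.
func makeRequirement() -> SecRequirement? {
    var requirement: SecRequirement?
    let text = "anchor apple and entitlement[\"\(requiredEntitlement)\"] exists"
    let status = SecRequirementCreateWithString(text as CFString, [], &requirement)
    return status == errSecSuccess ? requirement : nil
}

// Identify the process that sent this exact message (macOS 13+) and evaluate
// it against the requirement. A sender that cannot be identified is denied.
func senderIsEntitled(_ message: xpc_object_t, _ requirement: SecRequirement) -> Bool {
    var code: SecCode?
    guard SecCodeCreateWithXPCMessage(message, [], &code) == errSecSuccess,
          let sender = code else {
        return false
    }
    return SecCodeCheckValidity(sender, [], requirement) == errSecSuccess
}

// Handle one request. The privileged payload is only attached for entitled
// callers; everyone else gets a refusal, and the denial is logged so that
// repeated probing by unentitled apps is visible to defenders.
func handle(_ message: xpc_object_t, from peer: xpc_connection_t, _ requirement: SecRequirement) {
    guard let reply = xpc_dictionary_create_reply(message) else { return }
    if senderIsEntitled(message, requirement) {
        xpc_dictionary_set_string(reply, "status", "ok")
        // ... populate the location-bearing response here ...
    } else {
        xpc_dictionary_set_string(reply, "status", "denied")
        NSLog("parsec-example: denied request from pid %d", xpc_connection_get_pid(peer))
    }
    xpc_connection_send_message(peer, reply)
}

guard let requirement = makeRequirement() else {
    fatalError("could not compile code-signing requirement")
}

// Listener side: accept connections, but gate every message individually.
let listener = xpc_connection_create_mach_service(serviceName, nil,
                                                  UInt64(XPC_CONNECTION_MACH_SERVICE_LISTENER))
xpc_connection_set_event_handler(listener) { event in
    guard xpc_get_type(event) == XPC_TYPE_CONNECTION else { return }
    let peer = event
    xpc_connection_set_event_handler(peer) { message in
        if xpc_get_type(message) == XPC_TYPE_DICTIONARY {
            handle(message, from: peer, requirement)
        }
    }
    xpc_connection_resume(peer)
}
xpc_connection_resume(listener)
dispatchMain()
```

The check runs per message rather than once per connection, so a client cannot be accepted and then have its messages answered under a different identity. `SecCodeCreateWithXPCMessage` is only available from macOS 13, which matches the Ventura 13.1 fix listed above; on the Big Sur and Monterey branches of the fix the daemon would need another way to obtain the sender's identity, which this example does not show.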
## Important Tidbits
- The user *IS NOT* notified that their location is currently in use. I'm unsure how often `parsecd` asks for a new location, but I did not see a location indicator in the status bar during my testing.
- The location updates every 100ft or so.
- Affects iOS 16/16.0.1.
- Makes use of the third-party library `Dynamic` (found here: https://github.com/mhdhejazi/Dynamic). This library is not required to exploit `parsecd`, but it does make it easier to use third-party APIs without exposed headers.
- Requires an internet connection, although I'm still testing to see if `parsecd` will return the location without one.
- I believe this falls under the "User-Installed App: Unauthorized Access to Sensitive Data" category on https://developer.apple.com/security-bounty/payouts/.
- This code is _not my best work_ but I was very excited to submit this and wrote it at 3AM. If y'all have any questions/comments please don't hesitate to reach out.
File Snapshot

```
[4.0K] /data/pocs/0e2fb020aa78d3a026b3079bf26e1d6fcd31d6dd
├── [4.0K] CoreParsecLocation
│   ├── [4.0K] CoreParsecLocation
│   │   ├── [4.0K] Assets.xcassets
│   │   │   ├── [4.0K] AccentColor.colorset
│   │   │   │   └── [ 123] Contents.json
│   │   │   ├── [4.0K] AppIcon.appiconset
│   │   │   │   └── [ 177] Contents.json
│   │   │   └── [  63] Contents.json
│   │   ├── [ 367] CoreParsecLocationApp.swift
│   │   ├── [1020] RootView.swift
│   │   └── [3.8K] SeemsLegitLocationManager.swift
│   ├── [4.0K] CoreParsecLocation.xcodeproj
│   │   ├── [ 14K] project.pbxproj
│   │   └── [4.0K] project.xcworkspace
│   │       ├── [ 135] contents.xcworkspacedata
│   │       └── [4.0K] xcshareddata
│   │           └── [ 238] IDEWorkspaceChecks.plist
│   └── [4.0K] Third Party
│       └── [4.0K] Dynamic
│           ├── [9.9K] LICENSE
│           ├── [ 490] Package.swift
│           ├── [ 14K] README.md
│           ├── [4.0K] Sources
│           │   └── [4.0K] Dynamic
│           │       ├── [9.5K] Dynamic.swift
│           │       ├── [8.7K] Invocation.swift
│           │       ├── [2.7K] Logger.swift
│           │       └── [5.2K] TypeMapping.swift
│           └── [4.0K] Tests
│               ├── [4.0K] DynamicTests
│               │   └── [ 12K] DynamicTests.swift
│               ├── [ 714] LinuxMain.stencil
│               └── [ 637] LinuxMain.swift
├── [1.1K] LICENSE
└── [2.8K] README.md

14 directories, 21 files
```