New issue
Advanced search Search tips
This site will be read-only for 3-4 hours starting at Sunday, 08:00AM PDT
Starred by 3 users

Issue metadata

Status: Fixed
Closed: Feb 2017

Sign in to add a comment

macOS: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.

Project Member Reported by, Dec 14 2016 Back to list

Issue description

HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/

or using "help:" scheme:

HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.

HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".

document.location = "help:///Applications/";

The attached poc will pop up a Calculator.

Tested on macOS Sierra 10.12.1 (16B2659).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

1.9 KB View Download
Project Member

Comment 1 by, Jan 20 2017

Labels: CVE-2017-2361
Project Member

Comment 2 by, Feb 2 2017

Status: Fixed
Project Member

Comment 3 by, Feb 22 2017

Labels: -Restrict-View-Commit

Sign in to add a comment