SSD Advisory – iOS/macOS Safari Sandbox Escape via QuartzCore Heap Overflow

Credit to Author: SSD / Ori Nimron | Date: Sun, 02 Dec 2018 13:08:59 +0000

Vulnerabilities Summary QuartzCore ( https://developer.apple.com/documentation/quartzcore ), also known as CoreAnimation, is a framework used by macOS and iOS to build an animatable scene graph. CoreAnimation uses a unique rendering model in which the graphics operations are run in a separate process. On macOS, that process is WindowServer; on iOS it is backboardd. Both of …


SSD Advisory – Chrome AppCache Subsystem SBX by utilizing a Use After Free

Credit to Author: SSD / Ori Nimron | Date: Mon, 29 Oct 2018 09:23:16 +0000

Vulnerabilities Summary The vulnerability exists in the AppCache subsystem in Chrome Versions 69.0 and before. This code is located in the privileged browser process outside of the sandbox. The renderer interacts with this subsystem by sending IPC messages from the renderer to the browser process. These messages can cause the browser to make network requests, …


SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

Credit to Author: SSD / Ori Nimron | Date: Mon, 20 Aug 2018 06:00:52 +0000

Vulnerability Summary VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS …


SSD Security Advisory – Mac OS X 10.12 Quarantine Bypass

Credit to Author: SSD / Maor Schwartz | Date: Sun, 15 Oct 2017 06:02:53 +0000

Vulnerability Summary Mac OS X contains a vulnerability that allows an attacker to bypass Apple's Quarantine mechanism and execute arbitrary JavaScript code without any restrictions.

Credit Filippo Cavallarin, a security researcher from WeAreSegment, reported this vulnerability to Beyond Security's SSD.

Vendor Response Apple received our report on June 27, 2017, and exchanged several messages with us. Apple informed us that the vulnerability would be patched in the upcoming High Sierra release. After that, Apple provided no further information: neither a link to an advisory nor any information about a CVE assignment. We have verified that the vulnerability no longer exists in Mac OS X High Sierra. The remedy is to upgrade to Mac OS X High Sierra, or to remove the rhtmlPlayer.html file.

Vulnerability Details Apple's Quarantine mechanism works by setting an extended attribute on downloaded files (this also applies to files extracted from downloaded archives/images), so that the system opens/executes them in a restricted environment. For example, a quarantined HTML file cannot load local resources. This vulnerability exists in an HTML file (part of the Mac OS X core) that is susceptible to DOM-based XSS, allowing arbitrary JavaScript commands to be executed in its (unrestricted) context. The full path of the file is: /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html. The file contains the following code: [code listing not included in this excerpt]

In short, this code extracts a URL from the "rhtml" query-string parameter, issues a request to that URL, and executes the response data as JavaScript code. The code below contains two separate DOM-based XSS issues. The first, in the loadLocStrings() function, creates a SCRIPT element and uses the "rhtml" parameter as its "src" attribute. The second, in the init() function, makes an ajax call using the "rhtml" parameter and then passes the response directly to eval(). The result is that the same payload is executed twice. By supplying a URI, an attacker controls the response data and thereby obtains code execution.

One possible way to exploit the vulnerability is through .webloc files. Essentially, these files contain a URL and only need to be loaded in Safari. By crafting a .webloc file and luring the victim into opening it, an attacker can execute JavaScript commands with high privileges on the victim's computer. Since .webloc files also use extended attributes to store their data, the attacker must pack the file in a tar file (or any other file format that supports extended attributes).

Proof of Concept Reproduce the vulnerability with the following steps:

1. Create the JavaScript file you want to execute on the target.
2. Base64-encode the file contents.
3. Encode it as a "URI component" (for example, using the JavaScript encodeURIComponent function).
4. Use it to build a URI of the form: data:text/plain;base64,
5. Prepend the following string: file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=
6. Open it with Safari.
7. Save it as a bookmark.
8. Drag the bookmark into Finder (this creates a .webloc file; if the extension is not .webloc, rename it to .webloc).
9. Create a tar archive containing the .webloc file.
10. Send the archive to the victim.

Note that, because of how rhtmlPlayer.html processes it, in order to access local resources the first line of the JavaScript code must be: [code listing not included in this excerpt]

The following bash script converts a JavaScript file into the final "file" URL: …


SSD Advisory – Mac OS X 10.12 Quarantine Bypass

Credit to Author: SSD / Noam Rathaus | Date: Thu, 28 Sep 2017 20:52:32 +0000

Vulnerability summary Mac OS X contains a vulnerability that allows bypassing of the Apple Quarantine and the execution of arbitrary JavaScript code without any restrictions. Credit A security researcher from WeAreSegment, Filippo Cavallarin, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. Vendor response Apple has been notified on the 27th of June …
