X Site eScape (Part II): Look Up a Shell in the Dictionary

This post is the last part of this silly series, but I think it’s the only noteworthy one. The exploit chain triggers two XSS across two privileged WebViews and bypasses GateKeeper to execute arbitrary native code outside the sandbox. It works on both High Sierra and Mojave.

  • MobileAsset arbitrary URL replacement leads to GateKeeper bypass and SIP-protected system resource replacement, which is used to trigger persistent XSS in the Dictionary app
  • WebKit::WebPage::performDictionaryLookupOfCurrentSelection to open LookupViewService
  • LookupViewService x-dict:// URL scheme navigation
  • Dictionary.app XSS to arbitrary command execution

The demo below is chained with LinusHenze/WebKit-RegEx-Exploit. The sandbox escape part worked for macOS up to 10.14.6.

X Site eScape (Part III): CVE-2020-9860, A Copycat

Safari sandbox escape in pure JavaScript, inspired by Lokihardt

X Site eScape (Part I): Exploitation of An Old CoreFoundation Sandbox Bug

What is your impression of XSS? Stealing credentials from websites? Struggling for CSP and SameSite cookies?

Here’s an odd case for it. The input vector has nothing to do with the HTTP protocol, and the motivation is to escape the sandbox instead of exfiltrating sensitive tokens. It’s a story about how I turned a sandbox escape primitive into an XSS in a privileged WebView and achieved further native code execution.

Last year I blogged about a TOCTOU bug that doesn’t require a race. It seemed to be long-standing, since OS X Yosemite or even earlier, definitely before I ever had my very first Mac.

Revisiting an old MediaRemote bug (CVE-2018-4340)

This post is the first part of a series of Safari sandbox escapes I found on macOS. This bug was found on High Sierra (10.13.x) two years ago. I wrote about this bug once. Thought it was useless, and Apple wouldn’t care about it, so I published the details before the response. Then the security team asked me to take it down because they were still working on it.

I’ve also talked about it at TyphoonCon 2019. I did not release the slides because I had some 0days at the time that shared a similar pattern: triggering XSS in a privileged WebView via sandbox-reachable IPCs. This PoC worked on all Mojave until Catalina unintentionally broke some part of it.

Now here are the slides. The git history is still there, so it’s been public for quite a while:

https://github.com/ssd-secure-disclosure/typhooncon2019/blob/f253778bf80de7358545a547722483a677508eef/Zhi%20Zhou%20-%20I%20Want%20to%20Break%20Free%20(TyphoonCon).pdf

Two macOS Persistence Tricks Abusing Plugins

This blog does not involve any vulnerability, but I hope the readers can find these tricks useful for red teaming and anti-malware.

Since Mojave (10.14), Hardened Runtime has been introduced to bring global Library Validation enforcement, which prohibits dynamic libraries without a valid code signature from the same developer or Apple from being loaded.

Some entitlements can mark an executable as an exception.
