AFFECTED PRODUCTS
——————–
Safari < 10.0.1 on Mac

DESCRIPTION
——————–
The Safari plug-ins view page has multiple stored XSS vulnerabilities, in the MIME Type, Description and Extensions fields.

This page is a local file:

When a user has installed a malicious plug-in and opens Safari -> Help menu -> Installed Plug-ins to view plug-in information, they may suffer a UXSS attack.

PoC
——————–
Attackers publish malicious plug-ins. In Xcode, the plug-in's info.plist is set so that it contains the injected malicious code.

The content of info.plist

Copy the plug-in into "~/Library/Internet Plug-Ins". Restart Safari, and it will work. Open Safari -> Help menu -> Installed Plug-ins to view plug-in information.
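
A defensive check for the condition described above, as an added example that is not part of the original advisory: it reads a plug-in's Info.plist and reports MIME type, description and extension values that contain markup, HTML-escaped so they are safe to display. The WebPlugin* key names are the standard WebKit plug-in Info.plist keys rather than values taken from this page, the Contents/Info.plist bundle layout is assumed, and the sample plist is constructed.

```python
import html
import plistlib
import re
from pathlib import Path

MARKUP = re.compile(r"[<>]")  # not expected in a MIME type, description or extension

def plugin_fields(plist_bytes):
    """Yield (label, value) for the metadata a plug-in listing displays."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    if not isinstance(info, dict):
        return
    for key in ("WebPluginName", "WebPluginDescription"):
        if isinstance(info.get(key), str):
            yield key, info[key]
    mime_types = info.get("WebPluginMIMETypes")
    if not isinstance(mime_types, dict):
        return
    for mime, entry in mime_types.items():
        yield "MIME Type", mime
        if not isinstance(entry, dict):
            continue
        desc = entry.get("WebPluginTypeDescription")
        if isinstance(desc, str):
            yield "Description", desc
        exts = entry.get("WebPluginExtensions")
        for ext in exts if isinstance(exts, list) else []:
            if isinstance(ext, str):
                yield "Extensions", ext

def audit(plist_bytes):
    """Return (label, escaped value) for every field carrying markup."""
    return [(label, html.escape(value, quote=True))
            for label, value in plugin_fields(plist_bytes)
            if MARKUP.search(value)]

# Constructed sample with harmless markup only; not a real plug-in.
SAMPLE = plistlib.dumps({
    "WebPluginName": "Example Plug-in",
    "WebPluginDescription": "Plays example media",
    "WebPluginMIMETypes": {"application/x-example": {
        "WebPluginTypeDescription": "Example <b>marker</b>",
        "WebPluginExtensions": ["exm", "ex<i>"]}},
})

if __name__ == "__main__":
    print(audit(SAMPLE))
    for p in Path.home().glob("Library/Internet Plug-Ins/*/Contents/Info.plist"):
        for label, shown in audit(p.read_bytes()):
            print(f"{p}: {label}: {shown}")
```
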

Steal user passwd file POC:

UXSS POC:

Disclosure Timeline
——————–

2016/7/27 Provided vulnerability details to Apple via product-security@apple.com

2016/10/24 Apple fixed it in Safari 10.0.1

2016/11/18 Apple reply: No CVE was issued because this issue required the precondition that the user install a malicious plug-in.