AFFECTED PRODUCTS
——————–
Safari < 10.0.1 on Mac

DESCRIPTION
——————–
The Safari Installed Plug-ins view page has multiple stored XSS vulnerabilities: a plug-in's MIME Type, Description and Extensions fields are placed into the page unescaped.

This page is a local file.

When a user has installed a malicious plug-in and opens Safari -> Help menu -> Installed Plug-ins to view the plug-in information, the user may suffer a UXSS attack.

PoC
——————–
Attackers publish a malicious plug-in. In Xcode they set the plug-in's Info.plist so that its metadata fields (MIME type, description, extensions) carry the injected code.

The content of Info.plist:

Copy the plug-in into “~/Library/Internet Plug-Ins” and restart Safari so that it is loaded. Then open Safari -> Help menu -> Installed Plug-ins to view the plug-in information; the injected code runs when that page is rendered.
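
The Info.plist contents and the PoC payloads are not reproduced on this page. The JavaScript below is an added example, not the author's PoC and not Safari's code: it models the rendering step in which an installed-plug-ins page turns each plug-in's MIME type, description and extensions (strings the plug-in itself chooses in its Info.plist) into an HTML table row, first without escaping, which is the behaviour described above, and then with the escaping that closes the hole. The plug-in entries are constructed, and `containsInjectedTag` is a check written here for the example. Run it with Node.js.

```javascript
// Added example: models the "Installed Plug-ins" page rendering, not Safari's
// real code. Plug-in metadata comes from the plug-in's own Info.plist, so it is
// attacker-controlled and must be treated as untrusted text.

// Constructed plug-in metadata (assumption: one object per installed plug-in).
// The second entry carries payloads in the fields the advisory names.
const PLUGINS = [
  {
    name: 'Example Viewer',
    mimeType: 'application/x-example',
    description: 'Example document viewer',
    extensions: 'ex, exm',
  },
  {
    name: 'Evil Plugin',
    mimeType: 'application/x-evil',
    description: '<script>alert(document.location)</script>',
    extensions: '"><img src=x onerror=alert(1)>',
  },
];

// Vulnerable rendering: the fields go straight into the markup, so a plug-in
// that ships HTML in its description has it interpreted as HTML.
function renderRowUnsafe(p) {
  return `<tr><td>${p.mimeType}</td><td>${p.description}</td>` +
         `<td>${p.extensions}</td></tr>`;
}

// HTML-escape a string for use as element text content (also safe inside a
// double-quoted attribute, since '"' is escaped as well).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every plug-in-controlled field is escaped first.
function renderRowSafe(p) {
  return `<tr><td>${escapeHtml(p.mimeType)}</td><td>${escapeHtml(p.description)}</td>` +
         `<td>${escapeHtml(p.extensions)}</td></tr>`;
}

// Check used here to show the difference: after removing the <tr>/<td> tags
// the template itself emits, does any other tag start remain in the output?
function containsInjectedTag(rowHtml) {
  const withoutTemplateTags = rowHtml.replace(/<\/?t[rd]>/g, '');
  return /<[a-z!\/]/i.test(withoutTemplateTags);
}

// Render every plug-in both ways and report which rows would carry markup
// that the plug-in, not the page, supplied.
function auditRendering(plugins) {
  return plugins.map((p) => ({
    name: p.name,
    unsafeInjects: containsInjectedTag(renderRowUnsafe(p)),
    safeInjects: containsInjectedTag(renderRowSafe(p)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of auditRendering(PLUGINS)) console.log(row);
}
```

The audit reports `unsafeInjects: true` only for the constructed "Evil Plugin" entry, and `safeInjects: false` for every entry; the same escaping must be applied to each plug-in-controlled field, not only the description, because the advisory names all three fields as injection points.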

Steal user passwd file POC:

UXSS POC:

Disclosure Timeline
——————–

2016/7/27 Provided vulnerability details to Apple via product-security@apple.com

2016/10/24 Apple fixed it in Safari 10.0.1

2016/11/18 Apple reply: No CVE was issued because this issue required the precondition that the user install a malicious plug-in.

CSS Handling Status Bar Spoofing: I found this interesting vulnerability 5 years ago, and it still exists now. When a key UI module of the browser can be controlled by the user, I think it is dangerous, such as the origin of the dialog box, etc. Of course, the status bar of the browser is different from traditional browser URL spoofing; it is more like a logical error in the design, which lets the attacker use CSS to draw an exactly identical status bar. Although it is not as serious as you might think, I still stick to my point of view: when an attacker can control a UI module of the browser, a phishing attack may happen at any time.

Now you can try CSS Handling Status Bar Spoofing 

References:
Microsoft Internet Explorer CSS Handling Status Bar Spoofing Vulnerability
http://www.securityfocus.com/bid/47547
Google Chrome CSS Handling Status Bar Spoofing Vulnerability
http://www.securityfocus.com/bid/47548
Mozilla Firefox CSS Handling Status Bar Spoofing Vulnerability
http://www.securityfocus.com/bid/47549

Vulnerability Details:

Fixed in Firefox 44.0

(1) The notification dialog shows no origin hint or warning. An attacker can therefore display a malicious notification dialog that seemingly originates from a trusted site; typically this dialog would mimic the legitimate site. An attacker may exploit this vulnerability to spoof the interface of a trusted web site.

Origin Spoof Demo: http://xisigr.com/test/notification/1.html

(2) A Web Notification is displayed in full, so a notification dialog can fill the whole screen, which enables a denial-of-service attack.

Full-Screen Display DoS Demo: http://xisigr.com/test/notification/2.html

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1220519

CREDIT:
This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
Email: xisigr@gmail.com

Vulnerability Details:

When Notes synchronizes iCloud data, the data is not properly filtered, leading to an XSS vulnerability. A local user may be able to leak sensitive user information.

Disclosure Timeline:

2015/3/28 Provided vulnerability details to Apple via product-security@apple.com
2015/3/28 Apple automatic reply
2015/3/29 Apple responded that they were verifying the proof-of-concept code
2015/9/30 Apple advisory disclosed, CVE-2015-5875

References:

https://support.apple.com/HT205267
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html

Credit:

This vulnerability was discovered by: xisigr

AFFECTED PRODUCTS
——————–

Safari for Mac:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3

Safari for iPad:
Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4

Safari for iPhone:
Mozilla/5.0 (iPhone; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4

DESCRIPTION
——————–
When a URL in Safari contains a domain followed by a colon and a port, and the text after the colon is not numeric, the address bar displays only the part before the colon as the domain name; the page rendered for that navigation is blank by default and its content can be changed arbitrarily. An attacker can therefore craft a phishing page that forges any domain in the address bar and controls the content shown under it. On iPhone/iPad, the origin shown in JavaScript alerts and warnings is forged as well, and an HTTPS address is shown with the small lock icon, which makes users believe the current domain is trustworthy.

PoC
——————–
PoC for iPad/iPhone

Save as url.html and open in Safari.

PoC for Mac

Save as url.html and open in Safari.
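
The url.html PoCs are not reproduced on this page. The JavaScript below is an added example, not the author's PoC and not Safari's code. `naiveDisplayedHost` is an assumption that models the symptom described above (the address bar cuts the authority at the first colon and shows what precedes it), not Safari's implementation; `parsedHost` runs the same input through the WHATWG URL parser that Node.js and browsers expose as the global `URL`, which rejects a non-numeric port outright and treats anything before `@` as userinfo rather than host. The third sample goes beyond the page's case to show the related userinfo form. The inputs are constructed. Run it with Node.js.

```javascript
// Added example, not Safari's code: how a displayed host can diverge from the
// host a standards-based parser would actually navigate to.

// Assumption for the example: a naive address-bar model that takes the
// authority component and cuts it at the first ':' no matter what follows.
// This mirrors the symptom in the advisory, not Safari's real implementation.
function naiveDisplayedHost(url) {
  const m = /^[a-z][a-z0-9+.\-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const colon = authority.indexOf(':');
  return colon === -1 ? authority : authority.slice(0, colon);
}

// WHATWG parsing via the global URL class. A port that is not all digits is a
// parse failure, and "user:pass@" before the host is userinfo, so the host is
// whatever follows the '@'.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// What a careful UI should show: the parsed host, or an explicit marker when
// the parser refused the URL, never a substring of the raw text.
function addressBarHost(url) {
  const host = parsedHost(url);
  return host === null ? '(invalid URL)' : host;
}

// Constructed inputs.
const SAMPLES = [
  'https://www.apple.com:443/',           // numeric port: both views agree
  'https://www.apple.com:abc/',           // non-numeric port: the case in the advisory
  'https://www.apple.com:@evil.example/', // ':' inside userinfo: beyond the page's case
];

// Side-by-side comparison of the naive display, the parsed host and what the
// address bar should show for each sample.
function compareHosts(urls) {
  return urls.map((url) => ({
    url,
    naive: naiveDisplayedHost(url),
    parsed: parsedHost(url),
    shown: addressBarHost(url),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareHosts(SAMPLES));
}
```

For the advisory's case the naive model shows `www.apple.com` while the parser returns no host at all, and for the userinfo form the naive model still shows `www.apple.com` while the parser resolves `evil.example`; an address bar that derives its text from the parsed URL rather than from the raw string shows neither spoofed value.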

CREDIT
——————–
This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
Email: xisigr@gmail.com
Attack Video
——————–


References
——————–
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
CONFIRM:https://support.apple.com/kb/HT205030
CONFIRM:https://support.apple.com/kb/HT205033
APPLE:APPLE-SA-2015-08-13-1
URL:http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
APPLE:APPLE-SA-2015-08-13-3
URL:http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

———————————————-update: 2016/3/17—————————————-

Bypassing SOP and shouting hello before you cross the pond

[Screenshot 2016-03-17 9.03.29 PM]