【CVE-2015-3755】Apple Safari URL and JavaScript Prompt Origin Spoof Vulnerability && FF Bypass SOP

AFFECTED PRODUCTS
——————–

Safari for Mac:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3

Safari for iPad:
Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4

Safari for iPhone:
Mozilla/5.0 (iPhone; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4

DESCRIPTION
——————–
When Safari loads a URL in which the domain is followed by a colon (:) and a non-numeric port, the address bar displays the domain name that precedes the colon, while the page is rendered blank by default and its content can be changed arbitrarily. An attacker can carefully construct a malicious phishing page that forges any domain in the address bar and changes the content of the page. On iPhone/iPad, the source shown in JavaScript alerts and warnings is forged as well, and for HTTPS the address bar shows a small lock icon, which makes users believe that the current domain is more credible.
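One way to screen links (for example in a mail gateway or proxy log) for the URL shape described above, a colon after the host followed by a non-numeric port. This is an added example, not part of the original advisory; the function names checkPort and flagged are hypothetical and the example.* URLs are constructed sample input.

```javascript
// Added example: flag URLs whose authority carries a non-numeric port.
// RFC 3986: authority = [ userinfo "@" ] host [ ":" port ], port = *DIGIT.
function checkPort(rawUrl) {
  // Scheme, then "//", then the authority up to the first "/", "?" or "#".
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(rawUrl.trim());
  if (!m) return { url: rawUrl, verdict: "no-authority" };
  // Drop userinfo: everything up to the last "@" in the authority.
  const hostPort = m[2].slice(m[2].lastIndexOf("@") + 1);
  let host = hostPort, port = null;
  if (hostPort.startsWith("[")) {
    // IPv6 literal: colons inside the brackets are not port delimiters.
    const end = hostPort.indexOf("]");
    if (end === -1) return { url: rawUrl, verdict: "malformed-host" };
    host = hostPort.slice(0, end + 1);
    const rest = hostPort.slice(end + 1);
    if (rest !== "") {
      if (rest[0] !== ":") return { url: rawUrl, verdict: "malformed-host" };
      port = rest.slice(1);
    }
  } else {
    const i = hostPort.indexOf(":");
    if (i !== -1) { host = hostPort.slice(0, i); port = hostPort.slice(i + 1); }
  }
  // An absent or empty port is valid and means the scheme default.
  if (port === null || port === "") return { url: rawUrl, host, verdict: "ok" };
  if (!/^[0-9]+$/.test(port)) return { url: rawUrl, host, port, verdict: "non-numeric-port" };
  if (Number(port) > 65535) return { url: rawUrl, host, port, verdict: "port-out-of-range" };
  return { url: rawUrl, host, port, verdict: "ok" };
}

// Constructed sample input (example.* names are placeholders).
const samples = [
  "https://www.example.com/login",
  "https://www.example.com:8443/login",
  "https://www.example.com:abc/login",
  "http://[2001:db8::1]:8080/",
  "http://user@www.example.org:80x/",
  "http://www.example.net:70000/",
];

// Return only the entries that deserve a closer look.
function flagged(urls) {
  return urls.map(checkPort).filter((r) => r.verdict !== "ok");
}

for (const r of flagged(samples)) console.log(r.verdict, r.host, r.url);
```

The host field of a flagged result is the name a user would read in front of the colon, which is the value worth comparing against the brands or domains being protected.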

PoC
——————–
PoC for iPad/iPhone

Save as url.html, and open in Safari.

PoC for Mac

Save as url.html, and open in Safari.

CREDIT
——————–
This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
Email: xisigr@gmail.com

References
——————–
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
CONFIRM:https://support.apple.com/kb/HT205030
CONFIRM:https://support.apple.com/kb/HT205033
APPLE:APPLE-SA-2015-08-13-1
URL:http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
APPLE:APPLE-SA-2015-08-13-3
URL:http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

 

Update: 2016/3/17
——————–

Bypassing SOP and shouting hello before you cross the pond

 
