CVE-2016-4585 - Cross-site Scripting vulnerability in Apple WebKit
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
Cross-site scripting (XSS) vulnerability in the WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to inject arbitrary web script or HTML via an HTTP response specifying redirection that is mishandled by Safari.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
OS | | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Embedding Scripts in Non-Script Elements This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch an XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) from the ability of the remote attacker to collect and interpret the output of said attack.
- Embedding Scripts within Scripts An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protection against writing.
- Cross-Site Scripting in Error Pages An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker, the infected error message is returned including the exploit code, which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
- Cross-Site Scripting Using Alternate Syntax The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
Nessus
NASL family | Misc. |
NASL id | APPLETV_9_2_2.NASL |
description | According to its banner, the version of the remote Apple TV device is prior to 9.2.2. It is, therefore, affected by multiple vulnerabilities in the following components: CoreGraphics, ImageIO, IOAcceleratorFamily, IOHIDFamily, Kernel, libxml2, libxslt, Sandbox Profiles, WebKit, WebKit Page Loading. Note that only 4th generation models are affected by the vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92494 |
published | 2016-07-21 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92494 |
title | Apple TV < 9.2.2 Multiple Vulnerabilities |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3079-1.NASL |
description | A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 93511 |
published | 2016-09-15 |
reporter | Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/93511 |
title | Ubuntu 16.04 LTS : webkit2gtk vulnerabilities (USN-3079-1) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SAFARI9_1_2.NASL |
description | The version of Apple Safari installed on the remote Mac OS X host is prior to 9.1.2. It is, therefore, affected by multiple vulnerabilities, the most serious of which can result in remote code execution, in the following components: WebKit, WebKit JavaScript Bindings, WebKit Page Loading. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92358 |
published | 2016-07-19 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92358 |
title | Mac OS X : Apple Safari < 9.1.2 Multiple Vulnerabilities |
Seebug
bulletinFamily | exploit |
description | This article is translated from http://www.mbsd.jp/blog/20160921.html, with some changes. **Original author: Takeshi Terada, Professional Services division, MBSD** **Translator: Holic (Knownsec 404 security lab)** Part of the content is translated from [MBSD](<http://www.mbsd.jp/blog/20160921.html>), with changes.

## 0x00 Vulnerability overview

#### Vulnerability description

URL redirection vulnerabilities sometimes give rise to context-dependent vulnerabilities, of which redirection leading to XSS is a common example. This article describes a [vulnerability](<https://support.apple.com/HT206900>) found a year ago and reported to Apple, assigned [CVE-2016-4585](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4585>). The relevant details are described below.

#### Exploitation points

1. Manipulating the request Host header
2. Origin-confusion XSS

In addition, sensitive information can be stolen and phishing attacks extended.

#### Affected components

[Safari < v9.1.2](<https://support.apple.com/HT206900>), [iOS < v9.3.3](<https://support.apple.com/HT206902>), [tvOS < v9.2.2](<https://support.apple.com/HT206905>)

## 0x01 Vulnerability details

### 1\. Manipulation of the Host header

When the server responds with a 302 or 307 status code, a Location header like the following can be constructed:

`Location: http://example.com:abc<'">()foo/`

Note that the port part of this URL is not a number. When Safari processes it, it connects to example.com:80 and the request carries the following header:

`Host: example.com:abc'%3C%26%22%3E()foo`

The port in the Host header is invalid; this means the Host header the browser sends can be manipulated to contain attacker-chosen content after the colon.

There are two restrictions on exploitation:

* some of the characters are percent-encoded;
* only the content after the ":" can be modified.

Some techniques for working within these restrictions are explored below.

#### A closing single quote leads to XSS

As the header above shows, some characters are restricted: `<`, `&` and `"` are encoded, while the single quote survives. Some XSS attacks against Safari are therefore blocked: ![](https://images.seebug.org/content/images/2016/09/3D9A02D7-9674-4B67-B1F9-78439A844A90.png) Safari's XSS filter has the same effect on reflected XSS via the Host header. The following case, however, does trigger XSS: ![](https://images.seebug.org/content/images/2016/09/2.png)

#### Controllable-hostname XSS

The Host header can influence code like the following:

```html
<script src="http://(HOST)/js/jquery.js">
<link href="http://(HOST)/css/style.css" rel="stylesheet" type="text/css">
```

![](https://images.seebug.org/content/images/2016/09/template.png) When the server has code like this, the vulnerability is triggered. A [GitHub search](<https://github.com/search?utf8=%E2%9C%93&q=%3Cscript+src%3D+%24_SERVER%5B%22HTTP_HOST%22%5D&type=Code&ref=searchresults>) finds a lot of similar code; I also ran a series of local verifications. ![](https://images.seebug.org/content/images/2016/09/githubvul.png)

Look at the `<script src=` tag here: if the Host header "example.com" is modified to "example.com:abc", it becomes:

```html
<script src="http://example.com:abc/js/jquery.js">
```

In this case Safari will not load the malformed URL, because it is not a legitimate URL, whereas the attacker wants Safari to load JS from his own server. After a series of experiments, the following idea came up:

**Response from the attacker's server:** ![](https://images.seebug.org/content/images/2016/09/20160921_safari_31.png)

**The resulting request to the target server:** after receiving the Location header, Safari connects to example.jp:80 and sends the Host header `Host: example.jp:evil`; the leading `a@` part of the URL is consumed as authentication information.

**Content returned by the target server:** ![](https://images.seebug.org/content/images/2016/09/20160921_safari_33.png) (Original author's screenshot: ![](https://images.seebug.org/content/images/2016/09/3.jpeg))

When the reflected URL is parsed, the `@` portion is removed again, so the JS is fetched from the attacker's host and the XSS attack succeeds. Attack example (loading JS from an external site): ![](https://images.seebug.org/content/images/2016/09/badjs.png) ![](https://images.seebug.org/content/images/2016/09/attack.jpeg)

#### Information theft

The technique above can also be used to steal information. Suppose a web service redirects to a URL that contains private information:

`Location: http://(HOST)/foo?token=fj0t9wj958...`

In this case the attacker can still manipulate the Host header with the `@` trick. This scenario is actually very common, because the Location header is the most common place where the server echoes the Host header. Often this is not something the web application developer wrote but the web platform itself: when a relative URL is converted into an absolute one, the conversion is based on the Host header, as in Java's HttpServletResponse#sendRedirect() method. (As background: under HTTP/1.1, [RFC 2616](<https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30>) required the Location header to be an absolute URI and prohibited a relative one, whereas [RFC 7231](<https://tools.ietf.org/html/rfc7231#section-7.1.2>) allows it.) If the header value influences the hostname, then besides the Location header, HTML URI attributes like `<form action=` and `<a href=` can also lead to information-theft vulnerabilities.

### 2\. Domain-confusion XSS

According to the original author's example, he tested the target link with a non-numeric port, like `http://www.mbsd.jp:xyz/`; loading external resources then shows the following situation. ![](https://images.seebug.org/content/images/2016/09/20160921_safari_40.png) Clearly, resources referenced by relative-path URLs are not loaded correctly. This can be verified in the browser console: ![](https://images.seebug.org/content/images/2016/09/20160921_safari_44.png) The page's domain is corrupted, which is why loading resources via relative paths fails, and cookies therefore cannot be obtained. The same-origin policy restrains the attacker to some extent, but if this can be used well the story becomes very different. The best way to use it is an iframe; we can find a test site whose "X-Frame-Options" restriction is relaxed. The original author's example is as follows: ![](https://images.seebug.org/content/images/2016/09/20160921_safari_46.png) We found that after the confusion, the browser resolves resources in the iframe against the parent page's base URL, causing a load error. I also verified this situation online: ![](https://images.seebug.org/content/images/2016/09/failsource.png) Again, loading resources via relative paths leads to this situation.

### Impact

The JS is loaded in a context where the document is damaged, so it cannot obtain the same-site cookies via XHR. It can still access its own document, which means the attacker can modify the page content. Pages that authenticate with cookies can also be attacked, since requests are sent with the cookie. ![](https://images.seebug.org/content/images/2016/09/20160921_safari_50.png)

### Vulnerability points

* Safari uses the default ports (80 and 443) when handling an invalid port
* A malformed Host header such as `Host: hostname:xyz` is accepted by Apache, WebLogic, Nginx and other servers; Tomcat and IIS do not accept it
* Both the GET and POST request methods can be used, with a 302 or 307 redirect
* In an iframe the base URL is inherited from the parent page; strangely, `<base href=` is completely ignored
* The JS executes under a blank domain, separated from the iframe's parent page; apart from cookies, DOM objects are accessible
* CSP (or X-Frame-Options) may prevent the XSS attack

## 0x02 Remediation

Upgrade to the Safari version released on July 18, 2016, or later. **Official fix**: validation was strengthened; an error is displayed for the illegal URL.

## 0x03 References

* http://paper.seebug.org/51/
* http://www.mbsd.jp/blog/20160921.html
* https://support.apple.com/HT206900 |
id | SSV:92437 |
last seen | 2017-11-19 |
modified | 2016-09-23 |
published | 2016-09-23 |
reporter | 名匿 |
title | Safari < 9.1.2 URL redirection vulnerability |
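Server-side counterpart to the reflected-Host pattern in the Seebug entry above (`<script src="http://(HOST)/...">` and Host-derived Location headers), as an added example that is not code from the Seebug entry or the MBSD post: a strict Host-header validator with an allow-list, a URL builder that falls back to a configured canonical host instead of echoing the raw Host value, and a check over constructed access-log lines for Host values with a non-numeric port. The log format, host names and allow-list are assumptions.

```python
import re

# One DNS label: letters, digits and hyphen, no leading/trailing hyphen (RFC 1123).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Whole Host header: hostname, optionally ":" and a decimal port. Nothing else.
_HOST_RE = re.compile(
    r"^(?P<host>" + _LABEL + r"(?:\." + _LABEL + r")*)(?::(?P<port>[0-9]{1,5}))?$"
)

def validate_host_header(value, allowed_hosts):
    """Return (ok, reason). Only 'hostname[:port]' with a numeric port and a
    hostname on the deployment's allow-list (lower-case) passes. IPv6 literals
    are not handled here; extend the pattern if you serve them."""
    m = _HOST_RE.match(value)
    if not m:
        return False, "malformed Host header (forbidden characters or non-numeric port)"
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False, "port out of range"
    if m.group("host").lower() not in allowed_hosts:
        return False, "hostname not in allow-list"
    return True, "ok"

def absolute_url(path, canonical_host, host_header, allowed_hosts):
    """Build an absolute URL for a redirect or asset tag without echoing the raw
    Host header: use the configured canonical host unless the request's Host
    validates cleanly."""
    ok, _ = validate_host_header(host_header, allowed_hosts)
    host = host_header.lower() if ok else canonical_host
    return "https://" + host + path

# Constructed access-log lines: "<Host header> <method> <path> <status>".
SAMPLE_LOG = [
    "example.com GET /index.html 200",
    "example.com:abc'%3C%26%22%3E()foo GET /index.html 200",
    "example.com:443 GET /js/jquery.js 200",
    "example.jp:evil GET /foo 302",
]

def suspicious_hosts(log_lines):
    """Detection: return Host values that are not 'hostname[:numeric port]'."""
    return [host for host in (line.split(" ", 1)[0] for line in log_lines)
            if not _HOST_RE.match(host)]

if __name__ == "__main__":
    for host in ("example.com", "example.com:abc'%3C%26%22%3E()foo"):
        print(host, "->", validate_host_header(host, {"example.com"}))
    print(suspicious_hosts(SAMPLE_LOG))
```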
References
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00004.html
- http://packetstormsecurity.com/files/138502/WebKitGTK-SOP-Bypass-Information-Disclosure.html
- http://www.securityfocus.com/archive/1/539295/100/0/threaded
- http://www.securityfocus.com/bid/91830
- http://www.securitytracker.com/id/1036343
- https://support.apple.com/HT206900
- https://support.apple.com/HT206902
- https://support.apple.com/HT206905