147 - Stealing DropBox Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability
A Transparency, Consent, and Control (TCC) bypass in macOS. TCC is the subsystem that gates app access to privacy-sensitive resources (camera, microphone, user data folders, iCloud account data and the like). It tracks the consent history for app requests and stores it in a database; two databases are managed, a per-user database and a system-wide one. Microsoft started from an older bypass, which abused the fact that the tccd daemon used the HOME environment variable to build the path to the per-user TCC.db file. By manipulating environment variables, HOME could be pointed at an attacker-controlled directory to get a fake database loaded.
Apple fixed this by dropping the HOME variable lookup in favor of getpwuid() and its pw_dir field. While this prevents the easy bypass through environment variables, the root issue remains: an attacker can change the home directory in other ways. Two are detailed. The first uses the directory services utilities to swap the home directory. This requires root and relies on those utilities (dsexport among them) having the TCC entitlement, though it is still a privilege escalation because it allows hijacking the database without Full Disk Access. The second method abuses the configd daemon, which also has the TCC entitlement and supports loading arbitrary code via
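The HOME-versus-getpwuid() distinction above, as an added example (this is not Microsoft's or Apple's code, and tccd's real path handling is not public): a daemon that builds a per-user database path either from the environment or from the account record, plus two checks showing that pointing HOME at an attacker directory redirects the first lookup but not the second. Only the TCC.db path suffix is real; the attacker directory name is constructed and never created on disk. The passwd-based lookup is still only as trustworthy as the directory record it reads, which is exactly what Powerdir targets.

```c
/* Added example, not tccd's code: two ways a daemon can resolve the
 * per-user TCC.db path, and how each reacts to a tampered HOME. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TCC_DB_SUFFIX "/Library/Application Support/com.apple.TCC/TCC.db"

/* Strategy 1 (pre-fix behaviour): trust $HOME. Anything that controls the
 * daemon's environment gets to choose which TCC.db is opened. */
static int tcc_path_from_env(char *out, size_t n)
{
    const char *home = getenv("HOME");
    if (!home || !*home)
        return -1;
    snprintf(out, n, "%s%s", home, TCC_DB_SUFFIX);
    return 0;
}

/* Strategy 2 (post-fix behaviour): ask the account database via getpwuid()
 * and use pw_dir. The environment is ignored; the result is only as good
 * as the directory record itself (the Powerdir angle). */
static int tcc_path_from_passwd(char *out, size_t n)
{
    struct passwd *pw = getpwuid(getuid());
    if (!pw || !pw->pw_dir || !*pw->pw_dir)
        return -1;
    snprintf(out, n, "%s%s", pw->pw_dir, TCC_DB_SUFFIX);
    return 0;
}

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* 1 if setting HOME=attacker_home redirects the env-based lookup there
 * (the original bypass), 0 if not, -1 on error. */
int env_lookup_follows_home(const char *attacker_home)
{
    char path[4096];
    if (setenv("HOME", attacker_home, 1) != 0)
        return -1;
    if (tcc_path_from_env(path, sizeof path) != 0)
        return -1;
    return starts_with(path, attacker_home);
}

/* 1 if the passwd-based lookup also followed HOME (it should not), 0 if it
 * stayed on the account's recorded home, -1 if no passwd entry exists. */
int passwd_lookup_follows_home(const char *attacker_home)
{
    char path[4096];
    if (setenv("HOME", attacker_home, 1) != 0)
        return -1;
    if (tcc_path_from_passwd(path, sizeof path) != 0)
        return -1;
    return starts_with(path, attacker_home);
}

int main(void)
{
    const char *evil = "/tmp/attacker-home"; /* constructed; never created */
    printf("env-based lookup redirected to attacker dir:    %d\n",
           env_lookup_follows_home(evil));
    printf("passwd-based lookup redirected to attacker dir: %d\n",
           passwd_lookup_follows_home(evil));
    return 0;
}
```

The check a practitioner should take from this: an environment-derived path is attacker-controlled by construction, while a getpwuid()-derived one moves the trust boundary to whoever can edit the account's home directory attribute, which on macOS includes root via the directory services tools.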
data-method are stripped by DOMPurify, arbitrary
data-* attributes aren’t. They will be sanitized, however the problem is that GitLab has certain event handlers such as
dismiss that will use endpoints for POST requests that can be influenced by some of these attributes. The
dismiss event handler specifically (which is called on any element with the
closeButton class) will use the
dismissEndpoint for sending a POST request, which can be set via
data-dismiss-endpoint. This can be combined with an output from jupyter notebook to create a button with the
closeButton class that occupies the whole screen, and can abuse the GitLab API to do some sensitive action (like add an attacker account as admin).
A funny bug in Glovo, a delivery platform for taking orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the order POST request, which affects the total price of the order. For example, the researcher placed an order for two different items, one of each, then edited the request to change the quantities to 2299922 and 2499999; when those were used to calculate the price, the result was lower than the price of the two items at one each.
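The quantity overflow above, worked through as an added example (constructed; Glovo's pricing code is not public). The quantities are the two from the write-up; the unit prices in cents and the per-line quantity limit are assumptions. The wrapping version reproduces the effect of multiplying quantity by price into a 32-bit integer with no check, and the hardened version shows what the check should look like.

```c
/* Added example, not Glovo's code: an order total computed in wrapping
 * 32-bit arithmetic versus a validated 64-bit version. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct line_item {
    int32_t unit_price_cents;   /* assumed prices */
    int32_t quantity;
};

/* Two's-complement reinterpretation of a 32-bit unsigned value, spelled
 * out so the wrap is explicit and not reliant on implementation-defined
 * conversion. */
static int32_t to_i32(uint32_t u)
{
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)(u - 2147483648u) - INT32_MAX - 1;
}

/* Vulnerable pattern: each multiply and add silently wraps at 2^32. */
int32_t order_total_wrapping(const struct line_item *items, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t line = (uint32_t)items[i].quantity
                      * (uint32_t)items[i].unit_price_cents;
        total += line;
    }
    return to_i32(total);
}

#define MAX_QTY_PER_LINE 100   /* assumed business limit */

/* Hardened pattern: validate each quantity, multiply in 64 bits, and
 * refuse any total that would not fit the 32-bit field downstream.
 * Returns 0 and writes *out on success, -1 on rejection. */
int order_total_checked(const struct line_item *items, size_t n, int32_t *out)
{
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t q = items[i].quantity, p = items[i].unit_price_cents;
        if (q <= 0 || q > MAX_QTY_PER_LINE || p < 0)
            return -1;
        total += (int64_t)q * p;   /* both factors < 2^31, so no overflow here */
        if (total > INT32_MAX)
            return -1;
    }
    *out = (int32_t)total;
    return 0;
}

/* Constructed orders: one of each item, and the tampered quantities. */
static const struct line_item honest[]   = { {1500, 1},       {1200, 1} };
static const struct line_item tampered[] = { {1500, 2299922}, {1200, 2499999} };

int32_t honest_total_wrapping(void)   { return order_total_wrapping(honest, 2); }
int32_t tampered_total_wrapping(void) { return order_total_wrapping(tampered, 2); }

int tampered_rejected(void)
{
    int32_t t;
    return order_total_checked(tampered, 2, &t);   /* -1: rejected */
}

int32_t honest_checked_total(void)
{
    int32_t t;
    return order_total_checked(honest, 2, &t) == 0 ? t : -1;
}

int main(void)
{
    printf("honest total (wrapping):   %ld cents\n", (long)honest_total_wrapping());
    printf("tampered total (wrapping): %ld cents\n", (long)tampered_total_wrapping());
    printf("tampered order checked:    %d (-1 = rejected)\n", tampered_rejected());
    printf("honest order checked:      %ld cents\n", (long)honest_checked_total());
    return 0;
}
```

With these prices the tampered order wraps to a negative total, which is the "lower than one of each" outcome the researcher saw; the quantity range check alone would have stopped it, and the 64-bit accumulation with a range check on the result catches any price combination the first check misses.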
Inspired by HTTPVoid's February write-up on Hacking Google Drive Integrations, the researchers took a deeper look at how HelloSign had patched the SSRF documented there.
It turns out the patch basically just limited the resources the SSRF could reach, so there is no access to sensitive endpoints but the SSRF itself remains. This matters because the SSRF believes it is calling a Google Drive API endpoint, so it includes the authorization token for the current user's Drive integration. Alone, this only lets an attacker expose their own authorization token to themselves.
Combined with CSRF, though (the page leading to the SSRF had no CSRF protection), an attacker could have any victim who visits their HelloSign link leak their Google Drive authorization token to the attacker.