Show Notes

97 - A MacOS SIP Bypass & an XSS Fiesta

Vulnerability The initial foot hold was a stored cross-site scripting vulnerabilities in the conversion of the [url] BBcode tag. This could be used to target an administrative user, adding a new admin account and installing a malicious plugin for code execution.

Cross-Site Scripting in BBcode StarStoreNET would encode user input to protect against injecting HTML, but they did not properly handle nesting. Specifically with URL tags, where part of the user controlled content is reflected in an attribute (the href attribute of the <a> tag). This allows an attacker to nest a urltag within another which doesn’t get processes properly.

Specifically nesting a complex [url] tag inside a simple one. A complex tag is one where the hrefattribute and the display text are different.

simple:  `[url]https://dayzerosec.com[/url]`
complex: `[url=https://dayzoersec.com]dayzerosec[/url]`

By nesting the complex tag within the simple one, the inner url tag will be parsed and replaced with HTML, that will then be places inside the href attribute of the outer tag. This will include unescaped quotes that break out of the href attribute and allow injecting other attributes.

In somewhat simplified form:

[url]outer_left[url=injectedAttribute=XYZ]inner[/url]outer_right[/url]
Becomes
[url]outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right[/url]
which becomes
<a href="outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right">"outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right</a>

The start of the inner tag’s href breaks out of the first tag’s href.

Exploitation With attribute injection, often the only route forward is something requiring user interaction, such as injecting into onmouseover or something. In this case they were able to take advantage of some existing CSS animations, and then set their code in onwebkitanimationend which on Chrome, Safari, and Opera will execute when the animation ends automatically.

From there, using the XSS to target an admin user and automatically creating a new administrative account. With an admin account under attacker control, a plugin could be installed for code execution.

The Chrome New Tab Page was vulnerable to a stored cross-site scripting attack in the search suggestion box.

This attack does require an attacker be able to control a prior search so that it shows up in the suggestion box, this apparently is doable through CSRF but the example of this included a CSRF token, so there might be more information needed on that. But the gist of it, is that by searching for something like "><img src=x onerror=alert(1337)> the next time the New Tab search box is used, the previous searches will be insecurely reflected into the page.

StreamLabs would normally only redirect to a set of whitelisted domains approved to recieve the access_token. The author here put some effort into discovering what domains were approved, and found http://dragynslair.live was whitelisted, but no longer registered. Any attacker could have registered this domain and received access tokens.

It is possible to bypass macOS’s System Integrity Protection (SIP) through the system_installd daemon. This daemon has the com.apple.rootless.install.heritable entitlement which means that any process started by the daemon will not be protected by SIP.

While the daemon has multiple uses, one use-case is when Apple signed Package files (.pkg) are being installed. The package will invoke the daemon to install it. The problem is that during post-install, if there are any post-install scripts these will be launched with the default shell, zsh for most users. zsh upon starting will look for the /etc/zshenv file and execute any commands from it. An attacker could create this file and place a malicious script within, leading to unprotected code execution that can avoid SIP.