Cross-Site Escape: Pwning macOS Safari Sandbox the Unusual Way

The presentation discusses a novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS) to achieve native code execution outside the sandbox. The talk revisits the big picture of Safari sandbox attack surfaces, especially those forgotten by previous publications, analyzing various WebViews in different contexts and their weakness.

• Sandbox escape plays a vital role in a full chain exploit
• Underrated attack surfaces like private API, platform-specific features, and legacy components on macOS are discussed
• A novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS) is presented
• Three unique standalone exploits respectively affecting from OS X Yosemite (or even earlier) to macOS Catalina 10.15.2 are detailed
• The talk revisits the big picture of Safari sandbox attack surfaces, especially those forgotten by previous publications, analyzing various WebViews in different contexts and their weakness

One of the exploits presented involves exploiting a sandbox bug in corefoundation before macOS Mojave to gain native code execution and escape the sandbox. The bug exploited help viewer which is trusted by Safari. The exploit involved jumping from Safari to a local application and running calculator without any memory corruption. This was achieved by exploiting a legacy URL scheme accepted by help viewer, which replaced the URL scheme x-apple-help-basic to https and opened the URL in a web view only apple.com is accepted. This web view is not sandboxed and it's possible to find a cross-site scripting or open redirection on apple.com to make it load arbitrary scripts. The presentation highlights the need for developers to learn from bugs and vulnerabilities found by researchers.

Sandbox escape plays a vital role in a full chain exploit. For the past few years, we've seen several favorite targets of researchers like WindowServer have fallen apart on Pwn2Own. Most of them are memory safety issues in IPC endpoints that are reachable from the sandbox. However, there are underrated attack surfaces like private API, platform-specific features, and legacy components on macOS. In this talk, I'll present a novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS). Without re-exploiting WebKit twice, native code execution outside the sandbox is achieved. Such flaws often involve a multi-stage chain across several components that don't usually have connections at all, making them hard to spot, not to mention the impossibility to fuzz. They don't require a single byte of memory corruption (except the initial renderer exploit), so all the state-of-the-art memory safety mitigations don't stop them at all. Compared to traditional ways, they were incredibly stable and cleaner to implement. This talk will revisit the big picture of Safari sandbox attack surfaces, especially those forgotten by previous publications, analyzing various WebViews in different contexts and their weakness. I'll detail three unique standalone exploits respectively affecting from OS X Yosemite (or even earlier) to macOS Catalina 10.15.2, including the one used in TianfuCup 2019 Safari category. They covered features like Dashboard, OTA Updates, Dictionary lookup, etc. to execute native code unexpectedly. One of them even has a persistence attack scenario on iOS.