Cross-Site Escape: Pwning macOS Safari Sandbox the Unusual Way presented at BlackHatEurope 2020

by Zhi Zhou,

Summary : Sandbox escape plays a vital role in a full chain exploit. For the past few years, we've seen several favorite targets of researchers like WindowServer have fallen apart on Pwn2Own. Most of them are memory safety issues in IPC endpoints that are reachable from the sandbox. However, there are underrated attack surfaces like private API, platform-specific features, and legacy components on macOS.In this talk, I'll present a novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS). Without re-exploiting WebKit twice, native code execution outside the sandbox is achieved. Such flaws often involve a multi-stage chain across several components that don't usually have connections at all, making them hard to spot, not to mention the impossibility to fuzz. They don't require a single byte of memory corruption (except the initial renderer exploit), so all the state-of-the-art memory safety mitigations don't stop them at all. Compared to traditional ways, they were incredibly stable and cleaner to implement.This talk will revisit the big picture of Safari sandbox attack surfaces, especially those forgotten by previous publications, analyzing various WebViews in different contexts and their weakness. I'll detail three unique standalone exploits respectively affecting from OS X Yosemite (or even earlier) to macOS Catalina 10.15.2, including the one used in TianfuCup 2019 Safari category. They covered features like Dashboard, OTA Updates, Dictionary lookup, etc. to execute native code unexpectedly. One of them even has a persistence attack scenario on iOS.