Tuesday, July 10, 2012

XSS in iPhone iOS

I am going to share my thoughts on an XSS vulnerability I discovered in Apple iPhone iOS.


Question: What is the "Content-Disposition" header in an HTTP response?
Answer: Simply put, it tells your browser how the content it is receiving should be handled, i.e. displayed inline or saved as a file.
For example: Content-Disposition: attachment;filename="test.html";filename*=UTF-8''test.html
which means that the server is telling the client: "Yo!, here is that thing you requested, by the way... it is a file"



Now, back on topic:

iPhone iOS Safari will ignore the Content-Disposition header and display the content if it is clicked. To demonstrate this in a POC I created a file called:
test.pleasedonttouchme
and emailed it to myself. When I opened the attachment in my iPhone's Safari, the server told the iPhone that this is a file and not an HTML page, but the Safari app still opened the file as HTML, and here is the picture:

At first I thought this might be a Google bug, but no, Google servers send this header in the response:
Content-Disposition: attachment; filename="test.pleasedonttouchme"

which means that the receiving application should handle this content as a file of type "pleasedonttouchme", but instead it is handling it as if it were HTML.
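The two header lines above (the attachment example and Google's response) are worth being able to parse and produce correctly, so here is an added Python example that is not part of the original post. It parses a Content-Disposition value (including the RFC 5987 `filename*=UTF-8''...` form), builds the headers a site should send when returning a third-party upload, and then checks a response for the ways it can still end up executed as HTML in the application's origin; the last check is the server-side counterpart of the isolated-origin fix in Apple's advisory quoted further down. The host names are constructed, and comparing hosts is a simplification of a full scheme/host/port origin comparison.

```python
"""Added example (not from the original post): parse an HTTP
Content-Disposition header, build the headers for serving an uploaded
file as an opaque download, and flag responses that a client which
ignores Content-Disposition could still render as HTML."""
import re
from urllib.parse import quote, unquote

# One `; key=value` parameter; value is a quoted-string or a bare token.
_PARAM_RE = re.compile(r'\s*;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_content_disposition(value):
    """Return (disposition_type, params) for a Content-Disposition value.

    Handles both filename="..." and the RFC 5987 filename*=charset''...
    form; a decodable filename* wins over filename whatever the order,
    as RFC 6266 requires.
    """
    head, _, rest = value.partition(";")
    disp_type = head.strip().lower()
    params = {}
    for key, raw in _PARAM_RE.findall(";" + rest):
        key = key.lower()
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # unescape quoted-string
        if key.endswith("*"):
            # ext-value: charset'language'percent-encoded-text
            charset, _, encoded = raw.partition("'")
            _, _, encoded = encoded.partition("'")
            try:
                decoded = unquote(encoded, encoding=charset or "utf-8", errors="strict")
            except (LookupError, UnicodeDecodeError):
                continue  # undecodable ext-value: keep the plain filename instead
            params[key[:-1]] = decoded
        elif key not in params:
            params[key] = raw
    return disp_type, params


def attachment_headers(filename, fallback="download"):
    """Headers for handing back a third-party upload as an opaque download.

    Both filename and filename* are sent (RFC 6266 section 4.3) so old and
    new clients see a name; application/octet-stream plus nosniff keeps a
    conforming browser from sniffing the bytes as HTML.
    """
    # ASCII fallback: anything that could break the quoted-string or look
    # like a path component is replaced, and leading dots are dropped.
    ascii_only = filename.encode("ascii", "ignore").decode()
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", ascii_only).lstrip(".") or fallback
    ext_name = quote(filename, safe="")  # percent-encode everything outside attr-char
    return {
        "Content-Disposition": f'attachment; filename="{ascii_name}"; filename*=UTF-8\'\'{ext_name}',
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
    }


def download_response_risk(headers, download_host, app_host):
    """List the ways a file-serving response can still run as HTML with the
    application's cookies. Empty list means no finding."""
    findings = []
    disp, _ = parse_content_disposition(headers.get("Content-Disposition", "inline"))
    if disp != "attachment":
        findings.append("not served as attachment")
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in ("", "text/html", "application/xhtml+xml", "image/svg+xml"):
        findings.append(f"active content type {ctype or '(none)'}")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if download_host.lower() == app_host.lower():
        # Headers alone do not help against a client that ignores them (the
        # iOS behaviour described above); only a separate origin does.
        findings.append("served from the application origin")
    return findings


if __name__ == "__main__":
    print(parse_content_disposition('attachment; filename="test.pleasedonttouchme"'))
    hdrs = attachment_headers("\u20ac rates.txt")
    print(hdrs["Content-Disposition"])
    # Constructed hosts: uploads served from a dedicated download host.
    print(download_response_risk(hdrs, "files.example.invalid", "mail.example.invalid"))
```

Note that `download_response_risk` still reports the shared-origin case even when every header is right: that is the whole point of the post, since a client that ignores Content-Disposition renders the upload with the serving origin's cookies no matter what the header says.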

But wait!
There is more...

When googling for similar CVEs I found this:
and on that page you can see this interesting piece of data:
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT
Ok, cool, this is exactly what I am talking about... but wait... I am using iOS 5.1.1 and this is relating to iOS 5... wait... what???
I have verified this on all iOS versions from 4.2.1 up to 5.1.1 (not iOS 6 beta yet).
The end.

4 comments:

  1. Verified independently on iOS6: http://imgur.com/Gbwfl .

    Just a note, when it's opened in mail, it has no idea how to open it, but in GMail it seems to default to webview? I feel like this is more the Gmail app's fault than iOS's... but... I'd have to think it over when I'm not tired...

  2. Nice find, but old news! I reported this 2 months ago.. ;)

  3. Do different browsers handle this in the same way, or is it different in each case? I think there will be a difference, but as I haven't tried it, I can't say.
