Mac OS X vulnerability – execution of arbitrary Javascript code without restrictions

Abstract:

The vulnerability is in one HTML file, part of the Mac OS X core, that is prone to a DOM-based XSS allowing the execution of arbitrary JavaScript commands in its (unrestricted) context.

The mentioned file is located at /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:

<script type="text/javascript" charset="utf-8">

setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();

function init () { /* <-- called by <body onload="init()" */
[…]

rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameter from current url */

[…]

/* the unvalidated parameter is used directly as the request target */
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[…]
}

function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");

// this will create a tutorialData item
// sink: the fetched response is executed as JavaScript
eval(response);
[…]
}

function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");

rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
// sink: the derived path becomes the src of an injected <script> element
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[…]
</script>
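As an added illustration of how the two sinks above (the fetched response passed to eval, and the parameter used as a script src) can be hardened; this is example code, not Apple's, and the allowed base directory and the JSON tutorial format are assumptions:

```javascript
// Added example, not code from rhtmlPlayer.html.
// Assumptions: tutorials live under one fixed base directory (ALLOWED_BASE),
// and tutorial data is delivered as JSON rather than as executable JavaScript.

const ALLOWED_BASE = "file:///Library/Documentation/Help/"; // assumed location

// Reads a query parameter from a page URL (stands in for the page's urlParam()).
function urlParam(pageUrl, name) {
  return new URL(pageUrl).searchParams.get(name);
}

// Hardened path handling: resolve the parameter relative to the allowed base
// and reject anything that escapes it (absolute URLs, other schemes, '..').
function safeResolve(param) {
  if (typeof param !== "string" || param.length === 0) return null;
  let resolved;
  try {
    resolved = new URL(param, ALLOWED_BASE);
  } catch (e) {
    return null; // unparsable input
  }
  // new URL() pins the scheme/host to the base for relative input and
  // normalises '..' segments, so a prefix check on the result is sufficient.
  if (!resolved.href.startsWith(ALLOWED_BASE)) return null;
  return resolved.href;
}

// Derives the localized-strings path only from an already validated URL
// whose file name is exactly metaData.html (mirrors loadLocStrings()).
function locStringsPath(param) {
  const href = safeResolve(param);
  if (href === null || !href.endsWith("/metaData.html")) return null;
  return href.slice(0, -"metaData.html".length) + "localizedStrings.js";
}

// Hardened replacement for eval(response): parse data, never execute it.
function loadTutorialData(response) {
  let data;
  try {
    data = JSON.parse(response);
  } catch (e) {
    return null; // not JSON (e.g. JavaScript source) is rejected
  }
  if (!data || typeof data !== "object" || typeof data.title !== "string") return null;
  return data;
}
```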


Solution:

Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html

Update:

Safari 11 (available for Mac OS X 10.11, 10.12 and 10.13) introduces the following security enhancement:
CORS and cross-origin access from file:// are now blocked unless Disable Local File Restrictions is selected from the Develop menu.
Hence the above exploit will not work against updated versions of OS X El Capitan and Sierra. However, JavaScript execution outside quarantine is still possible.
