CVE-2021-1748 PoC — Apple iOS 输入验证错误漏洞

Source

https://github.com/ChiChou/mistune-patch-backport

Associated Vulnerability

Title:Apple iOS 输入验证错误漏洞 (CVE-2021-1748)
Description:Apple iOS等都是美国苹果（Apple）公司的产品。Apple iOS是一套为移动设备所开发的操作系统。Apple tvOS是一套智能电视操作系统。Apple watchOS是一套智能手表操作系统。 Apple 多款产品存在安全漏洞，该漏洞源于处理恶意制作的URL可能导致任意javascript代码执行。

Description

Backporting CVE-2021-1748 patch for iOS <=14.3

Readme

# CVE-2021-1748 Patch for iOS <= 14.3

The root cause of CVE-2021-1748 is that the app trusts arbitrary data URIs and loads them in a local WebView.

This tweak backports the patch for iOS <= 14.3 by intercepting `data:` URI.

Please note that there is still a powerful variant of bug. This patch doesn't stop server-side script injection or open-redirect on trusted domains.

File Snapshot


 [4.0K]  /data/pocs/8d14cc1d44e0b14eff4446716c4f19d2d9449632
├── [ 241]  control
├── [  59]  itmsxssblock.plist
├── [1.0K]  LICENSE
├── [ 256]  Makefile
├── [ 375]  README.md
└── [ 221]  Tweak.x

0 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!