Tunip3

Dev Home HTML injection

TL;DR: this is largely useless because WinJS CSP restrictions block inline scripts by default. It would become highly useful if a bypass that enables inline scripting were found, if some exploitable event handler turned up, or if someone figured out how to launch the ERA tool windows manually. All of that is extremely unlikely, though, as WinJS is being rapidly phased out in favour of React Native.

# Discovery

Whilst looking through the strings in Xboxdevservice.exe in Ghidra I found 3 odd-looking URIs with a custom protocol handler, which I decided to dig into further after seeing `unattendedscript`.

![image](https://user-images.githubusercontent.com/26260613/124339675-06ccb600-dba8-11eb-83e1-a8189e4d2adc.png)

The next step was to figure out which app the protocol handler belongs to. Luckily I had created a table a while back of all URI protocol handlers registered by apps in their appxmanifests, which revealed that the app responsible for handling the URI was Dev Home.

![image](https://user-images.githubusercontent.com/26260613/124339805-cd487a80-dba8-11eb-8bdb-eb6e695b3240.png)

The table was generated by manually ripping all of the appxmanifest files from an Xbox One in dev mode and then parsing them; it can be found [here](https://xosft.dev/wiki/protcol-URIs/).

After finding that Dev Home was responsible for registering the protocol handler I dumped a copy of the package from my console, which lives in `X:\Apps\DevHome`. After dumping the app I found that it was a WinJS app, so I simply searched through all the files in the package for the URI protocol.

![image](https://user-images.githubusercontent.com/26260613/124340286-ff0f1080-dbab-11eb-890a-736fade2136b.png)

The protocol is referenced by 2 comments within the protocol handler.

![image](https://user-images.githubusercontent.com/26260613/124340366-9b391780-dbac-11eb-8ee6-014d21762b3f.png)

## Uri parsing

To understand how the URI is parsed you first need to understand the anatomy of the URI.
I have attached an image below that should explain it.

![image](https://user-images.githubusercontent.com/26260613/124340434-287c6c00-dbad-11eb-92a4-e8f8ebf6bfb2.png)

When parsing the URI, Dev Home first looks at the host.

![image](https://user-images.githubusercontent.com/26260613/124340527-b9534780-dbad-11eb-994e-17226aebfe59.png)

If the host is `show-overlay` it simply takes the URI provided in the query parameters and puts it into an iframe; not very interesting and not very exploitable. If the host is `unattendedscript` and the action in the query parameters is `abort` it simply aborts any unattended scripts. However, if the host is `unattendedscript` and the action in the query parameters is `complete`, it takes the filename from the query parameters (despite just being called "filename", it still has to be a complete file path). It then gets the parent folder of the file path and passes it to another function, `DevHome.Utilities.showSimpleTextFileAsync`.

![image](https://user-images.githubusercontent.com/26260613/124340763-68445300-dbaf-11eb-9e92-e1afb4c9de47.png)

What does the `showSimpleTextFileAsync` function do, though? `showSimpleTextFileAsync` is meant to be used to show log files; however, the manner in which this is done lets the user inject arbitrary HTML elements. The function loads the file, replaces every carriage return followed by a line feed (Windows line endings) with `<br>` tags (new lines in HTML), concatenates the result with some divs and then uses it as the inner HTML of a div element. In practice this means the user simply has to remove all line endings or replace them with an alternative format, and then they can add whatever HTML they want.

![image](https://user-images.githubusercontent.com/26260613/124340916-a8f09c00-dbb0-11eb-97cd-13e07f122c0b.png)

Here it is in practice with some custom HTML injected:

![image](https://user-images.githubusercontent.com/26260613/124341084-fcafb500-dbb1-11eb-8f3c-09ac9bee31a3.png)

Here is what it should normally look like with a normal valid file:

![image](https://user-images.githubusercontent.com/26260613/124341134-3a144280-dbb2-11eb-9484-72b222d57bc3.png)

# Usability

This is largely useless because WinJS CSP limitations mean that inline scripting is blocked by default. However, scripts from `https://apps.atgservices.xboxlive.com/` are allowed, so it may be possible to use the proxy certificate authority to create a fake server and serve a malicious JS file. If you can bypass the CSP, that would let you trigger arbitrary JS. It may also be possible that an exploitable event handler could be found. It would also be useful if someone figured out how to launch the ERA tool windows manually (from a UWA kit). But as it stands this is sadly not useful for much. RIP WinJS, you will not be missed. Long live React Native.
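The following is an added example, not code from Dev Home or from the author of this write-up. It models the two steps the Uri parsing section describes: the protocol handler dispatching on host, action and filename, and `showSimpleTextFileAsync` turning a text file into markup by rewriting only CRLF to `<br>` before assigning it as inner HTML. Beside that behaviour it shows the hardened form a defender would want: escape the file content first, then normalise every line-ending style. The URI scheme `placeholder-scheme`, the query key `filename`, the `class="log"` wrapper and all function names are assumptions for illustration; the real scheme and markup are only visible in the screenshots above.

```javascript
// Added example (not Dev Home's own code). Names, the "placeholder-scheme"
// URI scheme and the "filename" query key are assumptions for illustration.

// Pull out the parts the handler dispatches on: host, action and filename.
function parseDevHomeUri(uri) {
  const u = new URL(uri);
  return {
    host: u.hostname,
    action: u.searchParams.get("action"),
    filename: u.searchParams.get("filename"),
  };
}

// Route a URI the way the write-up describes the handler doing it.
// Returns a plain object so the dispatch can be checked without a DOM.
function dispatch(uri) {
  const { host, action, filename } = parseDevHomeUri(uri);
  if (host === "show-overlay") return { route: "show-overlay" };
  if (host === "unattendedscript" && action === "abort") return { route: "abort" };
  if (host === "unattendedscript" && action === "complete") {
    return { route: "complete", filename };
  }
  return { route: "ignored" };
}

// Minimal HTML escaping for text that will end up inside innerHTML.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Behaviour as described in the write-up: only CRLF becomes <br>, and the
// rest of the file content is concatenated into the markup verbatim, so any
// tag in the file (or a file with no CRLF at all) is rendered as HTML.
function renderLogUnsafe(fileText) {
  return '<div class="log">' + fileText.replace(/\r\n/g, "<br>") + "</div>";
}

// Hardened form: escape first, then turn CRLF, bare CR and bare LF into <br>.
// File content can no longer become markup, and LF-only files still wrap.
function renderLogSafe(fileText) {
  const escaped = escapeHtml(fileText).replace(/\r\n|\r|\n/g, "<br>");
  return '<div class="log">' + escaped + "</div>";
}

// Constructed sample: a benign log line followed by a line that carries a tag.
const SAMPLE_LOG = "script finished\r\n<b>not a log line</b>";

if (typeof require !== "undefined" && require.main === module) {
  const uri =
    "placeholder-scheme://unattendedscript?action=complete&filename=" +
    encodeURIComponent("X:\\logs\\demo.txt");
  console.log(dispatch(uri));
  console.log("unsafe:", renderLogUnsafe(SAMPLE_LOG));
  console.log("safe:  ", renderLogSafe(SAMPLE_LOG));
}
```

In a WinJS app the simplest fix is to skip markup generation entirely: assign the file content with `element.textContent` and let CSS (`white-space: pre-wrap`) handle the line breaks, which sidesteps both the escaping and the line-ending question.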