Tunip3

Dev Home HTML injection

TL;DR: this is largely useless because the WinJS CSP blocks inline scripts by default. It would become highly useful if a bypass to enable inline scripting were found, if some exploitable event handler were found, or if someone figured out how to launch the ERA tool windows manually. However, all of this is extremely unlikely, as WinJS is dead and being rapidly phased out in favour of React Native.

Discovery

Whilst looking through the strings in Xboxdevservice.exe in Ghidra I found 3 odd-looking URIs with a custom protocol handler, which I decided to dig further into after seeing unattendedscript. The next step was to figure out which app the protocol handler belongs to. Luckily I had created a table a while back of all URI protocol handlers registered by apps in their appxmanifests, which revealed that the app responsible for handling the URI was Dev Home.


The table was generated by manually ripping all of the appxmanifest files from an Xbox One in dev mode and then parsing them and can be found here.

After finding that Dev Home was responsible for registering the protocol handler I dumped a copy of the package from my console, which can be found in X:\Apps\DevHome. After dumping the app I found that it was a WinJS app, so I simply searched through all the files in the package for the URI protocol.


The protocol is referenced by 2 comments within the protocol handler.


URI parsing

To understand how the URI is parsed you first need to understand the anatomy of the URI. I have attached an image below that should explain it.


When parsing the URI, Dev Home first looks at the host.


If the host is show-overlay it simply takes the URI provided in the query parameters and puts it into an iframe: not very interesting and not very exploitable.

If the host is unattendedscript and the action query parameter is abort, it simply aborts any unattended scripts.

However, if the host is unattendedscript and the action query parameter is complete, it takes the filename from the query parameters (despite the parameter just being called filename, it still has to be a complete file path). It then gets the parent folder of the file path and passes it to another function, DevHome.Utilities.showSimpleTextFileAsync.


What does the showSimpleTextFileAsync function do, though? showSimpleTextFileAsync is meant to be used to show log files, but the way this is done lets the user inject arbitrary HTML elements. The function loads the file, replaces all carriage returns followed by new lines (Windows line endings) with <br> tags (new lines in HTML), concatenates the result with some divs and then uses it as the innerHTML of a div element. In practice this means the user simply has to remove all line endings, or replace them with an alternative format, and they can add whatever HTML they want.
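As an added example (not Dev Home's code), the following models the log-to-HTML step described above next to a hardened version that escapes the file contents before building the markup. Function names, the div wrapper and the sample log contents are assumptions.

```javascript
// Constructed sample "log file" contents. NORMAL_LOG uses Windows CRLF line
// endings; INJECTED_LOG has no CRLF at all and carries markup, which is the
// injection case described in the post.
const NORMAL_LOG = "Deploy started\r\nDeploy finished\r\n";
const INJECTED_LOG = "Deploy started<b>injected</b> no CRLF in this file";

// Behaviour as described above: only CRLF is rewritten to <br> and the result
// is used as innerHTML, so any other markup in the file is parsed as HTML.
function renderLogUnsafe(fileText) {
  const body = fileText.replace(/\r\n/g, "<br>");
  return '<div class="log">' + body + "</div>";
}

// Hardened version: escape HTML metacharacters first, then normalise every
// line-ending style (CRLF, LF, CR) to <br>. File contents can now only ever
// render as text, whatever line endings they use.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderLogSafe(fileText) {
  const body = escapeHtml(fileText).replace(/\r\n|\r|\n/g, "<br>");
  return '<div class="log">' + body + "</div>";
}

// Detection helper: true if the rendered log contains any tag other than the
// <br> tags the renderer itself emits (the wrapper div is stripped first).
function hasForeignTag(html) {
  const inner = html.slice('<div class="log">'.length, -"</div>".length);
  return /<(?!br>)[a-zA-Z!\/]/.test(inner);
}

console.log(hasForeignTag(renderLogUnsafe(INJECTED_LOG))); // true
console.log(hasForeignTag(renderLogSafe(INJECTED_LOG)));   // false
```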


Here it is in practice with some custom HTML injected:

Here is what it should normally look like with a normal, valid file:

Usability

This is largely useless because the WinJS CSP limitations mean that inline scripting is blocked by default. However, scripts from https://apps.atgservices.xboxlive.com/ are allowed, so it may be possible to use the proxy certificate authority to create a fake server and serve a malicious JS file. If you can bypass the CSP, that would let you trigger arbitrary JS. It may also be possible that an exploitable event handler could be found. It would also be useful if someone figured out how to launch the ERA tool windows manually (from a UWA kit). But as it stands this is sadly not useful for much.

RIP winjs you will not be missed. Long live react native