Cross-Site Escape - Pwning macOS Safari Sandbox the Unusual Way

Offered By: Black Hat via YouTube

Course Description

Overview

Explore a novel attack that targets design flaws in reachable IPC endpoints and their associated WebViews using Cross-Site Scripting (XSS) in this 26-minute Black Hat conference talk. Discover how native code execution outside the sandbox can be achieved without having to exploit WebKit a second time. Delve into topics such as TOCTOU without racing, web content case studies, Dashboard widgets, arbitrary widget installation, sandbox escape techniques, and CVE-2020-9979. Learn about hard-coded trusted schemes, legacy Help vulnerabilities, and methods for arbitrary file execution. Gain insights into jumping to Dictionary.app and understand the implications for macOS Safari sandbox security. Presented by Zhi Zhou, this talk offers valuable takeaways for cybersecurity professionals and researchers interested in browser security and sandbox escape techniques.

Syllabus

Intro
Comparison
TOCTOU Without Racing
Web Content Case Study
Timeline for Web Content
Dashboard Widgets
Turning to Arbitrary Widget Installation
Sandbox Escape
Problems
Triggering Execution
Hard Coded Trusted Schemes
Legacy Help
Sandbox is...gone
(Failed) Local File Disclosure
Some Drama
CVE-2020-9979: We Got Trust Issue
Dictionary App
Arbitrary File Execution
Local File Execution
How do we jump to Dictionary?
Jump to Dictionary.app
Summary
Takeaways
Taught by

Black Hat