{"uuid": "fd3864f6-e9ff-4b59-878d-942773bdd095", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-1879", "type": "published-proof-of-concept", "source": "https://t.me/alexmakus/4175", "content": "Here is a very interesting branch of the SolarWinds story, one that includes a 0-day for iPhone. It looks like the hackers who organized the attack via SW last year exploited an iOS 0-day in order to steal the logins and passwords of members of Western governments. 
\n\nThis is about CVE-2021-1879 in Safari, which is covered, among other things, in Google's post; the gist of it is that it redirected users to domains where a malicious package was installed on the iPhone. All of this was part of a planned campaign targeting different OSes, and for users of iOS devices it was CVE-2021-1879 that was used, which made it possible to disable protection in the browser and collect cookies of popular sites. 
The vulnerability was fixed in March 2021. \n\nAfter several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7.\n\nDetails at the link \nhttps://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/", "creation_timestamp": "2021-07-15T12:53:39.000000Z"}