Date: Mon, 17 May 2004 16:05:11 +0200
From: kang <kang@...ecure.ws>
To: bugtraq@...urityfocus.com
Subject: Safari remote arbitrary code execution


Adv: safari_0x04

Release Date: 10/05/04
Affected Products: Safari =< 1.2
Fixed in: Not fixed.
Impact: Remote code execution.
Severity: High.
Vendor: Notified (23/02/04)
Author: fundisom.com


Apple uses a special function to execute scripts and applications from
its Help system. Unfortunately, this Help system uses HTML format and
is callable from within browsers such as Safari (all other browsers
tested were vulnerable too).

The problem lies in the fact that Apple added a special function,
called "runscript", to its own HTML renderer. A link to help:runscript
can be triggered from a browser, which launches the desired
application/script.
The desired application/script can be downloaded to a known location
using Safari's Safe Open File option (default setting) by downloading a
Disk Image (.dmg), which will always point to
/Volume/DiskImageName/ScriptName.
It is also possible to guess the user login when Safe Open File is
disabled, and it might be possible to include inline AppleScript
commands without calling any external application.

This advisory was released because the bug has recently been made
public. Apple is working on a fix which should be issued shortly.

To protect yourself:
- disable automatic opening of safe files in Safari (weak protection,
doesn't really prevent anything)
- change the help helper in InternetConfig (better protection)

Author link: http://fundisom.com/owned/warning
Proof of concept:
http://www.insecure.ws/article.php?story=2004051612423136
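
Added example, not part of the original advisory: a small Python scanner that flags HTML referencing the help: scheme (high severity when "runscript" appears) and links to .dmg disk images, the two elements described above. The function names and the sample page are constructed for illustration, and the text after "help:runscript" in the sample is a placeholder, not real syntax.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data"}
HELP_IN_SCRIPT = re.compile(r"\bhelp:[^\s\"'<>;]*", re.I)

def clean(url):
    # Browsers trim whitespace and drop tabs/newlines inside a URL before parsing.
    return re.sub(r"[\t\r\n]", "", url or "").strip()

def classify(url):
    """Return 'high', 'review' or None for one URL string."""
    u = clean(url).lower()
    if u.startswith("help:"):
        return "high" if "runscript" in unquote(u) else "review"
    if unquote(u).split("#")[0].split("?")[0].endswith(".dmg"):
        return "review"  # disk image: the download step the advisory describes
    return None

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = (tag == "script")
        for name, value in attrs:
            if name in URL_ATTRS and classify(value):
                self.findings.append((classify(value), f"{tag}[{name}]", clean(value)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # help: URLs assigned from script text
            for m in HELP_IN_SCRIPT.finditer(data):
                self.findings.append((classify(m.group(0)), "script", m.group(0)))

def scan(html):
    s = Scanner(); s.feed(html); s.close()
    return s.findings

# Constructed sample page; hosts and everything after "help:" are placeholders.
SAMPLE = """<a href="help:runscript-PLACEHOLDER">docs</a>
<iframe src=" HeLp:run\nscript-PLACEHOLDER"></iframe>
<a href="http://example.invalid/files/Tool.dmg">download</a>
<a href="help:topic-PLACEHOLDER">help</a>
<script>location = "help:runscript-PLACEHOLDER";</script>
<a href="https://example.invalid/help:faq">faq</a>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

The scanner suits a filtering proxy or mail gateway, where a "high" hit can be blocked outright and "review" hits logged.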



