Date: Mon, 17 May 2004 16:55:46 -0400
From: Adam Shostack <adam@...eport.org>
To: kang <kang@...ecure.ws>
Cc: bugtraq@...urityfocus.com
Subject: Re: Safari remote arbitrary code execution


So, having help pop open is certainly noticeable, and I think I
broke parts of the script by quitting help as it ran.  (E.g., it didn't
create ~/owned.txt, but did open a terminal, which means it could have
run other things in there.)

http://www.monkeyfood.com/software/MoreInternet/ allows you to change
the help, but I'm not sure if this will break other help functions.

The actual exploit line is:

<meta HTTP-EQUIV="refresh" content="10;
URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scptstring='Volumes:0x04_script:0x04_script.term'">

Adam

On Mon, May 17, 2004 at 04:05:11PM +0200, kang wrote:
| Adv: safari_0x04
| 
| Release Date: 10/05/04
| Affected Products: Safari <= 1.2
| Fixed in: Not fixed.
| Impact: Remote code execution.
| Severity: High.
| Vendor: Notified (23/02/04)
| Author: fundisom.com
| 
| 
| Apple uses a special function to execute scripts and applications from
| its Help system. Unfortunately, this Help system uses HTML format and
| is callable from within browsers such as Safari (all other browsers
| tested were vulnerable too).
| 
| The problem lies in the fact that Apple added a special function into
| its own HTML renderer called "runscript". A link to help:runscript can
| be triggered from the browsers, thus launching the desired
| application/script.
| The desired application/script can be downloaded to a known location
| using Safari Safe Open File (default setting) by downloading a Disk
| Image (.dmg), which will always point to /Volume/DiskImageName/ScriptName.
| It is also possible to guess the user login when Safe Open File is
| disabled, and it might be possible to include inline AppleScript
| commands without calling any external application.
| 
| This advisory was released since the bug has been made public
| recently. Apple is working on a fix which should be issued shortly.
| 
| To protect yourself:
| - disable auto opening of safe files in Safari (bad protection,
| doesn't prevent anything, really)
| - change the help helper in InternetConfig (better protection)
| 
| Author link: http://fundisom.com/owned/warning
| Proof of concept:
| http://www.insecure.ws/article.php?story=2004051612423136
| 
| 

