lists.openwall.net | Open Source and information security mailing list archives
Date: Mon, 17 May 2004 16:55:46 -0400
From: Adam Shostack <adam@...eport.org>
To: kang <kang@...ecure.ws>
Cc: bugtraq@...urityfocus.com
Subject: Re: Safari remote arbitrary code execution

So, while having help pop open is certainly noticeable, and I think I broke parts of the script by quitting help as it ran. (E.g., it didn't create ~/owned.txt, but did open a terminal, which means it could have run other things in there.)

http://www.monkeyfood.com/software/MoreInternet/ allows you to change the help, but I'm not sure if this will break other help functions.

The actual exploit line is:

<meta HTTP-EQUIV="refresh" content="10; URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scptstring='Volumes:0x04_script:0x04_script.term'">

Adam

On Mon, May 17, 2004 at 04:05:11PM +0200, kang wrote:
| Adv: safari_0x04
|
| Release Date: 10/05/04
| Affected Products: Safari =< 1.2
| Fixed in: Not fixed.
| Impact: Remote code execution.
| Severity: High.
| Vendor: Notified (23/02/04)
| Author: fundisom.com
|
|
| Apple uses a special function to execute scripts and applications from
| its Help system. Unfortunately, this Help system uses HTML format and
| is callable from within browsers such as Safari (all other browsers
| tested were vulnerable too).
|
| The problem lies in the fact that Apple added a special function into
| its own HTML renderer called "runscript". A link to help:runscript can
| be triggered from the browsers and thus launch the desired
| application/script.
| The desired application/script can be downloaded to a known location
| using Safari Safe Open File (default setting) by downloading a Disk
| Image (.dmg) which will always point to /Volume/DiskImageName/ScriptName.
| It is also possible to guess the user login when Safe Open File is
| disabled, and might be possible to include inline Apple Script
| commands without calling any external application.
|
| This advisory was released since the bug has been made public
| recently. Apple is working on a fix which should be issued shortly.
|
| To protect yourself:
| - disable auto opening of safe files in Safari (bad protection,
| doesn't prevent anything really)
| - change the help helper in InternetConfig (better protection)
|
| Author link: http://fundisom.com/owned/warning
| Proof of concept:
| http://www.insecure.ws/article.php?story=2004051612423136
|
|
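As an added illustration, not part of this thread or of the advisory, a small Python checker that scans an HTML document for navigation targets using the help: URL scheme and flags the runscript= form described above; the sample page (built around the meta-refresh line quoted in the thread) and the example.invalid decoy URLs are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the first meta tag mirrors the refresh line quoted in
# the thread, the others are benign decoys (example.invalid is a reserved TLD).
SAMPLE_HTML = """<html><head>
<meta HTTP-EQUIV="refresh" content="10; URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scptstring='Volumes:0x04_script:0x04_script.term'">
<meta http-equiv="refresh" content="0;url=https://example.invalid/ok">
</head><body>
<a href="help:anchor=MacHelp">help</a>
<a href="https://example.invalid/">plain link</a>
</body></html>"""

# "<seconds>; URL=<target>" as used by http-equiv="refresh"
REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(.+?)\s*$", re.IGNORECASE)


class HelpSchemeFinder(HTMLParser):
    """Records every navigation target that uses the help: URL scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, uses_runscript)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # names already lowercased
        url = None
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                url = m.group(1)
                if len(url) > 1 and url[0] == url[-1] and url[0] in "'\"":
                    url = url[1:-1]  # url='...' form
        elif tag in ("a", "area", "iframe", "frame"):
            url = a.get("href") or a.get("src")
        if url and urlsplit(url).scheme.lower() == "help":
            self.findings.append((tag, url, "runscript=" in url.lower()))


def find_help_scheme_targets(html):
    """Return [(tag, url, uses_runscript)] for every help: target in the page."""
    parser = HelpSchemeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, url, runscript in find_help_scheme_targets(SAMPLE_HTML):
        print("RUNSCRIPT" if runscript else "help-scheme", tag, url)
```

Such a check is suited to a proxy or mail gateway filter; it does not catch targets assembled by script at runtime, so blocking the help: handler itself (as the advisory suggests) remains the stronger control.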