| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: rosalina at linuxmail.org (Rosalina Hamar)
Subject: Exploit different
Apple released a fix for the Help Viewer Problem described by lixlpixel.
But during different tests some really serious problems turned out.
1) MacOS X LaunchService Vunerability
Mount a FTP/DAV/SMB/AFS-Volume with an application in it
which registers a new protocol handler i.e. test:, and if that
handler is called, the script will be executed.
Example from Info.plist:
[...]
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>Test</string>
<key>CFBundleURLSchemes</key>
<array>
<string>test</string>
</array>
</dict>
</array>
[...]
Demo: http://rosa.base-industries.net/
More Infos:
-http://www.unsanity.com/haxies/pa/whitepaper
- http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1
2) Telnet URI Handler File Creation/Truncation Vulnerability
It is possible to wipe/zeroing a file using a telnet URI.
Example: telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist
This effects all browsers which are passing telnet URIs back the
LaunchServices (thanks to fukami to make this clear to me).
More Infos: http://daringfireball.net/2004/05/telnet_protocol
Jason Harris from Unsanity provided a haxie called Paranoid Android
which pops up when a weird protocol handler is called.
PA can be found here: http://www.unsanity.com/haxies/pa/
"Even the exploits are user friendly" (mcgroarty on slashdot)
Rosa
--
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
Powered by blists - more mailing lists