Message-ID: <20040522114236.216CE23ABE@ws5-3.us4.outblaze.com>
From: rosalina at linuxmail.org (Rosalina Hamar)
Subject: Exploit different

Apple released a fix for the Help Viewer Problem described by lixlpixel.
But during different tests some really serious problems turned out.

1) MacOS X LaunchService Vulnerability
Mount an FTP/DAV/SMB/AFS volume with an application in it
which registers a new protocol handler i.e. test:, and if that
handler is called, the script will be executed.

Example from Info.plist:
[...]
<key>CFBundleURLTypes</key>
<array>
  <dict>
    <key>CFBundleURLName</key>
    <string>Test</string>
    <key>CFBundleURLSchemes</key>
    <array>
      <string>test</string>
    </array>
  </dict>
</array>
[...]

Demo: http://rosa.base-industries.net/
More info:
- http://www.unsanity.com/haxies/pa/whitepaper
- http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1

2) Telnet URI Handler File Creation/Truncation Vulnerability
It is possible to wipe/zero a file using a telnet URI.

Example: telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist

This affects all browsers which pass telnet URIs back to
LaunchServices (thanks to fukami for making this clear to me).

More info: http://daringfireball.net/2004/05/telnet_protocol
 
Jason Harris from Unsanity provided a haxie called Paranoid Android
which pops up when a weird protocol handler is called.
PA can be found here: http://www.unsanity.com/haxies/pa/


"Even the exploits are user friendly" (mcgroarty on slashdot)

 Rosa
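
An added example, not part of the original post: a defender-side audit that walks a directory tree (for instance mounted volumes, as in item 1) and reports application bundles whose Info.plist declares URL schemes outside an expected set. The function names, the EXPECTED_SCHEMES allowlist and the sample plist wrapper are assumptions made for this illustration.

```python
import os
import plistlib

# Constructed sample: the Info.plist excerpt from the post, wrapped so it parses.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLName</key><string>Test</string>
    <key>CFBundleURLSchemes</key>
    <array><string>test</string></array>
  </dict></array>
</dict></plist>
"""

# Assumption for this example: schemes the auditor expects to see registered.
EXPECTED_SCHEMES = {"http", "https", "mailto"}


def declared_url_schemes(plist_bytes):
    """Return the lower-cased URL schemes declared under CFBundleURLTypes."""
    try:
        info = plistlib.loads(plist_bytes)
    except Exception:  # malformed or truncated plist: nothing to report
        return []
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = []
    for url_type in url_types if isinstance(url_types, list) else []:
        names = url_type.get("CFBundleURLSchemes") if isinstance(url_type, dict) else None
        for scheme in names if isinstance(names, list) else []:
            if isinstance(scheme, str):
                schemes.append(scheme.lower())
    return schemes


def audit_bundles(root, expected=EXPECTED_SCHEMES):
    """Walk root for *.app bundles; map bundle path -> unexpected schemes."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        if not dirpath.endswith(".app"):
            continue
        dirnames[:] = []  # do not descend into nested bundles
        plist_path = os.path.join(dirpath, "Contents", "Info.plist")
        if os.path.isfile(plist_path):
            with open(plist_path, "rb") as fh:
                odd = sorted(set(declared_url_schemes(fh.read())) - set(expected))
            if odd:
                findings[dirpath] = odd
    return findings


if __name__ == "__main__":
    print(audit_bundles("/Volumes"))  # mounted volumes, as in item 1 of the post
```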
