Safari remote arbitrary code execution
Adv: safari_0x04
Release Date: 10/05/04
Affected Products: Safari <= 1.2
Fixed in: Not fixed.
Impact: Remote code execution.
Severity: High.
Vendor: Notified (23/02/04)
Author: fundisom.com
Apple uses a special function to execute scripts and applications from
its Help system. Unfortunately, this Help system uses HTML and is
callable from within browsers such as Safari (all other browsers
tested were vulnerable too).
The problem lies in the fact that Apple added a special function,
"runscript", to its own HTML renderer. A link to help:runscript can be
triggered from a browser, which launches the desired
application/script.
The desired application/script can be placed at a known location using
Safari's automatic opening of "safe" downloaded files (the default
setting): a downloaded Disk Image (.dmg) is mounted automatically, so
the script is always reachable at /Volumes/DiskImageName/ScriptName.
When automatic opening of safe files is disabled, the download path
depends on the user's login name, which can be guessed; it might also
be possible to pass inline AppleScript commands without calling any
external application.
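As an added example (not code from the advisory, from fundisom.com or from Apple), the following Python scanner flags HTML whose URL-bearing attributes would hand a URL to the Help system. Any help: URL is reported, and help:runscript is treated as the dangerous case, so a web proxy or mail gateway could use it to block pages carrying this attack. The sample page, the set of attributes checked and the runscript arguments in the sample are constructed for this example; the argument syntax accepted by runscript is not described here.

```python
"""Flag HTML that would hand a URL to the Apple Help system (help: scheme).

Added example, not code from the fundisom.com advisory or from Apple: a
small scanner that a web proxy or mail gateway could run over fetched
HTML. Any help: URL is reported; help:runscript is reported as the
dangerous case. The sample page at the bottom is constructed for this
example and its runscript arguments are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes whose value the browser fetches or navigates to (assumption:
# this list is what the scanner checks, not a list taken from Apple).
URL_ATTRS = {"href", "src", "action", "data", "content"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$", re.S)
_META_URL_RE = re.compile(r"url\s*=\s*(.*)", re.I | re.S)


def split_scheme(url):
    """Return (scheme, remainder) for a raw attribute value, or (None, url).

    Normalizes cheap obfuscations first so they cannot hide the scheme:
    percent-encoded letters, leading control/space characters and embedded
    tab/CR/LF. Decoding more than a browser would only costs a false
    positive, which is the right trade-off for a blocklist.
    """
    cleaned = unquote(url)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    m = _SCHEME_RE.match(cleaned)
    if not m:
        return None, cleaned
    return m.group(1).lower(), m.group(2)


def classify(url):
    """'runscript' for help:runscript, 'help' for any other help: URL, else None."""
    scheme, rest = split_scheme(url)
    if scheme != "help":
        return None
    return "runscript" if rest.lower().startswith("runscript") else "help"


class HelpLinkFinder(HTMLParser):
    """Collect every URL-bearing attribute that resolves to a help: URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag/attribute names and decodes &#..; refs
        # in attribute values, so "&#104;elp:" already arrives as "help:".
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            candidate = value
            if tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0; url=...">
                m = _META_URL_RE.search(value)
                if not m:
                    continue
                candidate = m.group(1).strip().strip("'\"")
            kind = classify(candidate)
            if kind:
                self.hits.append({"tag": tag, "attr": name,
                                  "url": candidate, "kind": kind})


def find_help_links(html):
    """Return a list of hit dicts for every help: URL found in the document."""
    parser = HelpLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def verdict(html):
    """'block' if any help:runscript link is present, 'review' for other
    help: links, otherwise 'allow'."""
    hits = find_help_links(html)
    if any(h["kind"] == "runscript" for h in hits):
        return "block"
    return "review" if hits else "allow"


# Constructed sample: benign links plus help: links in several disguises.
SAMPLE_PAGE = """<html><body>
<a href="http://www.example.com/">normal link</a>
<a href="mailto:someone@example.com">mail</a>
<a href="/docs/help:notes.html">relative path, not a scheme</a>
<a href="help:some-other-help-page">help: link that is not runscript</a>
<a href="help:runscript">plain help:runscript link</a>
<iframe src="   HELP:RunScript"></iframe>
<meta http-equiv="refresh" content="0; url=he%6cp:runscript">
<img src="&#104;elp:runscript">
</body></html>"""

if __name__ == "__main__":
    for hit in find_help_links(SAMPLE_PAGE):
        print(f"{hit['kind']:9} <{hit['tag']} {hit['attr']}={hit['url']!r}>")
    print("verdict:", verdict(SAMPLE_PAGE))
```

Run against the constructed page it reports five help: URLs, four of them help:runscript, and returns "block". The scanner deliberately decodes more aggressively than a browser needs to; for a blocklist a false positive on an odd-looking URL is cheaper than letting a disguised help:runscript link through.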
This advisory is being released because the bug was recently made
public. Apple is working on a fix, which should be issued shortly.
To protect yourself:
- disable automatic opening of safe files in Safari (weak protection:
by itself it doesn't really prevent anything, since the script can
still be reached at a guessable path)
- change the helper application for the help: protocol in
InternetConfig (better protection)
Author link: http://fundisom.com/owned/warning
Proof of concept:
http://www.insecure.ws/article.php?story=2004051612423136