Re: Safari remote arbitrary code execution
So, while having help pop open is certainly noticeable, I think I
broke parts of the script by quitting help as it ran. (E.g., it didn't
create ~/owned.txt, but it did open a terminal, which means it could have
run other things in there.)
http://www.monkeyfood.com/software/MoreInternet/ allows you to change
the help, but I'm not sure if this will break other help functions.
The actual exploit line is:
<meta HTTP-EQUIV="refresh" content="10;
URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scptstring='Volumes:0x04_script:0x04_script.term'">
Adam
On Mon, May 17, 2004 at 04:05:11PM +0200, kang wrote:
| Adv: safari_0x04
|
| Release Date: 10/05/04
| Affected Products: Safari =< 1.2
| Fixed in: Not fixed.
| Impact: Remote code execution.
| Severity: High.
| Vendor: Notified (23/02/04)
| Author: fundisom.com
|
|
| Apple uses a special function to execute scripts and applications from
| its Help system. Unfortunately, this Help system uses HTML format and
| is callable from within browsers such as Safari (all other browsers
| tested were vulnerable too).
|
| The problem lies in the fact that Apple added a special function into
| its own HTML renderer called "runscript". A link to help:runscript can
| be triggered from the browser, thus launching the desired
| application/script.
| The desired application/script can be downloaded to a known location
| using Safari Safe Open File (default setting) by downloading a Disk
| Image (.dmg) which will always point to /Volume/DiskImageName/ScriptName.
| It is also possible to guess the user login when Safe Open File is
| disabled, and it might be possible to include inline AppleScript
| commands without calling any external application.
|
| This advisory was released since the bug has been made public
| recently. Apple is working on a fix which should be issued shortly.
|
| To protect yourself:
| - disable auto opening of safe files in Safari (bad protection,
| doesn't prevent anything really)
| - change the help helper in InternetConfig (better protection)
|
| Author link: http://fundisom.com/owned/warning
| Proof of concept:
| http://www.insecure.ws/article.php?story=2004051612423136
|
|
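The vector in the thread is a web page handing navigation off to a local URL-scheme handler: a meta refresh (or a plain link) whose target uses the help: scheme, with help:runscript= naming the script and the script itself sitting under /Volumes after an auto-opened disk image. The scanner below is an added example written for this reply, not code from Adam, kang or fundisom.com. It uses only the Python standard library; the SUSPICIOUS_SCHEMES set, the function names and the SAMPLE_HTML document are assumptions constructed for the demo (the first meta tag is modelled on the exploit line quoted above). It goes slightly beyond the post by also checking href/src attributes, since the advisory says any link to help:runscript will do, not only a meta refresh.

```python
"""Flag HTML navigation targets that hand the browser off to a local URL-scheme
handler (here Apple's help: scheme).  Added example, not from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes whose handler executes outside the browser are the ones
# we treat as suspicious when a remote page targets them.
SUSPICIOUS_SCHEMES = {"help"}

# content="10; URL=..." -- browsers accept optional whitespace and either case.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(.+)$", re.IGNORECASE | re.DOTALL)


def parse_meta_refresh(content):
    """Return the redirect target of a <meta http-equiv=refresh> content value, or None."""
    match = _REFRESH_RE.match(content or "")
    if not match:
        return None
    url = match.group(1).strip()
    # Browsers tolerate a quoted target: content="0; URL='help:...'"
    if len(url) >= 2 and url[0] == url[-1] and url[0] in "'\"":
        url = url[1:-1].strip()
    return url or None


def analyse_url(url):
    """Return the reasons a navigation target is suspicious (empty list if none)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    reasons = []
    if scheme in SUSPICIOUS_SCHEMES:
        reasons.append("targets the %s: scheme handler" % scheme)
        # help:runscript=<script> is the primitive the advisory describes.
        if parts.path.lower().startswith("runscript="):
            reasons.append("invokes help:runscript")
        # A script delivered via an auto-opened disk image is reachable under /Volumes.
        if "volumes" in url.lower():
            reasons.append("references a Volumes path (auto-mounted disk image)")
    return reasons


class SchemeHandlerScanner(HTMLParser):
    """Collect (where, url, reasons) for every navigation target in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, where, url):
        if url:
            reasons = analyse_url(url)
            if reasons:
                self.findings.append((where, url, reasons))

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self._check("meta refresh", parse_meta_refresh(a.get("content")))
        elif tag in ("a", "area", "link"):
            self._check(tag, a.get("href"))
        elif tag in ("iframe", "frame"):
            self._check(tag, a.get("src"))


def scan_html(html):
    """Parse the document and return the list of suspicious navigation targets."""
    scanner = SchemeHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the first meta tag mirrors the exploit line from the thread,
# the rest are benign and near-miss cases to show what is and is not flagged.
SAMPLE_HTML = """<html><head>
<meta HTTP-EQUIV="refresh" content="10;
URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='Volumes:0x04_script:0x04_script.term'">
<meta http-equiv="refresh" content="5; url=http://example.org/">
</head><body>
<a href="http://example.org/">fine</a>
<a href="HELP:runscript=Foo.help/Contents/Resources/x.scpt">click me</a>
<iframe src="help:anchor='intro'"></iframe>
</body></html>"""

if __name__ == "__main__":
    for where, url, reasons in scan_html(SAMPLE_HTML):
        print("%-13s %s" % (where, url))
        for reason in reasons:
            print("    - " + reason)
```

Run against SAMPLE_HTML it reports three targets: the meta refresh to help:runscript (scheme, runscript and Volumes all flagged), the uppercase HELP: link (scheme and runscript), and the iframe to help:anchor (scheme only); the two http: targets are ignored. The scheme check is the one that matters for a filter or proxy rule: the runscript and Volumes heuristics only add detail, and a page can reach the same handler through an anchor or frame, which is why the scanner looks at href and src as well as meta refresh.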