
SSH URI handler remote arbitrary code execution



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adv: safari_0x06
Release Date: 24/05/2004
Affected Products: MacOSX >= 10.3.3, Various Browsers, possibly other
platforms/browsers
Fixed in: Not fixed.
Impact: Remote code execution.
Severity: High.
Vendors: Notified (20-23/02/04)
Author: kang@xxxxxxxxxxx


After the HelpViewer problem, and the self-URI registration in MacOSX,
not to mention the telnet://-nFile overwrite on many platforms, here is
yet another one using the SSH handler.

It has not been determined if this vulnerability can be successfully
exploited on Linux, but it seems that Konqueror is protected, while
Firefox/etc are not. I wish I could test it but it seems that there is a
bug in Gnome 2.6.1 and these URI handlers which prevented the
successful exploitation. Other than that, the Gnome browsers would all
be vulnerable.

On MacOSX, it is still possible to use paths (like /path/to/xx and
:path:to:xxx) in URI links, despite the recent fix which filtered them
out, by URL-encoding them.

This weakness allows a new URI + SSH exploit, using the ProxyCommand
option of ssh clients. This option is used to execute a proxy
application which is launched between the ssh client and the actual
connection. Unfortunately, this option can also be used to execute
arbitrary commands.
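The root cause described above is a URI handler that forwards pieces of an attacker-supplied ssh:// link to the ssh client without first deciding what may legitimately appear there. The following is an added example of the validation layer such a handler is missing; it is not code from the advisory or from any browser or ssh project. It assumes a front-end that receives the raw URI string, percent-decodes the user and host parts before checking them (the advisory's bypass relied on URL encoding surviving a filter), rejects anything that is not a plain user/host/port, and only then builds an argv for the real client, placing `--` before the host so nothing after it can be read as an option. `handle_ssh_uri`, `UnsafeSshUri` and the `/usr/bin/ssh` path are assumed names for the example.

```python
"""Hardened ssh:// URI front-end (added example, not from the advisory).

Assumed contract: a browser hands the raw URI string to build_ssh_argv(),
which either returns a safe argv for the real ssh client or raises
UnsafeSshUri. Only user@host[:port] is accepted; paths, options, query
strings and percent-encoded separators are refused outright.
"""
import re
from urllib.parse import urlsplit, unquote

# Hostname labels: alphanumerics and inner hyphens only, so a leading '-'
# (which ssh would parse as an option) can never pass. IPv4 literals fit too.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
# User names may not start with '-' either and get no shell metacharacters.
_USER_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")


class UnsafeSshUri(ValueError):
    """Raised for any ssh:// URI that is not a plain user@host[:port]."""


def parse_ssh_uri(uri):
    """Return (user, host, port) for a safe ssh:// URI, else raise UnsafeSshUri."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ssh":
        raise UnsafeSshUri("not an ssh URI")
    # Nothing after the authority is meaningful for a login URI; a path here
    # is exactly the /path/to/xx shape the advisory says should be filtered.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise UnsafeSshUri("path, query or fragment not allowed")
    if parts.password is not None:
        raise UnsafeSshUri("password in URI not allowed")

    # Decode percent-escapes BEFORE validating, so %2F, %3A, %20 etc. cannot
    # smuggle '/', ':' or spaces past the character checks.
    host = unquote(parts.hostname or "")
    user = unquote(parts.username) if parts.username is not None else None

    if not _HOST_RE.match(host):
        raise UnsafeSshUri("host contains characters outside a plain hostname")
    if user is not None and not _USER_RE.match(user):
        raise UnsafeSshUri("user contains characters outside a plain user name")

    try:
        port = parts.port  # raises ValueError if non-numeric or out of range
    except ValueError as exc:
        raise UnsafeSshUri("invalid port") from exc
    return user, host, port


def build_ssh_argv(uri, ssh_binary="/usr/bin/ssh"):
    """Turn a validated ssh:// URI into an argv list for the ssh client.

    Options are placed first and '--' terminates option parsing, so the
    user@host token is never interpreted as an option even if the validator
    were ever loosened. No ssh option is ever taken from the URI.
    """
    user, host, port = parse_ssh_uri(uri)
    argv = [ssh_binary]
    if port is not None:
        argv += ["-p", str(port)]
    argv.append("--")
    argv.append(f"{user}@{host}" if user else host)
    return argv


def is_safe_ssh_uri(uri):
    """Convenience predicate for tests and logging: True if the URI is accepted."""
    try:
        parse_ssh_uri(uri)
        return True
    except UnsafeSshUri:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("ssh://alice@example.com:2222",
                   "ssh://example.com",
                   "ssh://%2Fpath%2Fto%2Fx",
                   "ssh://-badhost",
                   "http://example.com"):
        print(sample, "->", build_ssh_argv(sample) if is_safe_ssh_uri(sample)
              else "REJECTED")
```

The argv would then be passed to an exec-style API (never a shell string), which keeps the client's option parser and the shell both out of reach of the URI's contents. The `--` is defence in depth; the allow-list in `parse_ssh_uri` is the primary control.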

Safari, Camino, Firefox and Mozilla have been reported vulnerable on OSX.

My policy is usually to keep such things private, to research them to
their full extent, then to start informing the vendors, and to publish
the problem to the public after a fix has been issued or after a few
months without answers.
However, as you know, two or three advisories are already discussing
the same kind of problems (which were reported and disclosed before my
own research anyway), and one is not yet fixed in MacOSX.
(see http://www.insecure.ws/article.php?story=20040522041815126 )

Therefore I think it is in the best interest that people know about it
to protect themselves.

A simple fix is available at http://www.unsanity.com/haxies/pa/ for
MacOSX and is highly recommended.

No fix is available for Gnome-based applications, but they are not
vulnerable until the URI bugs have been fixed ;)

The full advisory can be found here:
http://www.insecure.ws/article.php?story=200405222251133

There is an online proof of concept for MacOSX on the advisory page.


- --
Please do not copy this advisory without authorisation.
Authorisation is given to the security focus staff.
Please note, my PGP key has changed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAshbqB9TTXBpCLwwRAu5gAKCWHc3a/gw754lEwbZ84I2WgoTXUACdH8B1
ErKkZtGkZ2jA2yoTcz91MUA=
=1UI1
-----END PGP SIGNATURE-----