Full Disclosure mailing list archives

Exploit different
From: "Rosalina Hamar" <rosalina () linuxmail org>
Date: Sat, 22 May 2004 19:42:36 +0800

Apple released a fix for the Help Viewer Problem described by lixlpixel.
But during different tests some really serious problems turned up.

1) MacOS X LaunchService Vulnerability
Mount an FTP/DAV/SMB/AFS volume with an application in it
which registers a new protocol handler, i.e. test:, and if that
handler is called, the script will be executed.

Example from Info.plist:

Demo: http://rosa.base-industries.net/
More info:
- http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1

2) Telnet URI Handler File Creation/Truncation Vulnerability
It is possible to wipe/zero a file using a telnet URI.

Example: telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist

This affects all browsers which pass telnet URIs back to
LaunchServices (thanks to fukami for making this clear to me).

More info: http://daringfireball.net/2004/05/telnet_protocol
Jason Harris from Unsanity provided a haxie called Paranoid Android
which pops up when a weird protocol handler is called.
PA can be found here: http://www.unsanity.com/haxies/pa/

"Even the exploits are user friendly" (mcgroarty on slashdot)
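
A defensive check for the two handler issues in the post above, as an added example that is not part of the original message: it flags URIs whose scheme is not on an expected list (the `test:` case) and telnet URIs whose percent-decoded host would reach the command-line client as an option (the `telnet://-n...` case, where `-n` is telnet's trace-file option). The scheme lists, the finding labels and the `check_uri` name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: schemes this machine is expected to hand to helper applications.
EXPECTED_SCHEMES = {"http", "https", "ftp", "mailto", "telnet"}
# Schemes whose handler passes the host part to a command-line client.
CLI_SCHEMES = {"telnet"}
# DNS names and IPv4 addresses only; bracketed IPv6 literals are reported
# as invalid by this check.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def check_uri(uri):
    """Return a list of reasons to refuse the URI (empty list = no finding)."""
    findings = []
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()

    # A scheme nobody expected suggests a freshly registered handler.
    if scheme not in EXPECTED_SCHEMES:
        findings.append("unexpected-scheme")

    if scheme in CLI_SCHEMES:
        # Drop userinfo and port, then decode %xx escapes the way a handler
        # does before it builds the client's argument list.
        host = parts.netloc.rpartition("@")[2]
        host = unquote(re.sub(r":\d*$", "", host))
        if host.startswith("-"):
            # The client would parse this "host" as a command-line option.
            findings.append("option-like-host")
        elif not HOSTNAME_RE.match(host):
            findings.append("invalid-host")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first is the URI quoted in the post.
    samples = [
        "telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist",
        "telnet://%2Dn%2Ftmp%2Fx",
        "telnet://example.org:23",
        "test:anything",
    ]
    for s in samples:
        print(s, "->", check_uri(s) or "ok")
```
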
