funsec: Re: Serious Flaw on OS X in Apple Safari

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

funsec mailing list archives

Re: Serious Flaw on OS X in Apple Safari

From: Anthony Rodgers <Anthony_Rodgers () dnv org>
Date: Mon, 20 Feb 2006 17:33:28 -0800

This looks like it might be quite serious, unlike previous ones. Ihave tested the POC, and can tell you that:


1. It does not need Safari to work
2. It does not need auto-open to work

That information is a red herring. The vulnerability is an OSvulnerability that is described in paragraph 4 of the article:

"If a script is given an extension such as "jpg" or "mov" and storedwithin a ZIP archive, Mac OS X will add a binary metadata file to thearchive which determines its association. This metafile instructs theoperating system on another Mac to open that file with the Terminalapplication -- regardless of its extension or the symbol displayed inthe Finder. The Terminal will redirect scripts without an interpreterline directly to bash, the standard shell in OS X."

All it needs is a zip file with meta-data in it that makes it behavelike a shell script, and a file name extension that makes it looklike a jpg (or any other type of 'friendly' file. This zip file, orits resultant contents, can then be downloaded from a web site (withor without Safari, with or without auto-open), emailed, or whatever.


Regards,
--
Anthony

On 20-Feb-06, at 5:09 PM, Fergie wrote:

Via The SAN ISC Daily Handler's Diary.

[snip]
We received notice from Juergen Schmidt, editor-in-chief atheise.de, that a serious vulnerability has been found in AppleSafari on OS X. "In its default configuration shell commands areexecute[d] simply by visting a web site - no user interactionrequired." This could be really bad. Attackers can run shellscripts on your computer remotely just by visiting a maliciouswebsite.
Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn):http://www.mathematik.uni-ulm.de/~lehn/mac.html
[snip]

http://isc.sans.org/diary.php?storyid=1138

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

By Date By Thread

Current thread:

Serious Flaw on OS X in Apple Safari Fergie (Feb 21)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 21)
  - RE: Serious Flaw on OS X in Apple Safari Larry Seltzer (Feb 21)
    - Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 21)
- <Possible follow-ups>
- Re: Serious Flaw on OS X in Apple Safari Fergie (Feb 21)
- RE: Serious Flaw on OS X in Apple Safari Fergie (Feb 21)