Home page logo
/

funsec logo funsec mailing list archives

Re: Serious Flaw on OS X in Apple Safari
From: Anthony Rodgers <Anthony_Rodgers () dnv org>
Date: Mon, 20 Feb 2006 17:33:28 -0800

This looks like it might be quite serious, unlike previous ones. I have tested the POC, and can tell you that:

1. It does not need Safari to work
2. It does not need auto-open to work

That information is a red herring. The vulnerability is an OS vulnerability that is described in paragraph 4 of the article:

"If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X."

All it needs is a zip file with meta-data in it that makes it behave like a shell script, and a file name extension that makes it look like a jpg (or any other type of 'friendly' file. This zip file, or its resultant contents, can then be downloaded from a web site (with or without Safari, with or without auto-open), emailed, or whatever.

Regards,
--
Anthony

On 20-Feb-06, at 5:09 PM, Fergie wrote:

Via The SAN ISC Daily Handler's Diary.

[snip]

We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X. "In its default configuration shell commands are execute[d] simply by visting a web site - no user interaction required." This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.

Full text of the article: http://www.heise.de/english/newsticker/ news/69862

Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html

[snip]

http://isc.sans.org/diary.php?storyid=1138

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]